I had the same issue renewing a wildcard certificate in Aruba ClearPass 6.6.
Step 1. Installed Cygwin and OpenSSL on Windows 10
Step 2. Extracted the Private key and PublicKey chain
openssl pkcs12 -in yourP12File.pfx -nocerts -out privateKey.crt
openssl pkcs12 -in yourP12File.pfx -nokeys -out PublicKey.pem
Step 3. In the Aruba ClearPass Policy Manager, in the menu Administration > Certificates > Trust List, the DigiCert Global Root was disabled; the Root Cert has been enabled.
Step 4. The RapidSSL TLS DV RSA Mixed SHA256 2020 CA intermediate was missing and had to be manually added.
Step 5. Certificate Chain Order
The certificate chain PEM file had to be manually altered as the order was Public Key, Root CA and then Sub CA.
I had to open up the PublicKey.pem file, copy the last cert and paste it in as the second entry in the file. I used Notepad++ to edit the PEM file.
Step 6. Uploaded the new wildcard certificate; it worked as expected.
------------------------------
Jeremy Gowland
------------------------------
Original Message:
Sent: Sep 09, 2016 07:52 AM
From: Darren Rigby
Subject: Importing a new https ssl cert... problems.
I'm trying to upload a new ssl wildcard https server cert as ours runs out in a week or so, and keep getting this error:
Certificate chain is invalid. The expected order is Policy Manager Server, Sub CA and Root CA certificates
The cert is from DigiCert, and both the root and intermediate certs are already installed and expire in 2031 and 2023 respectively. I've also been on the DigiCert website and verified that the serial of the installed ones matches the currently available ones. So I was hoping I could simply import a new cert...
The format of the cert is a pfx and I have used openssl to extract both the key and the cert, and tried to import them, and get presented with the above error.
Based on the error, I assume the system is confirming that the installed root and intermed certs do not match the issued cert? Yet they seem to have been fine the last couple of years, and the certs on digicert website seem to match what we have installed.
I don't know anything about certs, and find it all a bit mind boggling..
Can anyone point me in the right direction?
Cheers