I wanted to know if certain third-party / public certs work better than others to Onboard iOS devices: Verisign, GoDaddy, etc.
I know I can go by this list: http://support.apple.com/kb/ht5012 but just wanted to see what others have experienced.
I have to stay neutral on this, but a quick note. :)
If you are using a CPPM that is running any version before 6.3, you will need to make sure the Root CA you choose supports the OID in the certificate (id-kp-eapOverLAN) for the CPPM server cert.
Windows decided to change the requirements as of 8.1. :(
I have a Root CA signed server cert that was created from a CSR made in CPPM 6.3.1.
It does not include the extension to support Windows 8.1.
This seems to be an oversight.
My experience with certs is that you request extensions in the CSR. The CA doesn't change your certificate request, it just signs it.
If you look at a CSR with openssl you can see what extensions have been requested.
So is that incorrect for this extension?
The problem is if we require that attribute then it severely limits who the customer can get a certificate from. It is only Windows 8.0> devices that have this requirement.
This way the customer just needs to request that the attribute be included by the signing CA, or not allow 8.1 devices to be onboarded. Most security-concerned customers will not want to have a public CA sign the RADIUS certificate, only the HTTPS. That is why as of 6.3 you can have two separate certificates and we add ID-KP in our built-in PKI that you can use to sign the RADIUS certificate.
Ah that limitation makes sense.
The trouble is that creating the server certs with OnBoard does not seem to be a universal solution. If all your devices are onboarded it's fine since they will have the onboard CA installed. But if you have non-onboarded services your HTTPS/RADIUS certs will be signed by an unknown intermediate CA and will fail cert validation on the client.
In my understanding so far I think there are two solutions:
1) buy separate Root-CA-signed certs for OnBoard and server certs using the inbuilt CSR mechanism for both
2) create a custom CSR using openssl that includes both the Win8.1 ext and the CA ext, install the Root-CA-signed cert in both PM and OB
Fine for staff, but won't work in one of our use cases which is free public wifi.
For clarity, can you respond about the CSR requiring the extension or not?
Free but self-registered wifi, so a user still hits guest and we don't want the general public to get a certificate error :)
I think you are saying that there is a 3rd solution which is:
- have a completely separate HTTPS cert, signed by a well-known Intermediate CA
- have a RADIUS cert signed by the OnBoard Local CA
But what if you have other 802.1X services that are not on-boarded? Same problem: the 802.1X clients will not have the OnBoard CA installed and will not validate the RADIUS cert.
So we are back to needing a RADIUS cert that is signed by a well-known intermediate CA, and again the problem is that the internally created CSR doesn't have the right attribute. This goes back to my point about it not being a universal solution.
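The custom-openssl-CSR option discussed above, as an added example that is not code from this thread or from Aruba: it builds a CSR that requests id-kp-eapOverLAN (OID 1.3.6.1.5.5.7.3.14) alongside serverAuth, then checks a CSR, and the certificate a CA returns, for that EKU. The hostname and work directory are placeholders chosen for the example.

```shell
#!/bin/sh
# Added example (not from the thread): request id-kp-eapOverLAN in a CSR and
# verify the EKU on the CSR and on the issued certificate.
set -eu

WORK="${WORK:-$(mktemp -d)}"     # scratch directory, placeholder
EAP_OID='1.3.6.1.5.5.7.3.14'     # id-kp-eapOverLAN (RFC 4334)

# Minimal openssl req config; cppm.example.test is a placeholder hostname.
write_req_config() {
  cat > "$WORK/req.cnf" <<EOF
[ req ]
prompt             = no
distinguished_name = dn
req_extensions     = v3_req
[ dn ]
CN = cppm.example.test
[ v3_req ]
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, ${EAP_OID}
subjectAltName   = DNS:cppm.example.test
EOF
}

# Generate a key and a CSR carrying the requested extensions; prints the CSR path.
make_csr() {
  write_req_config
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/cppm.key" \
    -out "$WORK/cppm.csr" -config "$WORK/req.cnf" 2>/dev/null
  echo "$WORK/cppm.csr"
}

# openssl prints unknown EKUs as a raw OID, so match either form.
has_eap_eku() {
  grep -qiE "${EAP_OID}|eapOverLAN|EAP over LAN"
}

# Exit 0 if the CSR requests id-kp-eapOverLAN (what you send to the CA).
csr_has_eap_eku() { openssl req -in "$1" -noout -text | has_eap_eku; }

# Exit 0 if the issued certificate carries id-kp-eapOverLAN. A CA may drop
# requested extensions, so check what came back, not only what was asked for.
cert_has_eap_eku() { openssl x509 -in "$1" -noout -text | has_eap_eku; }

# Self-sign the CSR only to exercise the checks locally; prints the cert path.
self_sign_for_test() {
  openssl x509 -req -in "$WORK/cppm.csr" -signkey "$WORK/cppm.key" -days 1 \
    -extfile "$WORK/req.cnf" -extensions v3_req -out "$WORK/cppm.crt" 2>/dev/null
  echo "$WORK/cppm.crt"
}
```

Run `cert_has_eap_eku` against the certificate a public CA actually returns before installing it as the RADIUS cert; a CA that strips the EKU leaves you with the same Windows 8.1 failure the thread describes.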
> That is why as of 6.3 you can have two separate certificates and we add ID-KP in our built in PKI that you can use the sign the radius certificate.
Giving this a go. How does the signing work? I can create a CSR or self-signed cert in PM, but can't see how I sign it with the local CA.
edit: never mind, found it. I still think this will be an issue if you are supporting an onboard and a non-onboard 802.1X service, but good enough for the moment.
If you do a CSR from CPPM make sure you download both the CSR and the PKEY file.
1. If you haven't already, create a new CA.
2. Edit the CA settings for how long you want the certs to be valid.
3. Click import cert.
4. Tell it to issue the cert immediately.
5. Export. I use PKCS7 because it includes the full trust chain.
6. Import into CPPM.
I'm running into an issue. My Thawte cert was issued for my VIP in my 5k cluster. However, it doesn't have the id-kp-eapOverLAN option.
When trying to change my radius cert to be self signed, I get the error that CPPM can't use self signed certs for RADIUS in a cluster.
Is this normal?
So... any suggestion other than not allowing Windows 8.1 or removing the VIP?
Are you using EAP-TLS / Onboard or just PEAP?
Doing EAP-TLS / OnBoarding.
Troy - so if I sign it with OnBoard (like you show on page 2), I will be able to use the cert for radius and my VIP?
Thank you! That worked perfectly.
Got to love certs!