I am posting this message to find out whether it is possible to install on a 6000 controller a server certificate that includes all the intermediate CA authorities. I have requested a certificate for my controller, but this certificate is not issued by the root CA; there are some intermediate CAs, and I want to know if it is possible to install the complete chain so that when a user goes to the captive portal, the message "certificate not valid" won't show due to not having some intermediate CA installed in his/her browser.
It sounds like you know how to obtain a public server cert already (CSR, PEM format, etc). Once you have that, you can take the server cert and then append the intermediate cert to the bottom of the file. Then take that entire file and add it to your controller. That will give you the server and intermediate certs in one file.
You upload the file as a PEM format and Server Cert certificate type. Once uploaded you can edit your captive portal, web administration and dot1x authentication settings to reference the new cert.
Sorry, but I have tried it. I appended the intermediate CA certificates at the end of the cert file, and at the beginning too, but the controller always says "Error Uploading Certificate: Error in cert format".
Any other suggestion? Am I doing something bad?
Which other settings do you use when importing? Please show a screenshot or list them all.
OK, let's clarify things a bit more,
I have a server certificate (wifielche_umh_es.crt) issued by a CA in response to CSR from my 6000 controller,
The complete certificate chain is:
AddTrustExternalCARoot -> UTNAddTrustServer_CA -> TERENASSLCA -> wifielche_umh_es, so what I'm trying to do is open my certificate wifielche_umh_es.crt and append at the beginning the sequence UTNAddTrustServer_CA -> TERENASSLCA -> wifielche_umh_es (see wifi_elche jpg). (Three BEGIN-END sequences)
Then, I try to import the certificate into the controller and I get the error.
I don't have a controller around to test myself, but have you tried putting the -----BEGIN----- / -----END----- lines on separate lines instead of on the same line as shown? Can you import the certificate itself, so without the chain, fine?
I have tried putting BEGIN--END on different lines with the complete chain:
AddTrustExternalCARoot -> UTNAddTrustServer_CA -> TERENASSLCA -> wifielche_umh_es, but unsuccessfully.
Putting only the certificate wifielche.umh.es is OK.
I don't believe you ever want to do: AddTrustExternalCARoot -> UTNAddTrustServer_CA -> TERENASSLCA -> wifielche_umh_es, so <CA>-<int-CA>-<int-CA>-<cert>, either as CA or cert.
But you might want to do <int-CA>-<int-CA>-<cert> and import this as a cert, with format PEM, so not as a CA with format PK7. Could you try that?
Oh, and you probably need the certificate and key for your actual cert.
Sorry for including the CA root,
Now I have tried with UTNAddTrustServer_CA -> TERENASSLCA -> wifielche_umh_es, and I have tried to import it as PEM, but I get the error in "uploading2.jpg". Please note that I have tried to import it as PEM and ServerCert ("uploading1.jpg").
This is not an advertisement, but you can try to use the SSL converter site, https://www.sslshopper.com/ssl-converter.html, to combine and convert your certificates.
For the actual certificate, did you create it from a CSR on the Aruba?
At last, I have uploaded it successfully. The accepted file was formed by adding each intermediate CA at the end of the original certificate (wifielche.umh.es), each on a new line (see attached).
Now I don't get the typical message saying "Invalid certificate" due to not being able to validate the intermediate CA.
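As an added example (not part of the thread and not Aruba code), the Python sketch below assembles the file in the layout that was finally accepted: server certificate first, then each intermediate CA on its own lines, with the root left out. It goes beyond the thread by sorting the CA certificates by issuer/subject and by re-wrapping armor that has been run together on one line; the function names are hypothetical, and matching names on raw DER bytes is an assumption.

```python
# Added example: build a leaf-first PEM chain file from certificates in any order.
import base64, re, textwrap

ARMOR = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def pem_to_der(text):
    """DER bytes of every certificate in text; tolerates armor fused onto one line."""
    ders = [base64.b64decode("".join(b.split()), validate=True) for b in ARMOR.findall(text)]
    if not ders or any(d[:1] != b"\x30" for d in ders):
        raise ValueError("no certificate found, or body is not a DER SEQUENCE")
    return ders

def _tlv(buf, pos):
    """Read one DER element at pos; return (tag, value_start, element_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def issuer_subject(der):
    """Raw DER issuer and subject Names taken from tbsCertificate."""
    _, pos, _ = _tlv(der, 0)                 # Certificate SEQUENCE
    _, pos, _ = _tlv(der, pos)               # tbsCertificate SEQUENCE
    tag, _, end = _tlv(der, pos)
    if tag == 0xA0:                          # optional [0] version field
        pos = end
    fields = []
    for _ in range(5):                       # serial, sigAlg, issuer, validity, subject
        _, _, end = _tlv(der, pos)
        fields.append(der[pos:end])
        pos = end
    return fields[2], fields[4]

def build_bundle(leaf_pem, ca_pem):
    """Leaf first, then each intermediate in issuing order; self-signed root omitted."""
    by_subject = {issuer_subject(d)[1]: d for d in pem_to_der(ca_pem)}
    chain = [pem_to_der(leaf_pem)[0]]
    while (issuer := issuer_subject(chain[-1])[0]) in by_subject:
        ca = by_subject.pop(issuer)          # pop() also prevents endless loops
        if issuer_subject(ca)[0] == issuer_subject(ca)[1]:
            break                            # root CA: not part of the uploaded file
        chain.append(ca)
    out = []
    for der in chain:
        b64 = base64.b64encode(der).decode()
        out += ["-----BEGIN CERTIFICATE-----", *textwrap.wrap(b64, 64), "-----END CERTIFICATE-----"]
    return "\n".join(out) + "\n"
```

Call `build_bundle()` with the text of the server certificate and the text of a file holding the CA certificates in any order, then upload the returned text as PEM with certificate type Server Cert.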
Thanks for posting the solution, might help someone out in the future.
This just helped me, I just had the same issue.