Wireless Access

last person joined: 34 minutes ago 

Access network design for branch, remote, outdoor and campus locations with Aruba access points, and mobility controllers.
Expand all | Collapse all

Installing server certificate and all the intermediate chain for CA Authorities

Jump to Best Answer
  • 1.  Installing server certificate and all the intermediate chain for CA Authorities

    Posted Feb 28, 2013 07:03 AM

    I post this message here to know if is it possible to install in a 6000 controller a server certificate which can include all the intermediate CA Authorities, I mean I have requested a certified for my controller, but this certificate is not issued by Root CA, there are some intermediate CA and I want to know if is it possible to install the complete chain so when a user go to the captive portal the message " certificate not valid" wount show due to not having some intermediate CA installer in his/her browser.



  • 2.  RE: Installing server certificate and all the intermediate chain for CA Authorities

    Posted Feb 28, 2013 08:06 AM

    It sounds like you know how to obtain a public server cert already (CSR, PEM format, etc).  Once you have that, you can take the server cert and then append the intermediate cert to the bottom of the file. Then take that entire file and add it to your controller.  That will give you the server and intermediate certs in one file.

     

    You upload the file as a PEM format and Server Cert certificate type.  Once uploaded you can edit your captive portal, web administration and dot1x authentication settings to reference the new cert.

     

    Thanks,

     

    Ian



  • 3.  RE: Installing server certificate and all the intermediate chain for CA Authorities

    Posted Feb 28, 2013 08:26 AM

    Sorry, but I have tried it, appened the intermediate CA certificates at the end of the cert file and at the beginning too, but the controllers always says " Error Uploading Certificate: Error in cert format".

     

    Any other suggestion,  am I doing something bad?

     



  • 4.  RE: Installing server certificate and all the intermediate chain for CA Authorities

    Posted Mar 06, 2013 02:58 PM

    which other settings do you use when importing, please show a screenshot or list them all.



  • 5.  RE: Installing server certificate and all the intermediate chain for CA Authorities

    Posted Mar 08, 2013 09:12 AM

    OK, let's clarify things a bit more,

     

    I have a server certificate (wifielche_umh_es.crt) issued by a CA in response to CSR from my 6000 controller,

    The complete certificate chain is:

    AddTrustExternalCARoot ->UTNAddTrustServer_CA->TERENASSLCA->wifielche_umh_es, so what I'm trying to do is open my certificate wifielche_umh_es.crt and append at the begining the sequence UTNAddTrustServer_CA->TERENASSLCA->wifielche_umh_es (see wifi_elche jpg). (Three BEGIN-END sequences)

     

    Then, I try to import the certificate into the controller and I get the error.

     



  • 6.  RE: Installing server certificate and all the intermediate chain for CA Authorities

    Posted Mar 08, 2013 09:12 AM

    OK, let's clarify things a bit more,

     

    I have a server certificate (wifielche_umh_es.crt) issued by a CA in response to CSR from my 6000 controller,

    The complete certificate chain is:

    AddTrustExternalCARoot ->UTNAddTrustServer_CA->TERENASSLCA->wifielche_umh_es, so what I'm trying to do is open my certificate wifielche_umh_es.crt and append at the begining the sequence UTNAddTrustServer_CA->TERENASSLCA->wifielche_umh_es (see wifi_elche jpg). (Three BEGIN-END sequences)

     

    Then, I try to import the certificate into the controller and I get the error.

     



  • 7.  RE: Installing server certificate and all the intermediate chain for CA Authorities

    Posted Mar 09, 2013 07:50 AM

    don't have a controller around to test myself, but have you tried putting the ----BEGIN---- / ----- END ---- lines on seperate lines instead of on the same line as shown? can you import the certificate itself, so without chain, fine?



  • 8.  RE: Installing server certificate and all the intermediate chain for CA Authorities

    Posted Mar 11, 2013 04:49 AM

    Hello,

     

    I have tried putting BEGIN--END in different lines with the complete chain:

     

    AddTrustExternalCARoot ->UTNAddTrustServer_CA->TERENASSLCA->wifielche_umh_es   but unsuccessfully.

     

    Putting only the certificate wifielche.umh.es is OK.

     

     



  • 9.  RE: Installing server certificate and all the intermediate chain for CA Authorities

    Posted Mar 11, 2013 06:13 AM

    i don't believe you ever want to do: AddTrustExternalCARoot ->UTNAddTrustServer_CA->TERENASSLCA->wifielche_umh_es, so <CA>-<int-CA>-<int-CA>-<cert> either as CA or cert.

     

    but you might want to do <int-CA>-<int-CA>-<cert> and import this as a cert, with format PEM, so not as a CA with format PK7. could you try that?

     

    oh and you probably need the certificate and key for your actual cert.



  • 10.  RE: Installing server certificate and all the intermediate chain for CA Authorities

    Posted Mar 11, 2013 08:05 AM

    Sorry for including the CA root,

     

    Now I have tried with UTNAddTrustServer_CA->TERENASSLCA->wifielche_umh_es, and I have tried to import it as PEM but I get the error in "uploading2.jpg", please, note that I have tried to import it as PEM and ServerCert "uploading1.jpg".



  • 11.  RE: Installing server certificate and all the intermediate chain for CA Authorities

    Posted Mar 11, 2013 08:59 AM

    This is not an advertisement but you can try to use the SSL converter site ;  https://www.sslshopper.com/ssl-converter.html to combine and convert your certificates:

     

    ssl.png



  • 12.  RE: Installing server certificate and all the intermediate chain for CA Authorities

    Posted Mar 11, 2013 03:06 PM

    for the actual certificate, did you create it from a CSR on the Aruba?



  • 13.  RE: Installing server certificate and all the intermediate chain for CA Authorities

    Posted Mar 11, 2013 04:14 PM
    Sure!!


  • 14.  RE: Installing server certificate and all the intermediate chain for CA Authorities
    Best Answer

    Posted Mar 12, 2013 06:30 AM
      |   view attached

    OK,

     

    At last, I have uploaded it successfully, the file accepted has been formed by

     

    wifielche.umh.es(final certificate)-->TERENASSLCA-->UTNAddTrustServerCA

     

    adding each Intermediate CA at the end of original certificate (wifielche.umh.es) at new line. (see attached)

     

    Now I don't have the typical message saying the "Invalid certificate" due to not be able to validate intermediate CA.



  • 15.  RE: Installing server certificate and all the intermediate chain for CA Authorities

    Posted Mar 20, 2013 03:46 AM

    thanks for posting the solution, might help someone out in the future.



  • 16.  RE: Installing server certificate and all the intermediate chain for CA Authorities

    Posted Feb 25, 2017 01:23 PM

    This just help me, i just had the same issue

    Thank you!!

     

    Cheers

    Carlos



  • 17.  RE: Installing server certificate and all the intermediate chain for CA Authorities

    Posted Mar 11, 2013 04:15 PM
    I will try it tomorrow, I will keep you updated