Security

 View Only
Expand all | Collapse all

Captive portal certificate error with wildercard cert

This thread has been viewed 78 times
  • 1.  Captive portal certificate error with wildercard cert

    Posted Jun 06, 2023 12:06 PM
    Edited by OESTech Jun 06, 2023 12:10 PM

    Hi All,

    I've setup a guest Wi-Fi with my Aruba controllers and Clearpass standalone.  I have a Digicert wildcard certificate I installed on the controller for *.domain.com with the use of "ServerCert." 

    Once I installed the certificate on the controller, I can click on it and see the "issued to" name is *.domain.com

    I also installed the intermediate and root certificates with uses of "intermediateCA" and "TrustedCa" respectively.

    I then went to System -> Profiles -> Otherprofiles -> Web server configuration and set the captive portal certificate to the server certificate I just installed.

    For Clearpass, I installed the wildcard intermediate and root in the Trusted list.

    When the client connects, I get a certificate error that "Unable to verify the identity of the website captiveportal-login.domain.com."  If I click show certificatae, I can see our wildcard, I can see it's not expired, but it reads, "*.domain.com is not trusted."

    Does this need Internet access to validate the certificate?  My Guest-logon role only allows internal access to Clearpass.  Am I using the incorrect web site for the captiveportal login?

    Thanks for your help



  • 2.  RE: Captive portal certificate error with wildercard cert

    Posted Jun 06, 2023 12:09 PM

    BTW, My Clearpass server has its own certificate clearpass.domain.com.  It's not using the wildcard




  • 3.  RE: Captive portal certificate error with wildercard cert

    Posted Jun 06, 2023 06:33 PM

    generally when the client first connect to Guest  network the initial splash pages comes from ClearPass guest. is that when the client is getting the warning?



    ------------------------------
    If my post was useful accept solution and/or give kudos.
    Any opinions expressed here are solely my own and not necessarily that of HPE or Aruba.
    ------------------------------



  • 4.  RE: Captive portal certificate error with wildercard cert

    Posted Jun 06, 2023 06:39 PM

    Thanks for the reply.  No.  I get the Clearpass captive portal page.  I enter my Guest credentials, click connect, then I get the warning.




  • 5.  RE: Captive portal certificate error with wildercard cert

    Posted Jun 06, 2023 06:47 PM

    in the weblogin page that you have configured on ClearPass guest, what hostname are you using in the "Login" section of that weblogin?



    ------------------------------
    If my post was useful accept solution and/or give kudos.
    Any opinions expressed here are solely my own and not necessarily that of HPE or Aruba.
    ------------------------------



  • 6.  RE: Captive portal certificate error with wildercard cert

    Posted Jun 06, 2023 06:54 PM

    I beleve this is the setting:  my understanding this is what to use if you're using a wildcard certificate.




  • 7.  RE: Captive portal certificate error with wildercard cert

    Posted Jun 06, 2023 06:58 PM

    ok this setting is correct, so now the controller should have a wildcard cert with that domain. 

    what is the SAN field of the wild card cert that you have installed on the controller for captive portal usage?



    ------------------------------
    If my post was useful accept solution and/or give kudos.
    Any opinions expressed here are solely my own and not necessarily that of HPE or Aruba.
    ------------------------------



  • 8.  RE: Captive portal certificate error with wildercard cert

    Posted Jun 06, 2023 07:03 PM

    oh.  I didn't add a SAN when I bought it.  Will I need to have it reissued with a SAN that reads captiveportal-login.domain.com?  I would like to use this for my Clearpass server too.  Maybe I should have both names added?




  • 9.  RE: Captive portal certificate error with wildercard cert

    Posted Jun 06, 2023 07:09 PM

    yes you need SAN field for wildcard certs and you could use it for your clearpass node as well. 

    no you should not add captiveportal-login.domain.com as a SAN. 

    "captiveportal-login" just tells the controller / IAP to use their wildcard cert for captive portal redirection.



    ------------------------------
    If my post was useful accept solution and/or give kudos.
    Any opinions expressed here are solely my own and not necessarily that of HPE or Aruba.
    ------------------------------



  • 10.  RE: Captive portal certificate error with wildercard cert

    Posted Jun 07, 2023 12:57 PM

    Thanks for your help ariyap.  I was able to reissue the certificate with the SANs.  I've installed it on the controller and assigned it to the captive portal.  But I'm still getting the error with the new certificate.  Any other ideas?




  • 11.  RE: Captive portal certificate error with wildercard cert

    Posted Jun 07, 2023 06:50 PM

    you should not add captiveportal-login.domain.com as a SAN. 



    ------------------------------
    If my post was useful accept solution and/or give kudos.
    Any opinions expressed here are solely my own and not necessarily that of HPE or Aruba.
    ------------------------------



  • 12.  RE: Captive portal certificate error with wildercard cert
    Best Answer

    Posted Jun 13, 2023 11:43 AM

    Hi,

    I think I figured it out.  You have to import the CA bundle into the controller.  I was uploading a Root, Intermediate, then the certificate with private key.  But the way to do it is import the certificate bundle with the private key and now it's working.  Just a note for anyone who sees this in the future.