Security

  • 1.  Clear Pass Onboard Intermediate CA CSR issue

    Posted May 22, 2019 11:40 AM

    I am trying to set up an Intermediate CA for onboarding devices for WiFi. I select the second option, Intermediate CA, using 2048-bit RSA and SHA-256. When I take the CSR and rekey it in GoDaddy, it says that it is invalid. I spoke to GoDaddy and they say the CSR looks fine and they are not sure why it is not working. Can anyone help me with this issue?



  • 2.  RE: Clear Pass Onboard Intermediate CA CSR issue

    Posted May 22, 2019 01:53 PM
    You have your own intermediate CA from GoDaddy?


  • 3.  RE: Clear Pass Onboard Intermediate CA CSR issue

    Posted May 23, 2019 08:33 AM

    Let me clarify: I am trying to set up a Certificate Authority in ClearPass using the Intermediate CA option. We will use this for onboarding employee devices to WiFi. I was able to do this with a self-signed cert, but when it gets loaded on the user's device the certificate profile states it is not verified (see screenshot). We would like the cert to show as verified on the user's device. I opened a ticket with a ClearPass engineer and they told me that I needed to purchase a certificate and import it into the Intermediate CA in ClearPass that I created. GoDaddy is not accepting the CSR that was generated in the ClearPass system.



  • 4.  RE: Clear Pass Onboard Intermediate CA CSR issue

    Posted May 23, 2019 09:28 AM

    You can just upload your CPPM HTTPS certificate as a code signing certificate in Onboard and select it as the macOS/iOS signing certificate in the provisioning settings.



  • 5.  RE: Clear Pass Onboard Intermediate CA CSR issue
    Best Answer

    Posted May 24, 2019 04:12 AM

    To follow up on your original question, the trust of the profile has nothing to do with the Onboard CA. The Onboard CA issues the client certificates and does not need to be trusted by the client, just by ClearPass.

    Also, you won't be able to request a publicly trusted intermediate CA certificate from any certificate authority, as that would effectively allow you to generate any number of HTTPS certificates that would be trusted by any browser. People would love to have such an intermediate for intercepting SSL connections, but that would break the whole SSL trust model, as only trusted CAs should be able to generate trusted certificates.

    As Tim mentioned, you are probably looking at uploading a Profile signing certificate rather than an intermediate Onboard CA.

    This can be configured in Onboard » Deployment and Provisioning » Provisioning Settings



  • 6.  RE: Clear Pass Onboard Intermediate CA CSR issue

    Posted May 24, 2019 01:46 PM

    Then why is there an Intermediate option for setting up a new certificate authority? Should I just be using the Local Certificate Authority and then apply my cert (GoDaddy cert) under the provisioning settings? The goal is that when an employee onboards a device and installs the enrollment profile, it says verified.



  • 7.  RE: Clear Pass Onboard Intermediate CA CSR issue

    Posted May 24, 2019 01:51 PM
    The CA configuration has nothing to do with profile signing. As I mentioned, just use the CPPM HTTPS cert as the profile signing cert.


  • 8.  RE: Clear Pass Onboard Intermediate CA CSR issue

    Posted May 28, 2019 03:11 PM

    The option to create an intermediate CA for Onboarding is for corner case scenarios, like where a customer insists on having the Onboarding CA as an Intermediate in their Enterprise CA. While it sounds nice, that is a bad idea in most cases. I would always create the Onboard CA as an isolated 'Root' and deviate from that only if you know exactly what the security implications are: the client certificates that users receive on their unmanaged devices are trusted throughout the company by any device that trusts the enterprise PKI. Even if you know the implications, make sure the security team agrees that you need to have an intermediate.

    Have you already tried to upload your HTTPS Server certificate as a profile signing certificate? That should fix your profile trust.



  • 9.  RE: Clear Pass Onboard Intermediate CA CSR issue

    Posted May 29, 2019 08:39 AM

    I set the option to use my HTTPS certificate as a profile signing certificate and it now shows verified before you install it. Once you click install, it then says not verified. Why is it going from verified to not verified? See the attached screenshot.



  • 10.  RE: Clear Pass Onboard Intermediate CA CSR issue

    Posted May 29, 2019 09:52 AM

    I tried on another device and it's showing verified even after it is installed. Thank you so much for your guidance. I lost a lot of hours with Tech Support. I will post here first next time.