Aruba Central

 View Only
last person joined: 2 days ago 

Expand all | Collapse all

ClearPass EAP server side Digicert certificate not trusted by Apple iOS devices

This thread has been viewed 26 times
  • 1.  ClearPass EAP server side Digicert certificate not trusted by Apple iOS devices

    Posted Jan 19, 2023 10:52 AM
    Hi  All

    As the tile says, I am facing a problem where Clearpass EAP(server) certificate CA
    is not supported by latest iOS devices.

    My organization is using <ClearPass Guest 6.10.6.186545 [Cloud] on C3000V platform>.

    We are providing Wi-FI(WPA2 Enterprise) to our customer with ClearPass as the RADIUS server.
    Our authentication method is EAP-PEAP.

    Above ClearPass server uses <DigiCert Global Root G2> as a root certificate.
    The serial number of this certificate is as follows:
    <08:5f:94:c0:2d:85:7b:e8:cc:14:ff:53:ed:a2:3e:2a>

    iOS 16 for instance, trusts the same <DigiCert Global Root G2> as a root certificate
    but with a different serial number(so a different certificate in the end, validity is different as well).
    The serial number of the root Digicert certificate that iOS 16 devices trust is as follows:
    <03:3a:f1:e6:a7:11:a9:a0:bb:28:64:b1:1d:09:fa:e5>

    I would like to know what can I do to remedy this situation?

    Can I, for example, import the latest <DigiCert Global Root G2> certificate in ClearPass?

    If yes, what will happens with older iOS devices that still trusts this old <DigiCert Global Root G2>
    root certificate?

    TIA!




  • 2.  RE: ClearPass EAP server side Digicert certificate not trusted by Apple iOS devices
    Best Answer

    EMPLOYEE
    Posted Jan 20, 2023 08:34 AM
    These are two different certificates.

    I think you will find here that the certificate you are referencing on the ClearPass server is actually the DigiCert Global G2 TLS RSA SHA256 2020 CA1 certificate. This is an intermediate certificate which signs the server certificate you have installed on ClearPass. The root certificate for this is DigiCert Global Root G2. 

    It is likely that you will find the DigiCert Global Root G2 is already in the ClearPass certificate trust store. The serial number should show as 4293743540046975378534879503202253541, which is a decimal conversion from its hex equivalent 33AF1E6A711A9A0BB2864B11D09FAE5.

    Something else is going on here. I think I've seen someone else raise an issue with iOS 16 devices and EAP. It might be worth opening a TAC case to see if they can help get to the bottom of the issue with you.


  • 3.  RE: ClearPass EAP server side Digicert certificate not trusted by Apple iOS devices

    Posted Jan 25, 2023 12:08 AM
    Hi ProbeRequest

    Thank you for your answer and sorry for the delay with mine.

    I could verify that what I thought was the root certificate was in fact a CA intermediate certificate.
    I also could verify that this intermediate CA certificate is still supported by Digicert.

    I also could verify that DigiCert Global Root G2 is in ClearPass truststore.

    So the certificate for our server for the EAP-PEAP authentication
    is issued from a valid intermediate CA certificate;
    and this intermediate CA certificate is issued from DigiCert Global Root G2 certificate
    (which is valid as well).

    So it should be valid

    As you advised, I think I will open a TAC with ClearPasss.

    Again thank you for your input.

    Cheers!




  • 4.  RE: ClearPass EAP server side Digicert certificate not trusted by Apple iOS devices

    Posted Feb 26, 2023 08:18 PM

    Hi All,

    Just for the posterity and somebody in the same situation;

    I opened a case with ARUBA TAC and the conclusion is as follows:

    -iPhone devices need the infrastructure certificate

     installed via MDM or AppleConfigurator

    <https://support.apple.com/en-in/HT204477#:~:text=If%20you%20want%20to%20turn,Mobile%20Device%20Management%20(MDM).>

    Cannot installed the cert manually via downloading it from HTTP server.

    So, even if your certificate is a legit one signed by a certificate authority,

    if you do not install it on the iPhone device, 

    "Not Trusted" message will not disappear.

    Cheers!