Hi dear community,
I wanted to test Onboard with my existing Windows PKI to issue EST certificates to my switches.
I used this good video to get me started: EST and RADSEC with ClearPass, AOS-CX, and AOS 10 Gateways (youtube.com)
At first everything looked great, as requesting a cert from within ClearPass worked fine (see screenshot below).
The request is also shown under "issued certs" within the Windows PKI.
But as soon as I tried to request a cert via EST from a CX switch, problems started.
1: Within the EST profile the URL won't allow ".local" domains to be used. As my ClearPass cert is issued to a ".local" domain, I added the IPs of ClearPass to the SAN and then this problem was resolved.
--------------------------------------
2: The real problem: the certificate requests are not working as expected and the cert is always pending.
The switch-log is not much help:
certmgr[992]: Event|7717|LOG_ERR|UKWN|1|Failed to enroll certificate estcert with EST server est-enroll
certmgr[992]: Event|7708|LOG_INFO|UKWN|1|Certificate *.aruba.local verified and accepted
certmgr[992]: Event|7723|LOG_INFO|UKWN|1|Certificate *.aruba.local is cryptographically validated by CA certificate ArubaRootCA
Debug is also not of much help:
|certmgr|LOG_ERR|UKWN|1|PKI|PKI_MGMT|Failed requesting /cacerts for EST profile est-enroll. If device still initializing, it is expected. It will try again at cert enrollment with this EST profile.
Within ClearPass I can see the login of the user being a success.
Within the CA there are the following certs issued (which are the CNs used by ClearPass for the SCEP process):
What is the best way to troubleshoot all of this? Is there any obvious error you can see?
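As an added triage aid (not part of the original post or of any Aruba tooling), the script below parses the two certmgr record formats quoted above and works out which step of the EST flow the switch reached: the server certificate chained to ArubaRootCA (so TLS trust is fine), but the very first EST call, GET /cacerts, already failed. The sample log is constructed from the lines in the post; the field names after the event id (user, sequence, module) are assumptions about the layout.

```python
import re

# Constructed sample input: the AOS-CX certmgr lines quoted in the post above.
SAMPLE_LOG = """\
certmgr[992]: Event|7717|LOG_ERR|UKWN|1|Failed to enroll certificate estcert with EST server est-enroll
certmgr[992]: Event|7708|LOG_INFO|UKWN|1|Certificate *.aruba.local verified and accepted
certmgr[992]: Event|7723|LOG_INFO|UKWN|1|Certificate *.aruba.local is cryptographically validated by CA certificate ArubaRootCA
|certmgr|LOG_ERR|UKWN|1|PKI|PKI_MGMT|Failed requesting /cacerts for EST profile est-enroll. If device still initializing, it is expected. It will try again at cert enrollment with this EST profile.
"""

# Event-log record (assumed layout): certmgr[<pid>]: Event|<id>|<severity>|<user>|<seq>|<message>
EVENT_RE = re.compile(r"Event\|(?P<event>\d+)\|(?P<sev>LOG_\w+)\|[^|]*\|\d+\|(?P<msg>.*)$")
# Debug record (assumed layout): |certmgr|<severity>|<user>|<seq>|PKI|<module>|<message>
DEBUG_RE = re.compile(r"\|certmgr\|(?P<sev>LOG_\w+)\|[^|]*\|\d+\|PKI\|[^|]+\|(?P<msg>.*)$")
# Name of the EST profile / server the message refers to ("EST server est-enroll", "EST profile est-enroll.")
PROFILE_RE = re.compile(r"EST (?:server|profile) (\S+?)\.?(?:\s|$)")

def parse_line(line):
    """Return (severity, event_id_or_None, message), or None for lines that are not certmgr PKI records."""
    m = EVENT_RE.search(line) or DEBUG_RE.search(line)
    if not m:
        return None
    return m.group("sev"), m.groupdict().get("event"), m.group("msg")

def triage(log_text):
    """Walk the records and report how far the EST enrollment got before it failed."""
    result = {"ca_trust_ok": False, "cacerts_failed": False, "enroll_failed": False, "profile": None}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        _sev, event, msg = rec
        if "validated by CA certificate" in msg:
            result["ca_trust_ok"] = True        # EST server cert chained to the trusted root: TLS trust is fine
        if "Failed requesting /cacerts" in msg:
            result["cacerts_failed"] = True     # first EST HTTP call (GET /cacerts) failed
        if event == "7717" or "Failed to enroll" in msg:
            result["enroll_failed"] = True      # overall enrollment for the profile failed
        pm = PROFILE_RE.search(msg)
        if pm:
            result["profile"] = pm.group(1)
    # Earliest failing step wins: /cacerts comes before simpleenroll in the EST flow.
    if result["cacerts_failed"]:
        result["stage"] = "est-cacerts"         # trust OK, EST URL/path or server-side handling of /cacerts
    elif result["enroll_failed"]:
        result["stage"] = "est-enroll"          # /cacerts OK, enrollment request itself rejected or pending
    elif result["ca_trust_ok"]:
        result["stage"] = "tls-ok"
    else:
        result["stage"] = "unknown"
    return result
```

Running `triage(SAMPLE_LOG)` on the quoted lines yields stage `est-cacerts` for profile `est-enroll`, which narrows the search to the EST URL and the ClearPass side of the /cacerts request rather than to the CA trust chain.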