You didn't actually import the root CA, you imported the intermediate CA as a TrustedCA.
IntermediateCA = any/all certificates for intermediate issuing CAs in the trust chain
Also, you're better off placing those images directly in this thread rather than an uploaded document.
Original Message:
Sent: Jan 16, 2025 09:50 AM
From: Rajat Sharma
Subject: Configure download user role in aruba controller from clearpass
Hi
Yes we have exported the CA bundle and uploaded this to controller Trusted list. I also attached the document of configuration for your reference .
Original Message:
Sent: 1/16/2025 9:26:00 AM
From: chulcher
Subject: RE: Configure download user role in aruba controller from clearpass
Have you added the CA bundle to the trusted list on the controller?
If you want the controller to trust a certificate presented by another device then the controller has to have a TrustedCA/IntermediateCA imported that matches the trust chain of the certificate presented. ServerCert is for certificates that you want the controller to use when communicating with other devices.
------------------------------
Carson Hulcher, ACEX#110
Original Message:
Sent: Jan 16, 2025 06:15 AM
From: Rajat Sharma
Subject: Configure download user role in aruba controller from clearpass
Hi
we did same as you said but still facing same error . please check the attached document to review the config.
hanks team for helping us...
Original Message:
Sent: Jan 16, 2025 05:38 AM
From: GorazdKikelj
Subject: Configure download user role in aruba controller from clearpass
Hi.
Just export trusted chain bundle as PEM and import it to controller as Trusted Cert.

Best, Gorazd
------------------------------
Gorazd Kikelj
MVP Guru 2024
Original Message:
Sent: Jan 16, 2025 05:33 AM
From: Rajat Sharma
Subject: Configure download user role in aruba controller from clearpass
Hi,
I am trying to export clearpass ca certificate which is in .12 format.When i am trying to import this on mobility controller as trusted ca it is given ca flag error.
Original Message:
Sent: Jan 16, 2025 05:00 AM
From: GorazdKikelj
Subject: Configure download user role in aruba controller from clearpass
Looks like your trust CA chain is not complete or missing on the controller.
Best, Gorazd
------------------------------
Gorazd Kikelj
MVP Guru 2024
Original Message:
Sent: Jan 16, 2025 04:54 AM
From: Rajat Sharma
Subject: Configure download user role in aruba controller from clearpass
please check it once again the logs file
Original Message:
Sent: Jan 16, 2025 03:53 AM
From: Herman Robers
Subject: Configure download user role in aruba controller from clearpass
I don't see certificate errors. Here is a video on Downloadable User Roles on controllers, it covers it combined with downloadable roles on AOS-CX, but also has controllers.
Are you aware that downloadable roles for Instant are different from downloadable roles on controllers? You should have separate configuration for each of them.
Personally I'm not a fan of Downloadable Roles on controllers as you configure controllers centrally in most cases and if a role is already on the controller there is no need to download it and in most cases it just adds complexity.
If you have errors on the certificate, check that you have your ClearPass configuration based on the FQDN (domain name) not on IP address; also make sure that the RootCA that issued the ClearPass Web Server certificate is added as Trusted CA in your controller and that ClearPass only has either RSA or ECC enabled for it's Web server certificate.
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your HPE Aruba Networking partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact HPE Aruba Networking TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or HPE Aruba Networking.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
Original Message:
Sent: Jan 16, 2025 03:39 AM
From: Rajat Sharma
Subject: Configure download user role in aruba controller from clearpass
facing this issue on the controller
Original Message:
Sent: Jan 16, 2025 02:50 AM
From: Rajat Sharma
Subject: Configure download user role in aruba controller from clearpass
Hi Team our download user role is working fine with Aruba Instant , but we want to do also with aruba controller clearpass is pushing the roles to the controller but when i check logs on controller it is giving regarding the certificate. could you provide me full document to achieve this with proper certificate and configauration.