Super Contributor I

Certificate Chain Was Broken for Onboarding Hosts When CPPM Cert Replace

My certificate chain for CPPM:

  • Corp. (Self-signed) Root-CA (1)
    • Corp. Intermediate CA (2)
      • ClearPass Policy Management (2a)
      • Domain hosts (2b)

My Certificate chain for Onboarding with CPG is the Intermediate CA:

  • Corp. (Self-signed) Root-CA (1)
    • Corp. Intermediate CA (2)
      • ClearPass Guest/Onboarding Intermediate CA (4)
        • Onboarded hosts (4a)

Notes on the numbers:

  • 1: RootCA
  • 2 and 4: IntermediateCA
  • 2x and 4x: hosts that have certs issue by 2 or 4

Problem: When CPPM radius certificate (2a) expired and new certificate was installed, although cert (1), (2) and (4) were not changed,  all onboarded hosts cert (4a) chain were broken and required re-onboarding to work.  All domain hosts with cert (2b) are working normal as expected.


Any explains? Design flaw? Better design suggestions?



~Trinh Nguyen~
Boys Town
Guru Elite

Re: Certificate Chain Was Broken for Onboarding Hosts When CPPM Cert Replace

That is probably because your onboard client is configured to trust the Server Specifically, and not just the Root CA that you are issuing it from.  if it only trusts a specific server, if that server is not authenticating, it will not work.


In Onboard, under Network Settings> Enterprise Trust, manually configure it to trust the CA Certificate, and any Server Cert that has been issued by tha CA will be trusted by the client:



*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
ArubaOS 8.3 User Guide
InstantOS 8.3 User Guide
Airheads Knowledgebase
Airheads Learning Videos

Re: Certificate Chain Was Broken for Onboarding Hosts When CPPM Cert Replace

Did you keep the common name (CN) on the new ClearPass RADIUS certificate the same? If you change it (single change character is enough), you will get the results that you see.


Try to avoid changing RADIUS certificates as much as possible, so use certificates that live as long as possible. And if you change the cert, make sure the certificate hierarchy (so root CA) and at least the CN is exactly the same for the new cert.


I see that you have your Onboard CA for issueing client certificates as an intermediate to your enterprise root. That is something I would avoid,unless you have a very good reason to bind Onboard in your enterprise PKI; and understand the consequences like that any Onboard generated certificate has full authority in the enterprise trust scope. I prefer to keep the Onboard CA as a standalone. Makes it easier to deploy, less dependencies, and no worries about unintended trust for onboard client certs in your enterprise PKI.

If you have urgent issues, please contact your Aruba partner or Aruba TAC (click for contact details).
Super Contributor I

Re: Certificate Chain Was Broken for Onboarding Hosts When CPPM Cert Replace

Thank you both for very well writen solutions and suggestions. 


Herman, it likes the light bulb just turns on in my head.  I was unclear about certificates and trust for Onboarding.   I thought for BYOD to access enterprise secured network, they must be trust by enterprise RootCA because I can only install one Radius ClearPass certificate for both enterprise domain hosts and for BYOD.  So I requested ClearPass Guest to be Intermediate CA in enterprise PKI. 


Now looking at the Network Settings >> Enterprise Trust that Colin pointed out, the automatic setting will trust all ClearPass servers in the cluster.


It would be a lot easier to configure CPG as a RootCA to issue certificates to BYOD.     


Best regards,

~Trinh Nguyen~
Boys Town
Search Airheads
Showing results for 
Search instead for 
Did you mean: