Hi all,
First, let me preface this by saying I know pretty much NOTHING about certificates, including many of the acronyms. (Please don't shoot me... never had cause to learn about certificates. I DO know what SSL stands for, though! :) ) So, I may need a bit of hand-holding with a solution. But here's what I have, and where I'm running into a problem.
I realize this may make things more complicated, but we have a wildcard certificate for our domain through DigiCert. They call it their WildCard Plus product. It's so that we can buy one certificate and use it on ALL of our web servers that require SSL certificates. DigiCert lets you request a "duplicate" certificate with the common name of the specific server as one of the SANs. The certificate's primary name is still *.powayusd.com. So in this case, I have a duplicate certificate for cppm.powayusd.com. I downloaded the certificates from DigiCert and got 3 files: TrustedRoot.crt (I believe this is the certificate for the DigiCert root CA); DigiCertCA.crt (intermediate CA, I believe); and star_powayusd_com.crt (the actual SSL certificate).
First problem: In CPPM (not Onboard or Guest), under Administration --> Certificates --> Server Certificate, the first entry has the certificate for *.powayusd.com, the second entry (Intermediate CA Certificate) has the DigiCert intermediate CA, and the third entry (Root CA Certificate) has the DigiCert root CA. When I connect a device to our secure server using simple username/password authentication (e.g. an iPad, tap on SSID, enter username and password, accept certificate, done), the certificate comes up and says "Not Trusted." This is on an iPad. The name of the certificate shows up as "*.powayusd.com." I'm not sure if this is because the iPad doesn't trust DigiCert as a CA, or if it's a complication of using the wildcard certificate, or something else.
Second problem: In Onboard --> Certificate Authorities, I defined a new CA. When I created the new CA, I chose the "Root CA" mode. Fast forward to creating a Configuration Profile and Provisioning Settings. When I go to onboard my Mac Mini, after importing the certificate, Keychain Access shows the "ClearPass Onboard Local Certificate Authority" but shows that it is not trusted. (I assume this is because I'm using ClearPass Onboard as the root CA.) Then, after installing my enrollment profile, my Mac connects successfully, but the profile shows "Unverified" next to the profile name in System Preferences --> Profiles. Since, when onboarding devices, our staff would much rather see "Verified" than "Unverified," I'm trying to figure out how to make this happen.
I have tried creating a new CA in Onboard, using both the "Intermediate CA" and "Imported CA" modes.
When I chose "Intermediate CA," it created a new CSR. I copied that CSR, went to DigiCert, requested a duplicate certificate, pasted the CSR, gave it the name (cppm.powayusd.com), and a few minutes later, I had a new certificate to download. It contained the same 3 filenames as for ClearPass up above. When I try to import the Intermediate CA file (DigiCertCA.crt), it comes back and tells me "The private key does not correspond to any of the available certificates." Never mind that it never prompted me for a private key file; there was only one "Browse" button next to "Certificate." If I try to import the Trusted Root file, I get the same message. If I try to import the star_powayusd_com.crt file, I get "Certificate is not a CA," which of course, it's not.
When I chose "Imported CA," it wants both a certificate file and a private key file. I don't have a private key file. When I try uploading any of the .crt files, I get the same "The private key does not correspond..." message.
As I mentioned, and as I'm sure you've figured out, I don't have a clue how to proceed with this. Any advice will be greatly appreciated. Thanks!
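The three-file chain the post describes (root CA, intermediate CA, wildcard server certificate with a host-specific SAN) and the two checks that sit behind the error messages quoted above ("The private key does not correspond..." and "Certificate is not a CA"), as an added example that is not part of the original post or of ClearPass: a shell script that builds a throwaway chain with openssl under a made-up domain (example.test), then tests whether a private key belongs to a given certificate, whether a certificate carries basicConstraints CA:TRUE, and whether the chain verifies and the wildcard covers a hostname. The domain, subjects, file names and working directory are all assumptions made for the demo.

```shell
#!/bin/sh
# Added example (not from the original post): a throwaway
# root -> intermediate -> wildcard server chain built with openssl,
# plus the checks behind the two error messages quoted in the post:
#   "The private key does not correspond..."  -> key_matches_cert
#   "Certificate is not a CA"                 -> is_ca
# Domain names and subjects (example.test) are made up for the demo.
set -e
WORK=$(mktemp -d)

# Extension profiles in openssl extfile syntax (assumed names).
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:*.example.test,DNS:cppm.example.test\n' > "$WORK/srv.ext"

# 1. Root CA: self-signed, CA:TRUE (plays the role of TrustedRoot.crt).
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Root CA" \
    -keyout "$WORK/root.key" -out "$WORK/root.csr" 2>/dev/null
openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 30 \
    -extfile "$WORK/ca.ext" -out "$WORK/root.crt" 2>/dev/null

# 2. Intermediate CA: its own key, CSR signed by the root, CA:TRUE (like DigiCertCA.crt).
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate CA" \
    -keyout "$WORK/int.key" -out "$WORK/int.csr" 2>/dev/null
openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 30 -extfile "$WORK/ca.ext" -out "$WORK/int.crt" 2>/dev/null

# 3. Server cert: wildcard CN plus a host-specific SAN, CA:FALSE (like star_powayusd_com.crt).
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=*.example.test" \
    -keyout "$WORK/srv.key" -out "$WORK/srv.csr" 2>/dev/null
openssl x509 -req -in "$WORK/srv.csr" -CA "$WORK/int.crt" -CAkey "$WORK/int.key" \
    -CAcreateserial -days 30 -extfile "$WORK/srv.ext" -out "$WORK/srv.crt" 2>/dev/null

# key_matches_cert KEY CERT: does this private key belong to this certificate?
# Compares the public key embedded in the cert with the public half of the key.
key_matches_cert() {
    [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = "$(openssl x509 -in "$2" -noout -pubkey)" ]
}

# is_ca CERT: may this certificate sign other certificates (basicConstraints CA:TRUE)?
is_ca() {
    openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# chain_ok ROOT INTERMEDIATE LEAF HOSTNAME: does the leaf chain to the root through
# the intermediate, and does its SAN list (wildcard included) cover HOSTNAME?
chain_ok() {
    openssl verify -CAfile "$1" -untrusted "$2" -verify_hostname "$4" "$3" >/dev/null 2>&1
}

# Usage: the combinations that correspond to the situation in the post.
if key_matches_cert "$WORK/srv.key" "$WORK/srv.crt"; then
    echo "srv.key / srv.crt: the key that produced the CSR matches the issued cert"
fi
if ! key_matches_cert "$WORK/srv.key" "$WORK/int.crt"; then
    echo "srv.key / int.crt: private key does not correspond (issuer's cert, issuer's key)"
fi
if ! is_ca "$WORK/srv.crt"; then echo "srv.crt: certificate is not a CA"; fi
if is_ca "$WORK/int.crt"; then echo "int.crt: CA:TRUE"; fi
if chain_ok "$WORK/root.crt" "$WORK/int.crt" "$WORK/srv.crt" cppm.example.test; then
    echo "chain verifies and *.example.test covers cppm.example.test"
fi
```

The mismatch case (`srv.key` against `int.crt`) is the shape of the post's error: an intermediate CA certificate is paired with the issuer's own private key, so no key generated elsewhere can correspond to it, and a certificate issued from a server CSR carries CA:FALSE, so it cannot be imported as a CA. The last check also shows that a wildcard SAN matches exactly one label (`cppm.example.test`), which is why the host-specific SAN in the post's duplicate certificate is relevant for names at other depths.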