Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

The ClearPass HTTPS server root certificate is not trusted by Apple.

  • 1.  The ClearPass HTTPS server root certificate is not trusted by Apple.

    Posted Oct 02, 2019 01:13 AM

    Hi there,

    I have a customer who has a Public CA signed certificate in ClearPass for HTTPS. However I am getting the warnings on ClearPass:

    "The ClearPass HTTPS server root certificate is not trusted by Apple. This will cause enrollment over HTTPS to fail on iOS devices."

    Windows and Android devices have no issues trusting the ClearPass captive portal. And even when I browse to the portal (the captive portal doesn't automatically pop up on Apple), the site is secure.

    Although I am getting trust warnings when using OnBoard with iOS devices, I don't yet have a trusted CA-signed EAP cert, so I suspect this is the issue. When I enter the site in various SSL checkers on the Internet, the iOS emulation on all versions says that it is trusted?

    It's a 'Sectigo' CA certificate (formerly COMODO). I only see the serial number of the Sectigo Root CA (4C AA F9 CA DB 63 6F E0 1F F7 4E D8 5B 03 86 9D) in the list below.

    https://support.apple.com/en-au/HT209144#trusted

    Why would ClearPass present me with those errors?

    -Brett



  • 2.  RE: The ClearPass HTTPS server root certificate is not trusted by Apple.

    Posted Oct 02, 2019 10:54 AM

    AFAIK your onboard certificate does not need to be publicly signed (if you're talking about the device certificate root and intermediate).

    I believe the proper way is to use the same publicly signed certificate for HTTPS and EAP. Are you including the full chain when uploading to CPPM? The way I've done it is to have the CSR generated off ClearPass, and then upload a PKCS12 .p12 file to your ClearPass boxes. I use multi-SAN.

    The first thing to check is to make sure you're uploading the full chain into CPPM.



  • 3.  RE: The ClearPass HTTPS server root certificate is not trusted by Apple.

    Posted Oct 02, 2019 08:54 PM

    The full chain for the HTTPS certificate exists in ClearPass:

    [screenshot: Cert Trust.png]

    Here's the error I am talking about (in OnBoard):

    [screenshot: Cert Trust2.png]

    It says it's referring to HTTPS and NOT EAP. But as I said, Apple devices CAN browse to the ClearPass FQDN with no issues, so it is trusted by Apple.

    I have told the customer to purchase a multi-SAN cert to cover both ClearPass servers and will use this for EAP purposes.

    Is the above error referring to EAP and not HTTPS? Despite it saying HTTPS? I guess I will know once the new EAP cert is uploaded. If it is an EAP error, it just would have saved a lot of confusion if it referred to EAP and not HTTPS.

    -Brett



  • 4.  RE: The ClearPass HTTPS server root certificate is not trusted by Apple.

    Posted Oct 02, 2019 09:08 PM

    You need to go into the Trust List and enable that CA so CPPM trusts it. Enable it and allow for EAP and Others. Also, if your intermediate isn't in there, upload that and also enable and allow.

    That's your issue.



  • 5.  RE: The ClearPass HTTPS server root certificate is not trusted by Apple.

    Posted Oct 02, 2019 10:37 PM

    Without sending you screenshots (I'm offsite), the Root CA for the EAP cert is definitely in the cert store and enabled. The selected RADIUS/EAP cert uses that very same Root CA. There is no intermediate.

    My real question is though... Do I have a problem with the HTTPS cert given my error above? Or is the wording of this error incorrect? If the error is actually referring to EAP - then I don't care right now. A new

    If it is an HTTPS error as it says, I want to fix it (despite no current issues with HTTPS from my clients - the captive portal doesn't display any cert errors).

    -Brett



  • 6.  RE: The ClearPass HTTPS server root certificate is not trusted by Apple.

    Posted Oct 03, 2019 09:35 AM

    Is your intermediate cert in the trust list as well?