Security

Reply
Highlighted
Occasional Contributor II

Web GUI certificate error - X509 certificate is needed to access this system

Hi!

 

I am trying to setup up certificate based authentication for the Aruba Mobility Controller Web GUI but I am still receiving the error that my client browser doesn't seem to have the X.509 certificate it needs.

 

I have imported the client certificate into the browser successfully  and also installed the client certificate in the controller (as Trusted CA) and set the Web GUI access to be based only on client certificate.

 

I noticed initially in the browser imported certificate that it didn't have "client authentication" box checked, which I have now changed.

 

Any ideas why I am still getting the error?

 

Have I imported the client cert as the wrong type?

 

Last question, isn't it possible to have both cert-based and username/password authentication methods active at the same time? Seems to be one or other.

 

Thanks in advance,

Scott

 


Accepted Solutions
Highlighted
Occasional Contributor II

Re: Web GUI certificate error - X509 certificate is needed to access this system

Hi Marcel,

 

Thanks for replying. The server certifcate is not the problem and was set to the default one.

 

The problem was related to the clients certificate which I imported. Initially I had only imported just the public key signed certificate but not the private key.

 

To solve this I created using openssl a PKCS#12/PFX file which contains both the private key as well as the certificate. Once I did this and reloaded the browser, the SSL handshake including the client certificate authentication worked and I received the login button.

 

Regards,
Scott

View solution in original post


All Replies
Highlighted
Occasional Contributor II

Re: Web GUI certificate error - X509 certificate is needed to access this system

HI Scott,

 

We see this error when there are no Management Users with Certificate Authentication configured.

 

If you are using 8.x controller, you can go to Configuration->System->Admin->Management User->Show users with certificate authentication

 

Here add the username, role, Root CA and serial number of the client certificate(without delimiters or spaces)

 

main.pngsub.png

 

Highlighted
MVP Expert
MVP Expert

Re: Web GUI certificate error - X509 certificate is needed to access this system

Hi Scott,

 

Did you set your certificate in the "WEBUI AUTHENTICATION" part.?

See attachment...

 

Hope this help you!

 

Kind Regards Marcel Koedijk
HPE ASE Flexnetwork | ACMP | ACCP | Ekahau ECSE Design - Was this post usefull, Kudos are welcome.
Highlighted
Occasional Contributor II

Re: Web GUI certificate error - X509 certificate is needed to access this system

Hi Marcel,

 

Thanks for replying. The server certifcate is not the problem and was set to the default one.

 

The problem was related to the clients certificate which I imported. Initially I had only imported just the public key signed certificate but not the private key.

 

To solve this I created using openssl a PKCS#12/PFX file which contains both the private key as well as the certificate. Once I did this and reloaded the browser, the SSL handshake including the client certificate authentication worked and I received the login button.

 

Regards,
Scott

View solution in original post

Highlighted
Occasional Contributor II

Re: Web GUI certificate error - X509 certificate is needed to access this system

Hi!

 

Thanks for your reply. I had already setup a mgmt user with certificate authentication as you described.

 

I managed to fix the problem this morning and it turned out to be a client certificate issue in the browser, I hadn't imported the private key for self-signed certificate. To do this I had to create a PKCS#12 file which contains both the private key and certifcate and imported this.

 

Once done, I reloaded the browser and immediately the login prompt was displayed and I could connect with the setup user account.

 

Thanks for your support,

Scott

Search Airheads
cancel
Showing results for 
Search instead for 
Did you mean: