Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Captive Portal Intermediate Cert

  • 1.  Captive Portal Intermediate Cert

    Posted Sep 29, 2015 08:25 PM

    I just installed a cert from a trusted CA, but was still getting an untrusted CA warning.  The cert provider instructions included a note saying the intermediate cert should be installed as well.  I looked for how to do that and saw a post that said to just append it to the cert file and upload it to the controller.  The controller took it, but now it's giving "securelogin.arubanetworks.com" for the captive portal - which makes me think I did that wrong.  Doesn't the controller pull the hostname from the cert?

     

    "To correctly install your certificate, it is important to
    configure the server to use the intermediate DigiCertCA.crt
    file in addition to the acme.company.crt"



  • 2.  RE: Captive Portal Intermediate Cert

    EMPLOYEE
    Posted Sep 29, 2015 08:27 PM

    Did you set that certificate as the captive portal cert?



  • 3.  RE: Captive Portal Intermediate Cert

    Posted Sep 29, 2015 08:30 PM

    Yep!  And after I made the change to append the intermediate cert, I went and made sure the new one I uploaded with the intermediate cert was selected.

     

    The file is a .crt file, pem format and it looks like this:

     

    -----BEGIN CERTIFICATE-----
    blahblahblah server cert
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    blahblahblah intermediate cert
    -----END CERTIFICATE-----

     

    When I view the cert in the controller, I see the correct hostname and details of the cert.



  • 4.  RE: Captive Portal Intermediate Cert
    Best Answer

    EMPLOYEE
    Posted Sep 29, 2015 08:33 PM
    Try nesting all 3 certificates into the server cert file (server, int, root). You’ll also want to import the intermediate and root individually to the controller.


  • 5.  RE: Captive Portal Intermediate Cert

    Posted Sep 29, 2015 08:43 PM

    I hadn't done this yet.  When I posted the screen shot, I didn't see this reply.

     

    When you say nest them, you mean all within the same file, correct?  And when you say to import the intermediate and CA, would I import them as trusted CAs?



  • 6.  RE: Captive Portal Intermediate Cert

    EMPLOYEE
    Posted Sep 29, 2015 08:58 PM
    Correct, combine them all into the same file in the order of server cert, int, root and import as the server cert.

    Then import the intermediate as type Intermediate CA and the root as type Trusted CA.


  • 7.  RE: Captive Portal Intermediate Cert

    Posted Sep 29, 2015 09:02 PM

    Done.  I'll have to wait til tomorrow for the user to be on site again to test.

     

    I'll update the thread tomorrow.

     

    Thanks!

     

     



  • 8.  RE: Captive Portal Intermediate Cert

    Posted Sep 30, 2015 01:02 PM

    I just got confirmation from the user that this worked.  No cert warnings, and correct CP URL.

     

    Only thing though - is it officially necessary to have the whole chain in the cert AND upload the intermediate and CA to the controller separately?  Or is that just for good measure?

     

    Thanks!



  • 9.  RE: Captive Portal Intermediate Cert

    EMPLOYEE
    Posted Sep 30, 2015 01:18 PM
    It's best practice these days as some browsers are fine and others bark.


  • 10.  RE: Captive Portal Intermediate Cert

    Posted Sep 30, 2015 01:59 PM

    Okay, that makes sense.  I will put notes in my design log to make sure that's how I configure certs that require reference to intermediate CAs.

     

    Thanks!



  • 11.  RE: Captive Portal Intermediate Cert

    Posted Sep 29, 2015 08:37 PM

    This is the error I'm seeing now.  The white empty space is the hostname of our controller that the cert is for.

     

    screenshot99.png



  • 12.  RE: Captive Portal Intermediate Cert

    EMPLOYEE
    Posted Sep 29, 2015 08:38 PM
    Do you have multiple controllers?


  • 13.  RE: Captive Portal Intermediate Cert

    Posted Sep 29, 2015 08:42 PM

    There is just one physical controller (7005) in this location and it's not tied to our other Aruba controllers in any way (local/master, etc.).