Network Guys

Share your knowledge!

Aruba Clearpass problem with certificate chain

Hello Guys,

Today I am going to talk about a problem with my company’s wildcard certificate.

Because I wanted to display the Clearpass captive portal without certificate errors. I tried to import our company wildcard certificate. And in doing so, I encountered the following problem:

Here we have the problem that the certificate chain for the Clearpass is in the wrong order. Many systems like the Aruba Mobility Controller or Sophos SG don’t seem to care if the chain goes from root to server certificate or from server certificate to root CA. But not the Clearpass :D

The solution

The only thing that helps here is to rebuild the certificate chain. First, we need the root CA and all sub CAs. The easiest way to get this is from a system where the wildcard certificate is already integrated. For example, the Sophos SG Firewall.

extract the root and sub CAs

To do this, simply go to the Sophos SG webadmin or user portal  with the Google Chrome browser and display the certificate.

Als erstens Exportierst du das Root CA.

Click on the Root CA. Than details and Copy to files

Save the certifiact as base 64

save it under the name CA1.cer

Repeat the steps for the two sub CAs.

build the certificate chain

Now you have to detach the single certificate and the private key from the wildcard package without a certificate chain. The easiest way to do this is with openssl in a Linux machine. I have a Windows subsystem for Linux on my computer. Copy the wildcard certificate and the 3 certificates CA1 to CA3 into the home directory of the Linux machine.

For Ubuntu:
Detach the public and private keys from the certificate.

sudo -s
openssl pkcs12 -in networkguy.pfx -clcerts -nokeys -out networkguyStar.cer
openssl pkcs12 -in networkguy.pfx -nocerts -nodes  -out networkguyStar.key

With ll you can now see that you now have the public key “networkguyStar.cer” and the private key “networkguyStar.key”.

Now we need to build a new wildcard certificate where the certificate chain has the order required by the Clearpass. The Clearpass wants the wildcard certificate first, then the sub CAs and finally the root CA.

The following command is required for this:

cat networkguyStar.cer CA3.cer CA2.cer CA1.cer > networkguyStarfullchain.cer

Now we have created a chain of certificates suitable for the Clearpass. :D

The Clearpass does not trust the Root or Sub CA

If the wildcard certificate contains a root or sub CA that Clearpass does not know, this must be imported. For this we can simply use the CA1.cer to CA3.cer.
To do this, go to Administration / Certificates / Trust List in the Policy Manager and then click on Add. Select Usage under -Select to Add– Other. Do this with CA1.cer, CA2.cer and CA3.cer.

Then have fun with your Clearpass. (A cool product) :D

Have a nice day!

6 Responses

  1. Hi Philip, i have a MM/MD topology and i want to use CPPM for guest portla captive. Why should i use a wildcard certificate and i inject it into the controllers and CPPM ? have you onether solution for this ?

    1. Hello Imed, with a wildcard certificate it is simply easiest, because you can use the wildcard certificate for the Clearpass and the MM/MD. You can also use any other trust certificate that contains the DNS name of your clearpass. If necessary, you can also use a self-signed certificate. But then the clients accessing the captive portal will get a certificate error.

Leave a Reply

Click on the button to load the content from

Load content

This site uses Akismet to reduce spam. Learn how your comment data is processed.


ekahau Certified Survey Engineer
Post Categories
Post Archives