Today I am going to talk about a problem with my company’s wildcard certificate.

Because I wanted to display the Clearpass captive portal without certificate errors. I tried to import our company wildcard certificate. And in doing so, I encountered the following problem:

Here we have the problem that the certificate chain for the Clearpass is in the wrong order. Many systems like the Aruba Mobility Controller or Sophos SG don’t seem to care if the chain goes from root to server certificate or from server certificate to root CA. But not the Clearpass :D

The solution

The only thing that helps here is to rebuild the certificate chain. First, we need the root CA and all sub CAs. The easiest way to get this is from a system where the wildcard certificate is already integrated. For example, the Sophos SG Firewall.

extract the root and sub CAs

To do this, simply go to the Sophos SG webadmin or user portal  with the Google Chrome browser and display the certificate.

Als erstens Exportierst du das Root CA.

Click on the Root CA. Than details and Copy to files

Save the certifiact as base 64

save it under the name CA1.cer

Repeat the steps for the two sub CAs.

build the certificate chain

Now you have to detach the single certificate and the private key from the wildcard package without a certificate chain. The easiest way to do this is with openssl in a Linux machine. I have a Windows subsystem for Linux on my computer. Copy the wildcard certificate and the 3 certificates CA1 to CA3 into the home directory of the Linux machine.

For Ubuntu:
Detach the public and private keys from the certificate.

sudo -s
openssl pkcs12 -in networkguy.pfx -clcerts -nokeys -out networkguyStar.cer
openssl pkcs12 -in networkguy.pfx -nocerts -nodes  -out networkguyStar.key

With ll you can now see that you now have the public key “networkguyStar.cer” and the private key “networkguyStar.key”.

Now we need to build a new wildcard certificate where the certificate chain has the order required by the Clearpass. The Clearpass wants the wildcard certificate first, then the sub CAs and finally the root CA.

The following command is required for this:

cat networkguyStar.cer CA3.cer CA2.cer CA1.cer > networkguyStarfullchain.cer

Now we have created a chain of certificates suitable for the Clearpass. :D

The Clearpass does not trust the Root or Sub CA

If the wildcard certificate contains a root or sub CA that Clearpass does not know, this must be imported. For this we can simply use the CA1.cer to CA3.cer.
To do this, go to Administration / Certificates / Trust List in the Policy Manager and then click on Add. Select Usage under -Select to Add– Other. Do this with CA1.cer, CA2.cer and CA3.cer.

Then have fun with your Clearpass. (A cool product) :D

Have a nice day!

The post Aruba Clearpass problem with certificate chain appeared first on Network Guy.