Controllerless Networks

I'm having troubles getting the full cert chain into my instant cluster. The chain works perfectly well for the clearpass part of the captive portal, but when uploading the same chain to the VC, only the server cert is added. Without the CA, this casues cert errors to be thrown by my clients.

I've tried PFX and pem formats, and fully verified the certs.

When I upload via airwave on pfx format, I only get the server cert.

When I remove airwave management and upload on the controller directly, I get the following error on any of the supported formats (pem, cer, crt): "cert_upload_convert_cert_error_txt "

It's only the captiveportal-login.mycompany.com part that throws the cert error after attempting login to the portal, where I only see the captive portal cert in the hierarchy. accessing the portal itself (clearpass.mycompany.com) works fine, no error, full chain shows. I can see the root and intermediates.

Does anyone have insight as to why the IAP is stripping the chain and only accepting the server cert? We use godaddy for our certs. my cert shows the godaddy g2 intermediate as the issuer, but most computers dont have t he godaddy intermediate cert in their trusted root CA's, and only instead of the godaddy Roots. This is why I need the full chain.

Hi Dave.

.PEM file need to contain the whole trust root (root CA, intermediate CA) and your cert + privete key in a specific order to be accepted.

From Aruba Instant User Guide:

Yup that is the proper order, however it is still not being accepted. The Intermediate and root are stripped, and the IAP only presents the captive portal cert without the chain, causing error.

We just had a power surge that forced a reboot of the switch the VC was connected to. the Cert is working now. Guess I just needed to reboot the cluster.