I've recently installed SSL certificates for our web auth guest interface on our WLCs. I discovered that they required a Level 2 certificate to work properly. We are getting an untrusted certificate on our 802.1x SSIDs that authenticate against a 5500 ASA. A certificate was installed and has an error, showing the certificate as untrusted. My question is, does the 5500 ASA require a level 2 certificate as well?
No, it shouldn't. Your SSL session, if you're using webauth on the WLC, is between the client and the controller. If you've installed a cert on the controller, make sure:
The certificate installed on the WLCs works for our guest web authentication through the built-in portal. It's the 802.1x authentication through the ASA that gives the warning about an untrusted certificate. The certificate we installed on the WLCs only had the 1 intermediate CA; that is how the level 2 comes about. Our certificate vendor initially supplied a level 3 certificate that contained an additional cross-intermediate. There was very specific information from Cisco that the certificate for the WLC had to be a level 2, but I have not been able to find it for the ASA.
Sorry, I misread your original post, and now I think I understand what you mean.
Certificate trust is based on what CA certs the client has installed in its CTL--there are a lot that are there when the client is installed, and periodically they are updated during software updates. The CTL may also contain root CA certs that you install as an administrator.
Who is signing your ASA's cert? Is that authority trusted on the client?
Have you inspected the certificate to ensure that the signing authority presented on the cert matches a trusted root that is installed on your clients? Does a failing client offer you any details about why it doesn't trust the cert?
You also may want to post this in the security forum as it may be related to the ASA certificate.
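The "level 2" question in this thread is really about whether the device presents its intermediate CA alongside the server certificate, because a client that only trusts the root cannot build the chain otherwise. The following script is an added example, not code from this thread or from Cisco: it builds a constructed three-tier chain (root CA, intermediate CA, server cert) with the openssl CLI and shows that the same server cert is rejected by a root-only trust store until the intermediate is supplied. All names (Example Root CA, asa.example.invalid) are constructed, and the `show_presented_chain` helper is just the `openssl s_client -showcerts` check you would run against a real ASA or WLC to see which certificates it actually sends.

```shell
#!/bin/sh
# Added example (not from the thread). Requires the openssl CLI.
# Builds a constructed root -> intermediate -> server chain and checks
# whether the server cert verifies with and without the intermediate.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# 1. Root CA, self-signed. This is the only thing the client trusts,
#    mirroring a root that ships in the client's CTL.
openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/root.key" \
  -out "$WORK/root.crt" -subj "/CN=Example Root CA" -days 3650 -sha256 2>/dev/null

# 2. Intermediate CA, signed by the root (this is the "level 2" link).
openssl req -newkey rsa:2048 -nodes -keyout "$WORK/inter.key" \
  -out "$WORK/inter.csr" -subj "/CN=Example Intermediate CA" 2>/dev/null
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
  > "$WORK/inter.ext"
openssl x509 -req -in "$WORK/inter.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
  -CAcreateserial -out "$WORK/inter.crt" -days 1825 -sha256 \
  -extfile "$WORK/inter.ext" 2>/dev/null

# 3. Server certificate (what the ASA/WLC would present), signed by the intermediate.
openssl req -newkey rsa:2048 -nodes -keyout "$WORK/server.key" \
  -out "$WORK/server.csr" -subj "/CN=asa.example.invalid" 2>/dev/null
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:asa.example.invalid\n' \
  > "$WORK/server.ext"
openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/inter.crt" -CAkey "$WORK/inter.key" \
  -CAcreateserial -out "$WORK/server.crt" -days 365 -sha256 \
  -extfile "$WORK/server.ext" 2>/dev/null

# Returns 0 only if the server cert chains to the trusted root when the
# device sends the leaf alone (the client has no intermediate to bridge the gap).
verify_leaf_only() {
  openssl verify -CAfile "$WORK/root.crt" "$WORK/server.crt" >/dev/null 2>&1
}

# Returns 0 only if the server cert chains to the root when the intermediate
# is supplied as an untrusted (non-anchor) cert, i.e. the device sends it too.
verify_with_intermediate() {
  openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/inter.crt" \
    "$WORK/server.crt" >/dev/null 2>&1
}

# Real-world check against a live device: lists every cert the server
# presents and the issuer/subject of each, so you can see whether the
# intermediate is included. Not run here because it needs network access.
# Usage: show_presented_chain asa.example.invalid 443
show_presented_chain() {
  host=$1; port=${2:-443}
  echo | openssl s_client -connect "$host:$port" -servername "$host" -showcerts 2>/dev/null \
    | openssl crl2pkcs7 -nocrl -certfile /dev/stdin \
    | openssl pkcs7 -print_certs -noout
}

if verify_leaf_only; then
  echo "leaf only: trusted"
else
  echo "leaf only: UNTRUSTED (client cannot reach the root without the intermediate)"
fi
if verify_with_intermediate; then
  echo "leaf + intermediate: trusted"
else
  echo "leaf + intermediate: UNTRUSTED"
fi
```

The second `openssl verify` succeeds and the first fails, which is the same symptom the thread describes: the certificate itself is fine, but a client that only holds the root in its trust store marks it untrusted when the device does not send the intermediate. Running `show_presented_chain` against the device (or the equivalent `openssl s_client -showcerts` by hand) tells you directly which certificates the ASA is sending.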