ASA SSL Certificate error on wireless

rschwart
Level 1

I've recently installed SSL certificates for our web auth guest interface on our WLCs. I discovered that they required a level 2 certificate to work properly. We are getting an untrusted certificate on our 802.1x SSIDs that authenticate against a 5500 ASA. A certificate was installed and has an error, showing the certificate as untrusted. My question is, does the 5500 ASA require a level 2 certificate as well?

5 Replies

Justin Kurynny
Level 4

rschwart,

No, it shouldn't. Your SSL session, if you're using webauth on the WLC, is between the client and the controller. If you've installed a cert on the controller, make sure:

  • The certificate you installed is chained all the way to the root CA; that is, make sure you've merged the WLC's issued cert, the Root CA's cert and any intermediate certs and combine them into one large cert using OpenSSL. Cisco has stated that you can only have one intermediate CA in the chain, but I've heard reports of it working with two Intermediates--either way, you're best to try it with maximum 1 to avoid issues

  • Make sure that the Root CA that signed your WLC's public cert is trusted on the clients. This means that you have to request a cert from a public authority. I've had the most luck with Digicert, and that's generally who TAC recommends.

Justin

The certificate installed on the WLCs works for our guest web authentication through the built-in portal. It's the 802.1x authentication through the ASA that gives the warning about an untrusted certificate. The certificate we installed on the WLCs only had the one intermediate CA; that is how the level 2 comes. Our certificate vendor initially supplied a level 3 certificate that contained an additional cross-intermediate. There was very specific information from Cisco that the certificate for the WLC had to be a level 2, but I have not been able to find it for the ASA.

rschwart,

Sorry, I misread your original post, and now I think I understand what you mean.

Certificate trust is based on what CA certs the client has installed in its CTL. There are a lot that are there when the client is installed, and periodically they are updated during software updates. The CTL may also contain root CA certs that you install as an administrator.

Who is signing your ASA's cert? Is that authority trusted on the client?

Justin

The certificate is from GoDaddy, that is a trusted authority.

rschwart,

Have you inspected the certificate to ensure that the signing authority presented on the cert matches a trusted root that is installed on your clients? Does a failing client offer you any details about why it doesn't trust the cert?

You also may want to post this in the security forum as it may be related to the ASA certificate.

Justin
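The two checks Justin describes above (assemble the device cert, intermediate and root into one bundle; then confirm the issuer on the cert really chains to a root the client trusts) can be exercised offline. The script below is an added example, not part of this thread or of any Cisco procedure: it builds a throwaway root -> intermediate -> device-cert hierarchy with OpenSSL (all CA names, file names and `guest.example.com` are constructed), writes the bundle in the order the controller expects (device cert first, then intermediates, then root), and then runs `openssl verify` the way a client would in three situations: full bundle installed, device cert installed without its intermediate, and a client whose trust store does not contain the root. The second case reproduces the symptom in the thread: a certificate from a trusted public CA still shows as untrusted if the intermediate is missing from what the device sends.

```shell
#!/bin/sh
# Added example (not from the thread): build a constructed root -> intermediate -> leaf PKI,
# assemble the bundle a WLC/ASA needs (device cert, then intermediates, then root), and
# check it the way a client does. All names, files and the CA hierarchy are made up here.
set -eu

WORK="$(mktemp -d)"
cd "$WORK"

# Minimal OpenSSL config: a CA profile for root/intermediate and a server profile for the leaf.
cat > openssl.cnf <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ leaf_ext ]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:guest.example.com
EOF

# 1. Self-signed root: the only certificate a client has to trust in advance.
openssl req -x509 -new -newkey rsa:2048 -nodes -keyout root.key -out root.crt \
  -subj "/CN=Constructed Root CA" -days 30 -config openssl.cnf -extensions ca_ext 2>/dev/null

# 2. One intermediate signed by the root (a "level 2" chain in the thread's terms).
openssl req -new -newkey rsa:2048 -nodes -keyout inter.key -out inter.csr \
  -subj "/CN=Constructed Intermediate CA" -config openssl.cnf 2>/dev/null
openssl x509 -req -in inter.csr -CA root.crt -CAkey root.key -CAcreateserial -days 30 \
  -out inter.crt -extfile openssl.cnf -extensions ca_ext 2>/dev/null

# 3. The device certificate (what the WLC or ASA presents), signed only by the intermediate.
openssl req -new -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
  -subj "/CN=guest.example.com" -config openssl.cnf 2>/dev/null
openssl x509 -req -in leaf.csr -CA inter.crt -CAkey inter.key -CAcreateserial -days 30 \
  -out leaf.crt -extfile openssl.cnf -extensions leaf_ext 2>/dev/null

# 4. The bundle to install: device cert first, then the intermediate, then the root.
cat leaf.crt inter.crt root.crt > chain.pem

# verify_chain LEAF TRUSTED [UNTRUSTED]: exit 0 when a client that trusts only TRUSTED can
# build a path from LEAF to a trusted root, using UNTRUSTED as the extra certs the server sends.
verify_chain() {
  if [ $# -ge 3 ]; then
    openssl verify -CAfile "$2" -untrusted "$3" "$1" >/dev/null 2>&1
  else
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
  fi
}

# issuer_of CERT: the DN of the signing authority, to compare against subjects in the trust store.
issuer_of() { openssl x509 -in "$1" -noout -issuer; }

# list_chain BUNDLE: subject/issuer of every cert in a PEM bundle, in the order it will be sent.
list_chain() { openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout; }

# Client trusts the root and receives the full bundle: trusted.
if verify_chain leaf.crt root.crt chain.pem; then echo "full chain: trusted"; else echo "full chain: UNTRUSTED"; fi

# Same client, but the device cert was installed without its intermediate: untrusted, even
# though the root is a trusted authority. This is the usual cause of the warning in the thread.
if verify_chain leaf.crt root.crt; then echo "leaf only: trusted"; else echo "leaf only: UNTRUSTED (missing intermediate)"; fi

# Client whose trust store does not contain this root at all: untrusted whatever is sent.
openssl req -x509 -new -newkey rsa:2048 -nodes -keyout other.key -out other.crt \
  -subj "/CN=Unrelated Root CA" -days 30 -config openssl.cnf -extensions ca_ext 2>/dev/null
if verify_chain leaf.crt other.crt chain.pem; then echo "unknown root: trusted"; else echo "unknown root: UNTRUSTED (root not in client store)"; fi

echo "device cert issuer: $(issuer_of leaf.crt)"
list_chain chain.pem
```

Against a live device the same inspection is `openssl s_client -connect <host>:443 -showcerts </dev/null`, which prints every certificate the device actually sends; if the intermediate is absent from that output, the client has to find it on its own, and a client that cannot will report the certificate as untrusted even when the issuing CA is a trusted one. The `list_chain` output is also the quickest way to confirm the bundle is in device-cert, intermediate, root order before installing it.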
