03-05-2012 02:03 PM - edited 07-03-2021 09:43 PM
I've recently installed SSL certificates for our web auth guest interface on our WLCs. I discovered that they required a Level 2 certificate to work properly. We are getting an untrusted certificate on our 802.1x SSIDs that authenticate against a 5500 ASA. A certificate was installed and has an error, showing the certificate as untrusted. My question is, does the 5500 ASA require a level 2 certificate as well?
03-05-2012 06:46 PM
rschwart,
No, it shouldn't. Your SSL session, if you're using webauth on the WLC, is between the client and the controller. If you've installed a cert on the controller, make sure:
Justin
03-06-2012 06:39 AM
The certificate installed on the WLCs works for our guest web authentication through the built-in portal. It's the 802.1x authentication through the ASA that gives the warning about untrusted certificate. The certificate we installed on the WLCs only had the 1 intermediate CA, that is how the level 2 comes. Our certificate vendor initially supplied a level 3 certificate that contained an additional cross_intermediate. There was very specific information from Cisco that the certificate for the WLC had to be a level 2, but I have not been able to find it for the ASA.
03-06-2012 08:33 AM
rschwart,
Sorry, I misread your original post and now I think I understand what you mean.
Certificate trust is based on what CA certs the client has installed in its CTL--there are a lot that are there when the client is installed and periodically they are updated during software updates. The CTL may also contain root CA certs that you install as an administrator.
Who is signing your ASA's cert? Is that authority trusted on the client?
Justin
03-07-2012 06:20 AM
The certificate is from GoDaddy, that is a trusted authority.
03-07-2012 08:29 AM
rschwart,
Have you inspected the certificate to ensure that the signing authority presented on the cert matches a trusted root that is installed on your clients? Does a failing client offer you any details about why it doesn't trust the cert?
You also may want to post this in the security forum as it may be related to the ASA certificate.
Justin
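As an added illustration of the inspection suggested in this thread (not part of the original posts): the script below builds a constructed root, intermediate and server certificate, prints who signed the server certificate, and shows that a client trusting only the root rejects the server certificate unless the intermediate is supplied alongside it. It assumes the `openssl` CLI (1.1.1 or later) is on PATH; all names, keys and file names are made up for the example.

```shell
#!/bin/sh
# Added example. Every name, key and certificate here is constructed.
# Assumes the openssl CLI (1.1.1 or later) is on PATH.

build_chain() {  # $1 = empty working directory
  d=$1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > "$d/ca.ext"
  for n in root int leaf; do
    openssl req -new -newkey rsa:2048 -nodes -keyout "$d/$n.key" \
      -out "$d/$n.csr" -subj "/CN=Constructed $n" 2>/dev/null || return 1
  done
  # Self-signed root: the only certificate in the client's trust store.
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 2 \
    -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null || return 1
  # Intermediate CA, signed by the root.
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -set_serial 2 -days 2 -extfile "$d/ca.ext" -out "$d/int.pem" 2>/dev/null || return 1
  # Server certificate, signed by the intermediate.
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
    -set_serial 3 -days 2 -out "$d/leaf.pem" 2>/dev/null || return 1
}

# Print subject and issuer so the signing authority can be compared
# with the roots installed on the client.
show_issuer() { openssl x509 -in "$1" -noout -subject -issuer; }

# Client holds only the root; server presents only its own certificate.
verify_leaf_only() { openssl verify -CAfile "$1/root.pem" "$1/leaf.pem" 2>&1; }

# Same client; the intermediate is supplied as untrusted chain material.
verify_with_chain() {
  openssl verify -CAfile "$1/root.pem" -untrusted "$1/int.pem" "$1/leaf.pem" 2>&1
}

demo_dir=$(mktemp -d) && build_chain "$demo_dir" && {
  show_issuer "$demo_dir/leaf.pem"
  verify_leaf_only "$demo_dir" || true   # expected to fail: issuer not found
  verify_with_chain "$demo_dir"          # expected to succeed
}
rm -rf "$demo_dir"
```

The same `show_issuer` and `openssl verify` calls can be pointed at an exported copy of a real server certificate and the chain file supplied by the CA.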