Problems loading a Certificate

Willem de Groot
Level 1

Hi all,

My customer has generated a certificate following this document:

http://www.cisco.com/c/en/us/support/docs/wireless/4400-series-wireless-lan-controllers/109597-csr-chained-certificates-wlc-00.html

The key length is 2048 instead of 1024.

The upload of the final file on a 5508 (7.6.110.0) ends with this message: "File transfer failed".

In the log he finds this:

"#UPDATE-3-CERT_INST_FAIL: updcode.c:2140 Failed to install certificate. rc = 2"

Does anybody have an idea what may be wrong here?

Thanks

Willem


George Stefanick
VIP Alumni

What was used to create the CSR? If you used OpenSSL, make sure you use a version less than 1.0. If you did, make sure you order the root, chain and device cert properly.

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin

Hi George

The final-cert.pem looks like this.

Is this the correct order of the chain?

Of course, I deleted the certificates and changed the customer name.

Bag Attributes
    localKeyID: a hex key
subject=/C=CH/ST=a-State/L=a-Place/O=Customer AG/OU=IPM/CN=guest-wlan.Customer.com
issuer=/C=US/O=thawte, Inc./CN=thawte SSL CA - G2
-----BEGIN CERTIFICATE-----
some text
-----END CERTIFICATE-----
Bag Attributes: <Empty Attributes>
subject=/C=US/O=thawte, Inc./CN=thawte SSL CA - G2
issuer=/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
-----BEGIN CERTIFICATE-----
some text
-----END CERTIFICATE-----
Bag Attributes: <Empty Attributes>
subject=/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
issuer=/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Premium Server CA/emailAddress=premium-server@thawte.com
-----BEGIN CERTIFICATE-----
some text
-----END CERTIFICATE-----
Bag Attributes
    localKeyID: a hex key
Key Attributes: <No Attributes>
-----BEGIN ENCRYPTED PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,sometext

some text
-----END ENCRYPTED PRIVATE KEY-----

 

The exact same certificate that was loading fine in 7.4.121.0 does not work any more in 7.6.130.0.

 

I had exactly the same issue. Was advised to downgrade the WLC from 7.6 to 7.4. Install cert and then upgrade back to 7.6. But hardly ideal....

 

The certificate bundle was working in 7.4 but installation of the same cert bundle fails in 7.6.

Enabling the PKI debug shows the following error.

> debug pm pki enable
> transfer download start

TFTP receive complete... Installing Certificate.
*TransferTask: Jun 15 13:12:25.068: sshpmCheckWebauthCert: Verification return code: 0

*TransferTask: Jun 15 13:12:25.068: Verification result text: unable to get issuer certificate

*TransferTask: Jun 15 13:12:25.068: Error at 1 depth: unable to get issuer certificate

*TransferTask: Jun 15 13:12:25.075: sshpmAddWebauthCert: Error decoding certificate, Deleting it.

Error installing certificate.

 

AireOS 7.6 complains that the cert bundle does not contain the cert chain up to the root CA (depth 1 is the intermediate CA).

Until now (7.4), I didn't include the top-level root and it was fine.

So I added the top-level root certificate to the cert bundle and restarted the transfer successfully.

 

TFTP receive complete... Installing Certificate.
*sshpmLscTask: Jun 15 13:13:15.736: sshpmLscTask: LSC Task received a message 4
*TransferTask: Jun 15 13:13:40.245: sshpmCheckWebauthCert: Verification return code: 1
*TransferTask: Jun 15 13:13:40.245: Verification result text: ok
*TransferTask: Jun 15 13:13:40.254: sshpmAddWebauthCert: Extracting private key from webauth cert and using bundled pkcs12 password.
*TransferTask: Jun 15 13:13:42.361: sshpmDecodePrivateKey: calling ssh_skb_decode()...
*TransferTask: Jun 15 13:13:44.461: sshpmDecodePrivateKey: SshPrivateKeyPtr after skb_decode: 0x2c14d454
*TransferTask: Jun 15 13:13:44.461: sshpmAddWebauthCert: got private key; extracting certificate...
*TransferTask: Jun 15 13:13:44.466: sshpmAddWebauthCert: extracted binary cert; doing x509 decode
*TransferTask: Jun 15 13:13:44.466: sshpmAddWebauthCert: doing x509 decode for 1322 byte certificate...
*TransferTask: Jun 15 13:13:44.470: sshpmAddWebauthCert: freeing x509 certificate...
*TransferTask: Jun 15 13:13:44.470: sshpmAddWebauthCert: adding cert/key to id table; current/max: 5/7
*TransferTask: Jun 15 13:13:44.470: sshpmGetIdCertIndex: called to lookup cert >bsnSslWebauthCert<
*TransferTask: Jun 15 13:13:44.470: sshpmGetIdCertIndex: found match in row 4
*TransferTask: Jun 15 13:13:44.470: sshpmAddWebauthCert: deleting bsnSslWebauthCert (row 4)
*TransferTask: Jun 15 13:13:44.471: sshpmAddWebauthCert: freeing cert (fn: 0x10c903c8).
*TransferTask: Jun 15 13:13:44.471: sshpmAddWebauthCert: freeing key (fn: 0x11d54e14).
*TransferTask: Jun 15 13:13:44.471: sshpmAddWebauthCert: adding new cert to row 4 (bsnSslWebauthCert).
*TransferTask: Jun 15 13:13:44.471: sshpmAddWebauthCert: writing cert to /mnt/application/bsnSslWebauthCert.crt
*TransferTask: Jun 15 13:13:44.471: sshpmWriteCredentialFile: called to write </mnt/application/bsnSslWebauthCert.crt>; certptr 0x2cd599c0, length 1322
*TransferTask: Jun 15 13:13:44.471: sshpmAddWebauthCert: exporting private key
*TransferTask: Jun 15 13:13:44.475: sshpmAddWebauthCert: writing key to /mnt/application/bsnSslWebauthCert.prv
*TransferTask: Jun 15 13:13:44.475: sshpmWriteCredentialFile: called to write </mnt/application/bsnSslWebauthCert.prv>; certptr 0x2cd58958, length 1192
*TransferTask: Jun 15 13:13:44.475: sshpmAddWebauthCert: Unlinking the previously created P12-PEM file webauth_p12.pem
*TransferTask: Jun 15 13:13:44.475: sshpmAddWebauthCert: Created File webauth_p12.pem

Certificate installed.
                        Reboot the switch to use new certificate.
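The two debug transcripts above show where the controller's verifier stops: at the first certificate in the bundle whose issuer is not also in the bundle. The following added example (not from the thread or from Cisco) reproduces that walk over the subject=/issuer= header lines that `openssl pkcs12` prints in front of each PEM block, as in the final-cert.pem pasted above. It reports the same "unable to get issuer certificate" at depth 1 (root missing) and at depth 2 (the bundled root is a cross-signed certificate, not self-signed), and flags a bundle whose blocks are out of order. The sample bundles and all names in them are constructed.

```python
# Constructed sample fragments in the layout "openssl pkcs12 -nodes" prints
# (subject=/issuer= header lines before each PEM block), the same shape as
# the final-cert.pem above. Names and PEM bodies are made up.
LEAF = ("subject=/C=CH/O=Customer AG/CN=guest-wlan.customer.example\n"
        "issuer=/C=US/O=Example CA/CN=Example SSL CA - G2\n"
        "-----BEGIN CERTIFICATE-----\nAAAA\n-----END CERTIFICATE-----\n")
INTERMEDIATE = ("subject=/C=US/O=Example CA/CN=Example SSL CA - G2\n"
                "issuer=/C=US/O=Example CA/CN=Example Primary Root CA\n"
                "-----BEGIN CERTIFICATE-----\nBBBB\n-----END CERTIFICATE-----\n")
CROSS_ROOT = ("subject=/C=US/O=Example CA/CN=Example Primary Root CA\n"
              "issuer=/C=ZA/O=Example Consulting/CN=Example Premium Server CA\n"
              "-----BEGIN CERTIFICATE-----\nCCCC\n-----END CERTIFICATE-----\n")
SELF_SIGNED_ROOT = ("subject=/C=US/O=Example CA/CN=Example Primary Root CA\n"
                    "issuer=/C=US/O=Example CA/CN=Example Primary Root CA\n"
                    "-----BEGIN CERTIFICATE-----\nDDDD\n-----END CERTIFICATE-----\n")

def parse_bundle(text):
    """Return [(subject, issuer), ...] in file order, one per CERTIFICATE
    block; the private-key block has no subject/issuer and is skipped."""
    certs, subject, issuer = [], None, None
    for line in text.splitlines():
        if line.startswith("subject="):
            subject = line[len("subject="):].strip()
        elif line.startswith("issuer="):
            issuer = line[len("issuer="):].strip()
        elif line.strip() == "-----BEGIN CERTIFICATE-----":
            certs.append((subject, issuer))
            subject = issuer = None
    return certs

def check_chain(certs):
    """Walk from the first block (device cert) up to a self-signed root.
    Returns (verdict, depth, in_order): verdict is 'ok' or 'unable to get
    issuer certificate', depth is where the walk stopped, and in_order is
    False if an issuer was found but was not the next block in the file."""
    if not certs:
        return ("no certificate found", 0, False)
    by_subject = {s: i for i, (s, _) in enumerate(certs)}
    idx, depth, in_order = 0, 0, True
    while depth < len(certs):          # bounded: a cycle cannot loop forever
        subject, issuer = certs[idx]
        if subject == issuer:          # self-signed root: chain is anchored
            return ("ok", depth, in_order)
        if issuer not in by_subject:   # nothing in the bundle signed this cert
            return ("unable to get issuer certificate", depth, in_order)
        idx = by_subject[issuer]
        in_order = in_order and idx == depth + 1
        depth += 1
    return ("unable to get issuer certificate", depth, in_order)
```

A chain that stops with "ok" at a self-signed root is what the 7.6 verifier accepts; a cross-signed "root" (issuer differs from subject) is walked as one more intermediate, which is why a seemingly complete bundle can still fail at depth 2.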


 

Willem de Groot
Level 1

Hi all,

The problem is solved!

Thawte has changed its root certificate, even though the old one was valid until 2020.

After getting the latest root certificate, the install worked, even on 7.6.110.0.

Before using the new root certificate, using:

(Cisco Controller) >debug pm pki enable

we got the following output:

TFTP receive complete... Installing Certificate.
*TransferTask: Jun 18 09:54:13.276: sshpmCheckWebauthCert: Verification return code: 0

*TransferTask: Jun 18 09:54:13.276: Verification result text: unable to get issuer certificate

*TransferTask: Jun 18 09:54:13.276: Error at 2 depth: unable to get issuer certificate

*TransferTask: Jun 18 09:54:13.288: sshpmAddWebauthCert: Error decoding certificate, Deleting it.

Error installing certificate.

The "at 2 depth" can be due to an intermediate CA in between.

Thanks all

Willem (and Customer)

I ran into the same issue. The chain bundle provided by Thawte seems to be wrong.

https://search.thawte.com/support/ssl-digital-certificates/index?page=content&actp=CROSSLINK&id=AR2051

After changing the root to the first one of this list, it worked for me.

https://www.thawte.com/roots/Q

best regards

Alfred
