Just bought a cert from Thawte and am trying to make use of it for captive portal redirects. I've run into an issue in that, while the unit can import the host certificate fine, none of the captive portal clients recognize it, as it's been signed by one of Thawte's new Intermediate CAs.
I read a technote in the discussion area that someone was able to bundle their Intermediate CA cert(s) into their original host cert just by copying/pasting the PEM text for the CA certs to the bottom of their host cert PEM file. I've tried this, and while the cert with the CA data appended imports fine, the clients still don't recognize/see the Intermediate CAs when presented with the host certificate.
Anyone else run into this? If so, any suggestions? I've also opened a ticket with support at the same time.
I don't want to tread on support toes here but...
Let's do some checking.
So you copied the intermediate certificate to the bottom of the client cert (wild card)?
And when you did that cut and paste, you now have two sets of "begin certificate" and "end certificate" in the new cert?
And that client cert is assigned to the same IP of (what is typically) the internal IP address of the firewall?
And the Captive Portal redirect is back on itself? (not to another IP?)
And the Thawte Root Cert is already supported/trusted by whatever browser you are using?
What does the browser say? In the certificate path, does it all seem to be okay?
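As an added, stand-alone illustration (not from this thread or from Palo Alto Networks) of why the intermediate has to travel with the host certificate, the following sh script builds a throwaway root, intermediate and host certificate with openssl, appends the intermediate below the host cert as described in the first post, and checks the certificate path with only the root trusted. All names, subjects and paths are constructed for the demo; it assumes openssl is on the PATH.

```shell
#!/bin/sh
# Added demo, not from the thread: build a throwaway root -> intermediate -> host
# chain, then show that a verifier that trusts only the root rejects the bare
# host cert and accepts it once the intermediate is appended below it.
# Names, subjects and the temp directory are all constructed for this demo.
set -eu
WORK=$(mktemp -d)

make_chain() {
    # Root CA (self-signed; stands in for the root the client already trusts)
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Demo Root CA" \
        -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null
    # Intermediate CA signed by the root; it needs CA:TRUE to be accepted as an issuer
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' >"$WORK/ca.ext"
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate CA" \
        -keyout "$WORK/int.key" -out "$WORK/int.csr" 2>/dev/null
    openssl x509 -req -days 2 -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
        -CAcreateserial -extfile "$WORK/ca.ext" -out "$WORK/int.pem" 2>/dev/null
    # Host (captive portal) cert signed by the intermediate, like an intermediate-issued vendor cert
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=portal.example.test" \
        -keyout "$WORK/host.key" -out "$WORK/host.csr" 2>/dev/null
    openssl x509 -req -days 2 -in "$WORK/host.csr" -CA "$WORK/int.pem" -CAkey "$WORK/int.key" \
        -CAcreateserial -out "$WORK/host.pem" 2>/dev/null
    # The bundle the thread describes: host cert first, intermediate pasted below it
    cat "$WORK/host.pem" "$WORK/int.pem" >"$WORK/host-chain.pem"
}

# Count PEM certificate blocks: the bundle should show two BEGIN/END pairs
cert_count() { grep -c 'BEGIN CERTIFICATE' "$1"; }

# Build the path from a host cert to the root. $2 (optional) supplies untrusted
# intermediates, which is exactly what a client must receive from the server.
verify_host() {
    if [ -n "${2:-}" ]; then
        openssl verify -CAfile "$WORK/root.pem" -untrusted "$2" "$1" >/dev/null 2>&1
    else
        openssl verify -CAfile "$WORK/root.pem" "$1" >/dev/null 2>&1
    fi
}

make_chain
echo "certificates in bundle: $(cert_count "$WORK/host-chain.pem")"
if verify_host "$WORK/host.pem"; then echo "bare host cert: trusted (unexpected)"
else echo "bare host cert: no issuer found (what the portal clients see)"; fi
if verify_host "$WORK/host.pem" "$WORK/host-chain.pem"; then echo "host + intermediate: chain builds to the root"; fi
# Against a live portal, the chain actually served can be read with:
#   openssl s_client -showcerts -connect <portal-ip>:443 </dev/null
```

The bare host cert fails with "unable to get local issuer certificate" while the bundled version verifies; the s_client command at the end shows whether the firewall is really sending the intermediate after the commit.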
Grrrr - it's always the stupid stuff that gets me.
Believe it or not, I think that all that was needed was a forced policy push after the certificate addition to do the trick. I was assuming that since the certificate add didn't trigger a commit, it was accepting it without issue. I deleted the old cert entry, re-added the intermediate CA cert to the client cert and re-added it to the PA unit. This time, I forced a policy push by making and backing out a change so that I could force a commit. That seems to have done the trick.