This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Bundle CA cert with Captive Portal cert?

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Bundle CA cert with Captive Portal cert?

rahmant
Not applicable

‎11-12-2010 01:11 PM

Just bought a cert from Thawte and am trying to make use of it for captive portal redirects.  I've run into an issue in that, while the unit can import the host certificate fine, none of the captive portal client's recognize it as it's been signed by one of Thawte's new Intermediate CA's.


I read a technote in the discussion area that someone was able to bundle their Intermediate CA cert(s) into their original host cert just by copying/pasting the PEM text for the CA certs to the bottom of their host cert PEM file.  I've tried this and while the cert with the CA data appended imports fine, the clients still doesn't recognize/see the Intermediate CA's when presented with the host certificate.

Anyone else run into this?  If so, any suggestions?  I've also opened a ticket with support at the same time.

Thanks,

Tariq

0 Likes Likes
2 REPLIES 2

will2097
Not applicable

‎11-15-2010 12:07 AM

Hi,

I don't want to tread on support toes here but...

Let's do something checking Smiley Happy

So you copied the intermediate certificate to the bottom of the client cert (wild card)?

And when you did that cut and paste, you now have two sets of "begin certificate" and "end certificate" in the new cert?

And that client cert is assigned to the same IP of (what is typically) the internal IP address of the firewall?

And the Captive Portal redirect is back on its self? (not to another IP?)

And the Thawte Root Cert is already supported/trusted by whatever browser you are using?

What does the browser say? In the certificate path, does it all seem to be okay?

Will

0 Likes Likes

rahmant
Not applicable
In response to will2097

‎11-15-2010 06:59 AM

Grrrr - it's always the stupid stuff that gets me.

Believe it or not, I think that all that was needed was a forced policy push after the certificate addition to do the trick.  I was assuming that since the certificate add didn't trigger a commit, that it was accepting it without issue.  I deleted the old cert entry, readded the intermediate CA cert to the client cert and readded it to the PA unit.  This time, I forced a policy push by making + backing out a change so that I could force a commit.  That seems to have done the trick.

Tariq

0 Likes Likes
  • 2515 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks