I was recently contacted by someone to assist with some maintenance on their Aruba ClearPass Policy Manager servers. One of those tasks was replacing their expiring certificate, but every time they went to replace it they got an error along the lines of "Certificate chain is invalid. The expected order is Policy Manager Server, Sub CA and Root CA certificates", even though the certificate files themselves were valid.
I got their PFX file and pulled it apart again with OpenSSL. For those running on Windows you can use the following commands to pull apart a PFX; each time it will ask you for the passphrase, which you can also supply in the command with -passin pass:<passphrase>
openssl pkcs12 -in <yourcertname>.pfx -nocerts -out cert.key -nodes
openssl pkcs12 -in <yourcertname>.pfx -nokeys -out cert.crt
Now the fix for this is in that message: we need to make sure that the certificates are in the right order. In this case the Root was before the Subordinate (Sub) CA certificate. You can open up the .cer file in your favourite text editor and simply move the certificates around, making sure to grab everything including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines, similar to what I have attached here (you don't need the Bag Attributes as this is something Windows adds).

After saving the tweaked certificate file, which now has the correctly ordered Sub and Root certificates, we can perform the import in ClearPass by going to ClearPass Policy Manager > Administration > Certificates > Certificate Store and then Import Certificate. We then select the kind of certificate we are importing/replacing (in this case HTTPS RSA Certificate) and enter the details like below, ensuring that we select the right certificate, private key and password.

Now we did try using the PFX directly, but it looks like it also had the incorrect order, which we can't easily fix with Notepad.
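As an added example (not from the original post), here is a POSIX shell script that does the reordering automatically instead of by hand: it splits a PEM bundle such as the cert.crt produced above, discards the Bag Attributes, finds the server certificate (the one that issued nothing else) and walks issuer to subject up to the self-signed root. It assumes openssl is on the PATH; the function names are my own.

```shell
# Added example: order a PEM bundle as server -> Sub CA -> Root CA, the order
# ClearPass expects. Assumes openssl is on PATH; text outside the PEM markers
# (such as the Windows "Bag Attributes") is dropped.
# Split bundle $1 into $2/1.pem, $2/2.pem, ... in file order.
split_certs() {
    awk -v d="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = d "/" n ".pem" }
        f                             { print > f }
        /-----END CERTIFICATE-----/   { close(f); f = "" }' "$1"
}
# cert_field <file> subject|issuer, in RFC2253 form so the strings compare cleanly.
cert_field() {
    openssl x509 -in "$1" -noout "-$2" -nameopt RFC2253 | sed "s/^$2= *//"
}
order_chain() {
    dir=$(mktemp -d) || return 1
    split_certs "$1" "$dir"
    # Index each certificate as: file <TAB> subject <TAB> issuer
    for c in "$dir"/*.pem; do
        printf '%s\t%s\t%s\n' "$c" "$(cert_field "$c" subject)" "$(cert_field "$c" issuer)"
    done > "$dir/index"
    total=$(wc -l < "$dir/index")
    # The server (leaf) certificate is the one whose subject issued nothing else here.
    current=$(awk -F'\t' 'NR == FNR { iss[$3] = 1; next } !($2 in iss) { print $1; exit }' \
        "$dir/index" "$dir/index")
    n=0
    # Follow issuer -> subject until the self-signed root (or a missing issuer).
    while [ -n "$current" ] && [ "$n" -lt "$total" ]; do
        cat "$current"
        n=$((n + 1))
        subject=$(cert_field "$current" subject)
        issuer=$(cert_field "$current" issuer)
        [ "$subject" = "$issuer" ] && break
        current=$(awk -F'\t' -v s="$issuer" -v f="$current" \
            '$2 == s && $1 != f { print $1; exit }' "$dir/index")
    done
    rm -rf "$dir"
}
# Print the subject of each certificate in bundle $1, in file order, to check the result.
chain_subjects() {
    dir=$(mktemp -d) || return 1
    split_certs "$1" "$dir"
    k=1
    while [ -f "$dir/$k.pem" ]; do
        cert_field "$dir/$k.pem" subject
        k=$((k + 1))
    done
    rm -rf "$dir"
}
```

Run it as order_chain cert.crt > ordered.crt and confirm with chain_subjects ordered.crt that the server certificate is listed first and the Root CA last before importing.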
Hope that helps.