769 Views · 10 Helpful · 6 Replies

SSL problems with VeriSign certificates

patrickdonlon
Level 1

I'm running a WLAN with a pair of ACS 3.3(2) servers and 1200 series APs. I use AES encryption and PEAP MS-CHAP authentication.

Everything was running fine until I renewed the SSL cert for the two servers. After the new cert was installed a large number of clients could not connect. A workaround was to check the option "Allow intermediate certificates" on the client. Some clients don't even have this option and I didn't want to have to reconfigure all the clients (in the 1000s) unless absolutely necessary as most don't have SMS yet. I ended up installing a certificate without an intermediate CA from RapidSSL and it works as before.

I had a TAC case open but this only came to the conclusion that the new certificate was the problem.

Has anyone else got this working or is this unsupported?

6 Replies

Scott Fella
Hall of Fame

The problem is that Verisign gave you a chained cert. They will stop issuing root unchained certs at the end of September. So your best bet is to go with RapidSSL or, if you really want a Verisign cert, call them and request one. They will tell you that they will no longer support it in the future.

The WLC doesn't support any chained certs, only root CA unchained certs.

Hope this helps.

-Scott
*** Please rate helpful posts ***

I got in touch with Verisign and have now been issued with unchained certs. They also said end of Sept is when they stop doing this.

I wonder if Cisco is working on integrating this into the WLC?

The only thing with this is that the wlc has to be able to look up and verify the chained cert. So far, I haven't heard that they will support this since you can get unchained root certs.

-Scott
*** Please rate helpful posts ***

I have solved one problem and it seems created even more. The XP clients in more than one country can't authenticate unless they uncheck the validate certificate option.

Does this mean the cert is not correctly installed on the ACS server?

I've been sent screen shots of the client config and they would accept a cert when it was configured. Is this normal or is again a server issue?

No... check the client side, they might have to check one of the Trusted Root Certification Authorities.

-Scott
*** Please rate helpful posts ***

Just thought I'd follow up on this one, it turned out the RapidSSL wasn't trusted on the clients, probably as it was a month trial. The Verisign unchained cert fixed the last of the problems.

Thanks

Patrick
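The two failure modes in this thread (a chained cert that clients cannot validate without the intermediate, and a RapidSSL cert whose root was not trusted on the clients) are both ordinary X.509 path-building outcomes. The following Go program is an added illustration, not code from the thread, from Cisco, or from any CA. It builds a throwaway three-tier hierarchy in memory (root, intermediate, server cert; all names such as "acs.example.test" are constructed) and then validates the server cert the way a supplicant does: trusting only the root, with and without the intermediate, and with no trusted root at all. `IsChained` answers the question Scott raised: is this cert issued directly by a root the clients already trust, or does it need an intermediate?

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// TestPKI is a constructed hierarchy used only for demonstration:
// a self-signed root, an intermediate signed by the root, and a
// server (leaf) certificate signed by the intermediate.
type TestPKI struct {
	Root, Intermediate, Leaf *x509.Certificate
}

// makeCert signs tmpl with signer on behalf of parent and parses the result.
func makeCert(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// BuildTestPKI generates fresh keys and certificates; nothing is persisted.
func BuildTestPKI() (*TestPKI, error) {
	keys := make([]*ecdsa.PrivateKey, 3) // root, intermediate, leaf
	for i := range keys {
		k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
		if err != nil {
			return nil, err
		}
		keys[i] = k
	}
	now := time.Now()
	caTemplate := func(serial int64, cn string) *x509.Certificate {
		return &x509.Certificate{
			SerialNumber:          big.NewInt(serial),
			Subject:               pkix.Name{CommonName: cn},
			NotBefore:             now.Add(-time.Hour),
			NotAfter:              now.Add(24 * time.Hour),
			IsCA:                  true,
			BasicConstraintsValid: true,
			KeyUsage:              x509.KeyUsageCertSign,
		}
	}
	rootTmpl := caTemplate(1, "Example Test Root CA") // constructed name
	root, err := makeCert(rootTmpl, rootTmpl, &keys[0].PublicKey, keys[0])
	if err != nil {
		return nil, err
	}
	inter, err := makeCert(caTemplate(2, "Example Test Intermediate CA"), root, &keys[1].PublicKey, keys[0])
	if err != nil {
		return nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(3),
		Subject:      pkix.Name{CommonName: "acs.example.test"}, // constructed name
		DNSNames:     []string{"acs.example.test"},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leaf, err := makeCert(leafTmpl, inter, &keys[2].PublicKey, keys[1])
	if err != nil {
		return nil, err
	}
	return &TestPKI{Root: root, Intermediate: inter, Leaf: leaf}, nil
}

// IsChained reports whether cert was NOT issued directly by one of the
// given trusted roots, i.e. whether an intermediate must be presented by
// the server or pre-installed on the client for validation to succeed.
func IsChained(cert *x509.Certificate, roots []*x509.Certificate) bool {
	for _, r := range roots {
		if cert.CheckSignatureFrom(r) == nil {
			return false
		}
	}
	return true
}

// VerifyLeaf mimics a supplicant's check: it trusts only roots and is handed
// intermediates (possibly none) alongside the server certificate.
// An empty root set models a client that does not trust the issuing CA.
func VerifyLeaf(leaf *x509.Certificate, roots, intermediates []*x509.Certificate) error {
	rootPool := x509.NewCertPool() // non-nil, so system roots are never consulted
	for _, c := range roots {
		rootPool.AddCert(c)
	}
	interPool := x509.NewCertPool()
	for _, c := range intermediates {
		interPool.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:         rootPool,
		Intermediates: interPool,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

func main() {
	pki, err := BuildTestPKI()
	if err != nil {
		panic(err)
	}
	roots := []*x509.Certificate{pki.Root}
	inters := []*x509.Certificate{pki.Intermediate}
	fmt.Println("leaf needs an intermediate:", IsChained(pki.Leaf, roots))
	fmt.Println("trusted root, no intermediate:", VerifyLeaf(pki.Leaf, roots, nil))
	fmt.Println("trusted root + intermediate:  ", VerifyLeaf(pki.Leaf, roots, inters))
	fmt.Println("untrusted root + intermediate:", VerifyLeaf(pki.Leaf, nil, inters))
}
```

The first verification fails exactly like the XP clients did before "Allow intermediate certificates" was enabled; the second succeeds once the intermediate is available; the third fails regardless of intermediates, which is the RapidSSL trial situation where the root itself was missing from the clients' Trusted Root Certification Authorities. Running `IsChained` against the intended root store before installing a renewed cert on the server is a cheap pre-deployment check.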
