NAC Guest Server - Adding Digital Certificate

Unanswered Question
Dec 8th, 2009

Hi

I have a NAC Guest Server 2.0.1 and I don't want the clients to get a warning message when they connect to the site, so I obtained a cert file from the customer's internal CA.

The signed cert is in .pem format. The customer's security dudes were expecting me to have to enter a password when I applied the cert, however there is no option to do this when you upload the pem file via the GUI.

I got an error saying something like "the certificate does not match the private key", so I rebooted the server and voilà, the SSL service is broken. I had to restore the original self-signed cert from a backup to get SSL connections to the server working again.

So this is annoying me, how or where do I enter a password to get the CA signed certificate working?

http://www.cisco.com/en/US/products/ps6305/products_configuration_example09186a00809d50f4.shtml

This URL describes a process of combining the signed certificate from the CA with the private key to create the final cert using a password via the CLI.

Is this process applicable to the NAC Guest Server? Seems to me like there is something missing from the doco to get this working...

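An offline check for the "certificate does not match the private key" error quoted in the question, added here as an editorial example (it is not from the thread or from Cisco documentation): it compares the public key inside a PEM certificate with the one derived from a private key, so a mismatch or a pass phrase problem shows up on a workstation before anything is uploaded. The file names, the `demo` pass phrase and the `guest.example.test` name are constructed sample values; where the NAC Guest Server keeps its own key is not stated in the thread.

```shell
#!/bin/sh
# Added example (not Cisco's procedure): check that a PEM certificate belongs
# to a private key by comparing their public keys. All paths are placeholders.

# cert_matches_key CERT KEY [PASSIN]
#   PASSIN is an openssl pass phrase source such as "pass:secret" or
#   "file:/path/to/pw"; it is ignored for an unencrypted key.
# Returns 0 on match, 1 on mismatch, 2 if a file cannot be read or decrypted.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    # An empty "pass:" source keeps openssl from prompting on an encrypted key.
    key_pub=$(openssl pkey -in "$2" -passin "${3:-pass:}" -pubout 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# key_is_encrypted KEY: true when the PEM header marks the key as
# pass phrase protected (PKCS#8 or traditional format).
key_is_encrypted() {
    grep -Eq 'BEGIN ENCRYPTED PRIVATE KEY|Proc-Type: 4,ENCRYPTED' "$1"
}

# Build constructed sample material in DIR: an encrypted key with a matching
# self-signed certificate, plus an unrelated unencrypted key.
make_demo_files() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -aes-256-cbc -pass pass:demo -out "$1/server.key" 2>/dev/null &&
    openssl req -new -x509 -key "$1/server.key" -passin pass:demo \
        -subj "/CN=guest.example.test" -days 1 -out "$1/server.pem" 2>/dev/null &&
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$1/other.key" 2>/dev/null
}

demo_dir=$(mktemp -d)
if make_demo_files "$demo_dir"; then
    cert_matches_key "$demo_dir/server.pem" "$demo_dir/server.key" pass:demo \
        && echo "server.pem matches server.key"
    cert_matches_key "$demo_dir/server.pem" "$demo_dir/other.key" \
        || echo "server.pem does NOT match other.key"
fi
rm -rf "$demo_dir"
```

A CA-signed certificate only matches the private key that generated its signing request, so a return value of 1 means the certificate was issued for a different key pair, while 2 points at an unreadable file or a wrong pass phrase.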
j-mccarthy Wed, 07/21/2010 - 06:24

No sorry, never got it to work and gave up on it.

When I rebooted the NGS that time and broke SSL, I had the box set to accept SSL connections only, so I couldn't even browse back into it.

However, there is a backup of the self-signed cert on the box itself in a different directory; you can get at it via ssh. I logged in via ssh, found the backup cert, copied it over the cert I uploaded and rebooted. Then I could browse into it again.

Lesson learnt - make sure you have HTTP enabled before you reboot the box with a new SSL cert. Save you a bit of grief.

MikeFulstow Wed, 05/04/2011 - 17:43

I have the same issue. Can you please tell me where on the NAC Guest Server appliance the current imported and original self-signed certificates are stored? Save me lots of time with find and grep :-)
