AP does not accept customer's certificate for 802.1x

Symptoms
  • AP does not accept customer's certificate with .pfx suffix
  • EWC Error message is "Credentials change rejected by AP"
  • Dot1x certificate and private key not match, or certificate expired
Environment
  • IdentiFi Wireless
Cause
  • User certificate contains the "Bag Attribute", which the AP doesn't support
  • Bag Attributes
        localKeyID: 01 00 00 00
    subject=/CN=AP-XX-01
    issuer=/DC=de/DC=wala/CN=wala-WHCA-CA
    -----BEGIN CERTIFICATE-----
    MIIFZTCCBE2gAwIBAgIKPlWS0wAAAAAA0jANBgkqhkiG9w0BAQsFADBBMRIwEAYK
    CZImiZPyLGQBGRYCZGUxFDASBgoJkiaJk/IsZAEZFgR3YWxhMRUwEwYDVQQDEwx3....

 
Resolution
  • Generate the certificate without the Bag Attribute
  • Remove the Bag Attribute from the certificate with openssl
    Here are the steps to remove the "Bag Attribute":
        openssl pkcs12 -in ap-xx-01.pfx -clcerts -nokeys -out ap-xx-01.orig.pem
        openssl pkcs12 -in ap-xx-01.pfx -nocerts -nodes -out ap-xx-01.key
        openssl x509 -in ap-xx-01.orig.pem -out ap-xx-01.pem
        openssl pkcs12 -export -in ap-xx-01.pem -inkey ap-xx-01.key -out ap-xx-01.new.pfx

    Now load ap-xx-01.new.pfx onto the AP and it should work.
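
A pre-flight check to run on the cleaned certificate and the key before the final export step, as an added example that is not part of the original article or vendor code. It covers the header removal plus the key-mismatch and expiry conditions listed under Symptoms; the function names preflight and make_sample and the sample files are made up for illustration.

```shell
#!/bin/sh
# Added example, not vendor code. preflight CERT_PEM KEY_FILE [MIN_SECONDS_VALID]
# Exit status: 0 ok, 1 extra text in front of the certificate,
# 2 key mismatch, 3 expired or expiring, 4 unreadable input.
preflight() {
    cert=$1; key=$2; min=${3:-0}
    [ -r "$cert" ] && [ -r "$key" ] || return 4
    # After "openssl x509 -in ... -out ..." the file starts at the PEM header;
    # "Bag Attributes", subject= or issuer= lines in front mean that step
    # was skipped.
    first=$(sed -n '1p' "$cert")
    [ "$first" = "-----BEGIN CERTIFICATE-----" ] ||
        { echo "extra text before certificate"; return 1; }
    # Public key in the certificate vs. the one derived from the private key.
    # openssl pkey ignores any bag header left in the key file.
    cpub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 4
    kpub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 4
    [ "$cpub" = "$kpub" ] || { echo "certificate and key do not match"; return 2; }
    # -checkend fails if the certificate expires within $min seconds.
    openssl x509 -in "$cert" -noout -checkend "$min" >/dev/null 2>&1 ||
        { echo "certificate expired or expiring"; return 3; }
    echo "ok"
}

# Constructed sample for trying the function offline: a throwaway self-signed
# certificate and key in directory $1, an unrelated second key, and a copy of
# the certificate with a made-up bag header in front of it.
make_sample() {
    d=$1
    ( umask 077   # private keys readable by the owner only
      openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=AP-XX-01" -days 2 \
          -keyout "$d/ap.key" -out "$d/ap.pem" 2>/dev/null &&
      openssl genrsa -out "$d/other.key" 2048 2>/dev/null ) || return 1
    { printf 'Bag Attributes\n    localKeyID: 01 00 00 00\nsubject=/CN=AP-XX-01\n'
      cat "$d/ap.pem"; } > "$d/ap.orig.pem"
}

# Usage with the article's files, requiring at least one day of validity:
#   preflight ap-xx-01.pem ap-xx-01.key 86400
```

Because of -nodes, ap-xx-01.key holds the private key unencrypted; delete it and the intermediate .pem files once ap-xx-01.new.pfx has been loaded.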

 