*TransferTask: Feb 12 12:26:05.987: Adding cert (7728 bytes) with certificate key password.
*TransferTask: Feb 12 12:26:06.015: sshpmCheckWebauthCert: Verification return code: 0
*TransferTask: Feb 12 12:26:06.015: Verification result text: unable to get issuer certificate
*TransferTask: Feb 12 12:26:06.015: Error at 2 depth: unable to get issuer certificate
*TransferTask: Feb 12 12:26:06.027: sshpmAddWebauthCert: Error decoding certificate, Deleting it.
*TransferTask: Feb 12 12:26:06.027: RESULT_STRING: Error installing certificate.
*TransferTask: Feb 12 12:26:06.027: RESULT_CODE:12
*TransferTask: Feb 12 12:26:06.027: Memory overcommit policy restored from 1 to 0
*emWeb: Feb 12 12:26:07.041: sshpmGetIdCertIndex: called to lookup cert >bsnSslWebauthCert<
*emWeb: Feb 12 12:26:07.041: sshpmGetIdCertIndex: found match in row 4
*emWeb: Feb 12 12:26:07.041: sshpmGetCID: called to evaluate <bsnSslWebauthCert>
*emWeb: Feb 12 12:26:07.041: sshpmGetCID: comparing to row 0, CA cert >bsnOldDefaultCaCert<
When you open the cert it does not appear to have any problem and the cert looks perfect. Your OS will also not recognize it as invalid, because your laptop already has the Root and the Intermediate certificates installed; even if the cert is not correctly chained in the file, the OS marks it as valid, unlike the WLC.
Once you open the certificate in Notepad you will see the following format:
Server Cert >>> Intermediate Cert >>> Root Cert (Generally the Root Cert should validate itself, i.e. the Root CA issues itself a cert, as below, where the issuer and the subject are the same.)
localKeyID: 3B DB 85 15 63 AF CA B7 57 27 4E A3 E5 0B 84 32 1D AC 06 18
issuer=/C=US/O=thawte, Inc./CN=thawte SSL CA – G2
Bag Attributes: <No Attributes>
subject=/C=US/O=thawte, Inc./CN=thawte SSL CA – G2
issuer=/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. – For authorized use only/CN=thawte Primary Root CA
Bag Attributes: <No Attributes>
subject=/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. – For authorized use only/CN=thawte Primary Root CA
issuer=/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Premium Server CA/emailAddressfirstname.lastname@example.org
So if we go through the certificate we see the certificate being issued to XY.com.au by thawte SSL CA - G2 (the Intermediate CA).
Down the chain we see the Intermediate CA cert, issued to thawte SSL CA - G2 by thawte Primary Root CA (which can be a Root or another Intermediate CA).
Further down the chain we see thawte Primary Root CA being issued a cert by Thawte Premium Server CA, and there is no other cert following this.
So the problem here is that thawte Primary Root CA can be either a Root CA or an Intermediate CA. If it is a Root CA, the last cert in the chain should have been for thawte Primary Root CA issued by thawte Primary Root CA itself.
If it is an Intermediate CA, there should have been another cert down the chain, issued to Thawte Premium Server CA by itself, it being the Root.
In this scenario the WLC is looking for the Root cert, which is not there in the chain, and thus marks the certificate as invalid.
How to fix this:
Thawte does provide the Root CA and Intermediate CA certs on its website, from where you can download the missing cert easily.
So the fix would be either to treat thawte Primary Root CA as the Root CA, download its cert file from the Thawte website and replace the last cert in the chain with it, so that we have the cert for thawte Primary Root CA issued by thawte Primary Root CA.
Or, keep the same chain and download the Root CA cert for Thawte Premium Server CA and add it at the end of the chain, so that the certificate chain is complete.
Once the chain is complete, please follow the Cisco document to combine the cert with the private key and produce the final cert.
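As an added example (not from the original post, and not Cisco's or Thawte's code), the following Python script applies the walk described above to the subject=/issuer= lines of an openssl pkcs12 -info style dump: each cert's issuer must be the subject of the next cert, and the chain must end in a self-signed cert (subject equal to issuer). The sample dump is constructed to mirror the chain in the post, with a placeholder leaf subject (XY.com.au under an invented organisation) since the post's own dump omits the first subject line; the self-signed Thawte Premium Server CA entry appended in FIXED_CHAIN_DUMP is likewise constructed to show the "add the Root at the end" fix. Checking the text dump this way, before uploading to the WLC, reproduces the "Error at 2 depth" condition the controller logged.

```python
"""Chain-completeness check over subject=/issuer= lines of a PKCS#12 text dump.

Constructed example: parses the lines `openssl pkcs12 -info` prints for each
cert in the bundle and walks them the way a strict verifier (like the WLC)
does, stopping only at a self-signed root.
"""
import re

# Constructed dump modelled on the post's chain. The leaf subject is a
# placeholder (the post's dump does not show it); CA names follow the post.
BROKEN_CHAIN_DUMP = """\
Bag Attributes
    localKeyID: 3B DB 85 15 63 AF CA B7 57 27 4E A3 E5 0B 84 32 1D AC 06 18
subject=/C=AU/O=Example Pty Ltd (placeholder)/CN=XY.com.au
issuer=/C=US/O=thawte, Inc./CN=thawte SSL CA - G2
Bag Attributes: <No Attributes>
subject=/C=US/O=thawte, Inc./CN=thawte SSL CA - G2
issuer=/C=US/O=thawte, Inc./OU=Certification Services Division/CN=thawte Primary Root CA
Bag Attributes: <No Attributes>
subject=/C=US/O=thawte, Inc./OU=Certification Services Division/CN=thawte Primary Root CA
issuer=/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/CN=Thawte Premium Server CA
"""

# Constructed self-signed root entry, i.e. the cert the post says to download
# from Thawte and append so the chain terminates properly.
ROOT_ENTRY = """\
Bag Attributes: <No Attributes>
subject=/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/CN=Thawte Premium Server CA
issuer=/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/CN=Thawte Premium Server CA
"""

FIXED_CHAIN_DUMP = BROKEN_CHAIN_DUMP + ROOT_ENTRY


def parse_chain(dump):
    """Return (subject, issuer) pairs in the order the certs appear in the dump.

    Only the subject=/issuer= lines matter here; Bag Attributes, localKeyID and
    the PEM blocks themselves are ignored.
    """
    subjects = re.findall(r"^subject=(.*)$", dump, re.MULTILINE)
    issuers = re.findall(r"^issuer=(.*)$", dump, re.MULTILINE)
    if len(subjects) != len(issuers):
        raise ValueError("dump has unpaired subject=/issuer= lines")
    return list(zip(subjects, issuers))


def check_chain(pairs):
    """Walk the chain leaf-first and report whether it is complete.

    Returns (ok, message). The depth in the failure message counts from the
    leaf at depth 0, matching the "Error at N depth" wording in the WLC log.
    """
    if not pairs:
        return (False, "empty chain")
    for depth, (subject, issuer) in enumerate(pairs):
        if subject == issuer:
            # Self-signed: this is the root, so the chain terminates here.
            return (True, f"chain complete: self-signed root at depth {depth}")
        if depth + 1 >= len(pairs):
            # We need an issuer cert for this one but the bundle has no more.
            return (False,
                    f"Error at {depth} depth: unable to get issuer certificate "
                    f"(no cert with subject {issuer!r} follows)")
        next_subject = pairs[depth + 1][0]
        if next_subject != issuer:
            # Certs are present but out of order or from an unrelated chain.
            return (False,
                    f"Error at {depth} depth: issuer {issuer!r} does not match "
                    f"next subject {next_subject!r}")
    return (False, "unreachable")


def report(dump):
    """Convenience wrapper: parse and check one dump, returning (ok, message)."""
    return check_chain(parse_chain(dump))


if __name__ == "__main__":
    for label, dump in (("broken", BROKEN_CHAIN_DUMP), ("fixed", FIXED_CHAIN_DUMP)):
        ok, msg = report(dump)
        print(f"{label}: {'OK' if ok else 'FAIL'} - {msg}")
```

Run it against the text output of openssl pkcs12 -info -in yourbundle.p12 -nokeys (or the PEM bundle passed through openssl x509 -noout -subject -issuer per cert) and fix the bundle until the check reports a self-signed root at the last depth; the second branch also catches the common case where the intermediate and root are present but pasted in the wrong order.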
Please refer to the previous posts on certs:
Hope this was helpful.