Sign-in Troubleshooting

Certificate Troubleshooting

CORE UI is accessed via HTTPS. Based on your browser and CORE server/partition settings the access may require one of the following:

  • Mutual certificate validation.
  • The browser-side or server-side certificate validation.
  • None of the above.

Based on the type of the enforced validation, your browser requires the following preparations:

  1. Prepare Browser for Server-side Certificate Validation.
  2. Prepare Browser for Client-side Certificate Validation.

Prepare Browser for Server-side Certificate Validation

To prepare your browser for the EP certificate validation, add the CORE Root CA certificate to the browser's trust certificates:

  1. On EP:
    1. Obtain the Unbound Root CA certificate: ucl root_ca -o ./ukc-ca.p7b
    2. Forward the certificate file to the Web Browser appliance's admin.
  2. On Browser appliance: Add the obtained certificate file to the authorities trusted by your web browser. This action is browser-specific:
    • Chrome or Edge on Windows:

      1. Enter "cert" in the Windows Cortana search.
      2. → Results of the search appear:

        Adding CORE CA certificate to Chrome or Edge - 1

      3. Click Manage user certificates.
      4. → The Certmgr application appears.

      5. Click  Trusted Root Certification Authorities ˃ Certificates ˃ All Tasks ˃ Import.
      6. Adding CORE CA certificate to Chrome or Edge - 2

        → The file explorer dialog appears.

      7. Browse to the ukc-ca.p7b file and open it.
      8. Tip
        By default, the Import dialog does not list .p7b files. To find the ukc-ca.p7b file, open the file-extension option and select .p7b:

        Adding CORE CA certificate to Chrome or Edge - 3

        → The Certificate store dialog appears.

      9. Specify the Trusted Root Certification Authorities as the designated certificate store:
      10. Adding CORE CA certificate to Chrome or Edge - 4

      11. Continue the importing by clicking the Next button.
      12. Click Finish.
      13. Click the refresh button in the top bar. Make sure you see the certificate issued to Unbound Root CA G<n>.
      14. Adding CORE CA certificate to Chrome or Edge - 5

Prepare Browser for Client-side Certificate Validation

To prepare your browser to provide its certificate to the EP server (if the targeted partition enforces certificate validation), perform the following:

  1. On EP:
    1. Generate the partition's client certificate with an explicit password. See ucl client create -m FULL for non-CORE Client. For example:
    2. ucl client create -m FULL --name ui --partition test --output ./ui-test.pfx --pfx_password ***********

    3. Forward the certificate file and its password to the Web Browser appliance's admin.
  2. On the browser's workstation: Add the obtained certificate file to the repository used by your web browser. This action is browser-specific:

Partition Roaming Troubleshooting

To switch from managing one partition to another when the No-cert feature is disabled (default) requires the following actions.

  1. You must log out from the current partition session.
  2. The Welcome dialog is presented.

    Note
    Since you are addressing the same URL, the previously chosen certificate is most likely cached by your browser. Instead of providing you with the list of available partitions, it chooses the cached certificate and presents the same partition again and again.

  3. Exit the browser.
  4. Reenter the browser in incognito (private) mode.
  5. Enter the URL of EP sign-in.
  6. The list of available certificates appears:

  7. Select the required certificate
  8. The Welcome dialog appears. The partition name is already set and cannot be changed.