Security

  • 1.  Cert update

    Posted Dec 04, 2022 07:48 PM
    Hi,

    I have to update the cert on a ClearPass cluster. I currently see three cert expiry notifications: RADIUS Server Cert will expire in x days, Server Cert will expire in x days, 1 Service Cert will expire in x days.

    I currently see only one Service cert on the ClearPass. It has the subject name CPPM.xyz.com. The cert has a SAN which consists of CPPM.xyz.com, CPPM-01.xyz.com, CPPM-02.xyz.com.

    My question is: if I get only one cert with the SAN and apply it as the Service certificate, would that be enough, or do I need to get and apply separate certificates for RADIUS, HTTPS, etc.?


  • 2.  RE: Cert update

    Posted Dec 05, 2022 04:06 AM
    RADIUS certs are completely different from HTTPS server certs, so you need to update your RADIUS and HTTPS server certs with the corresponding updated certs.

    Now for the service cert, what are its usages? (RADIUS, database, RADSEC, HTTPS, etc.)
    What are the subject name and SAN of your current server cert?

    ------------------------------
    If my post was useful accept solution and/or give kudos.
    Any opinions expressed here are solely my own and not necessarily that of HPE or Aruba.
    ------------------------------



  • 3.  RE: Cert update

    Posted Dec 05, 2022 09:53 AM
    If your EAP/RADIUS Server cert expires and you use EAP authentication on clients, make sure that you get a renewal from the exact same certificate authority, or otherwise your clients will probably no longer connect. If the x days is soon, I'd recommend you consult your Aruba partner as soon as possible in order to make the correct decisions and minimize the risk that you lose client connectivity and have a hard time getting everything connected again. If you need to deploy a new trusted root on all of your clients, that may need time/planning/scheduling.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 4.  RE: Cert update
    Best Answer

    Posted Dec 05, 2022 06:01 PM
    Hi faadi,

    Without knowing all the details necessary to be sure, I am making the assumption that the certificate used serves as both your RADIUS/EAP Server Certificate and your HTTPS (either RSA or ECC?) Server Certificate. It sounds like it is also used as a Service Certificate. You can verify this by checking the details of each certificate to see if the serial number is the same on each one.

    If they are different, then to best help we might need more details about the RADIUS/EAP Server Certificate in particular. Depending on your setup (in most cases), this is the one which would cause detrimental impact if you let it expire.

    If they are the same, get yourself a certificate signed in the same way with CPPM, CPPM-01, and CPPM-02, and import it for those three purposes. To replace those three expiring certificates you will need to import the certificate three times.




  • 5.  RE: Cert update

    Posted Dec 13, 2022 07:35 AM
    I created a CSR with the subject name CPPM.xyz.com. The SAN consists of both servers in the cluster as well. So the SAN is CPPM.xyz.com, CPPM-01.xyz.com, CPPM-02.xyz.com.

    Now after receiving the cert I am only able to successfully import it as a Service Certificate. The servers are still showing the cert expired. When I try to update the certificate of a server, say CPPM-01.xyz.com, it asks for the private key, which I don't have.

    When I created the CSR it did not give any option to generate a separate private key. When I select 'Upload certificate and use saved private key', it gives the error "Private Key File is not available in the system". I have to do it for both servers. Now I am not sure:
    - where to get these private keys?
    - which certs to update besides the Service Cert: "Radius Server Cert", "SSL Server Cert"?

    Btw, I have also created a new CSR just to check if there is an option to generate a private key.



  • 6.  RE: Cert update

    Posted Dec 13, 2022 07:53 AM
    Are you trying to import the certificate onto the same ClearPass server from which you generated the CSR? If the CSR is generated from ClearPass it keeps a copy of the private key file which can be used during the import of the certificate. Without this private key you don't have a certificate.

    Can you try importing onto the other server?

    You can generate your CSR from outside of ClearPass using a tool such as openssl.

    I like to keep all my certificates up to date. Where the certificate is not used, such as in my case the RadSec certificate, I will replace it with a self-signed certificate.

    I typically do not utilise the Service Certificate (unless I am testing out different domains) so the certificates I replace frequently are the Radius/EAP Certificate and the HTTPS Certificate.

    It appears that in previous versions you were able to export the private key file alongside the CSR. This is no longer possible in the most recent versions of ClearPass.

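The openssl route mentioned above, as an added example that is not code from the thread or from Aruba: it builds a CSR with the thread's CN and SAN (CPPM.xyz.com, CPPM-01.xyz.com, CPPM-02.xyz.com) outside ClearPass so the private key stays in your hands, then shows the serial-number comparison from post 4 and a key-plus-certificate bundle for an import that asks for the private key. The scratch directory, the self-signed stand-in for the CA-issued cert, the PKCS#12 format and the export password are assumptions; it needs openssl 1.1.1 or newer.

```shell
#!/bin/sh
# Added example (not from the thread or from Aruba). Hostnames are the thread's;
# the scratch directory, self-signed stand-in cert and password are constructed.
set -eu

WORK="${WORK:-$(mktemp -d)}"           # scratch directory (constructed)
CN="CPPM.xyz.com"
SANS="DNS:CPPM.xyz.com,DNS:CPPM-01.xyz.com,DNS:CPPM-02.xyz.com"

# Create a 2048-bit RSA key and a CSR carrying all three names in the SAN.
# The key file never leaves this host; only cppm.csr goes to the CA.
make_csr() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout "$WORK/cppm.key" -out "$WORK/cppm.csr" \
    -subj "/CN=$CN" -addext "subjectAltName=$SANS" 2>/dev/null
}

# List the DNS names in a CSR's SAN, one per line: check this before submitting,
# since a missing node name is what breaks clients later.
csr_sans() {
  openssl req -in "$1" -noout -text | grep -o 'DNS:[^,]*' | sed 's/DNS://'
}

# Stand-in for the CA: self-sign the CSR so the rest of the example has a cert.
# In practice the CA (private for RADIUS/EAP, public for HTTPS) returns this file.
self_sign() {
  openssl x509 -req -in "$WORK/cppm.csr" -signkey "$WORK/cppm.key" \
    -days 365 -out "$WORK/cppm.crt" 2>/dev/null
}

# Serial number of a PEM certificate. Equal serials across the RADIUS, HTTPS
# and Service slots mean one certificate was imported three times.
cert_serial() {
  openssl x509 -in "$1" -noout -serial | sed 's/^serial=//'
}

# Bundle key and certificate as PKCS#12 for an import that needs the private
# key (assumed format; the export password is a constructed placeholder).
bundle_p12() {
  openssl pkcs12 -export -inkey "$WORK/cppm.key" -in "$WORK/cppm.crt" \
    -out "$WORK/cppm.p12" -passout pass:changeit
}

make_csr
csr_sans "$WORK/cppm.csr"
self_sign
cp "$WORK/cppm.crt" "$WORK/cppm-https.crt"   # same cert destined for a second slot
cert_serial "$WORK/cppm.crt"; cert_serial "$WORK/cppm-https.crt"
bundle_p12
```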

  • 7.  RE: Cert update

    Posted Dec 13, 2022 09:21 AM
    If the certificate and key are in the ClearPass Certificate Store, you should be able to export the certificate including private key, then import it again as HTTPS certificate.

    The RADIUS Server Cert normally should be signed by a private CA, the HTTP Server Certificate by a public CA. These have different purposes, and selecting the wrong one can cause service disruptions now or in the long term.

    ------------------------------
    Herman Robers
    ------------------------------