  • 1.  ClearPass 6.12.7 problem with EST roll-out

    Posted May 06, 2026 06:11 AM
    Edited by Greg83 May 07, 2026 03:47 AM

    Hello community,

    I've implemented a ClearPass instance, first preparing it to provide a landing page for guest registration. Following best practices, I've added a public wildcard certificate for RSA HTTPS to all nodes. Doing this, I've also added the certificate provider's cert chain to the CPPM Trust List.

    Now I'm trying to implement EST certificate enrollment for Aruba switches to be able to connect NADs through RadSec without caring about certificate expiration.

    I've added Onboard as a sub-CA signed by our PKI root (a different, private domain, as opposed to the public cert, which contains our public domain).

    Then I've added a TA profile on an AOS-S switch (2930M running WC.16.11.0027), executing the following commands:

    crypto pki ta-profile https-ca-chain
    copy tftp ta-certificate https-ca-chain <TFTP-Server> onboard-chain.pem
    sh crypto pki ta-profile https-ca-chain:
    showing issuing through PKI-Root, Subject: CN=cppm.<internal-domain>, CN=subca-cppm@<mail-domain>
    est-server "est-onboard" "Onboard->Certificate Authorities->Sub-CA cert->Edit->EST URL"  (https://<hostname>/.well-known/est/ca:3 hostname from EST-URL and CN in certificate are different - maybe it's the cause?)
    est-server est-onboard user-name <Onboard-user> secret <Onboard-user password>
    crypto pki enroll-est-certificate "est-onboard" certificate-name "est-cert" ta-profile "https-ca-chain" subject common-name <Switch CN> org <ORG> locality <CITY> state <STATE> country <COUNTRY> usage radsec-client
    crypto pki enroll-est-certificate est-onboard certificate-name est-cert ta-profile est-onboard usage radsec-client
    After that I can see that executing the "sh est est-onboard status" command shows "SSL connect error".
    Digging with "debug security crypto", I was able to see this message:
    CRYP mestClientTask:Unable to find root certificate to validate certificate against.
    Any ideas what could cause this issue? AFAIK the TA profile contains the required root information?
    Here's the output from "sh crypto pki ta-profile https-ca-chain" (obfuscated):


    Best Regards,
    Greg



    -------------------------------------------



  • 2.  RE: ClearPass 6.12.7 problem with EST roll-out

    Posted May 06, 2026 10:12 AM

    Did you add the root cert to the switch in its trust? If not, then try that next. If it's there, then the cert chaining may be off. See attached a guide we wrote up quickly for an EST enrollment via ClearPass for RADSEC.




    ------------------------------
    Dustin Burns

    Lead Mobility Engineer @Worldcom Exchange, Inc.

    ACCX 1271| ACMX 509| ACSP | ACDA | MVP Guru 2022-2023
    If my post was useful accept solution and/or give kudos
    ------------------------------




  • 3.  RE: ClearPass 6.12.7 problem with EST roll-out

    Posted May 06, 2026 10:29 AM
    Edited by Greg83 May 07, 2026 03:46 AM

    Hello Dustin,

    Thank you for the quick reply and the how-to document (the pictures are very low resolution, I can't read it). At first sight I saw that you use HTTPS certificates issued from the Onboard PKI, which is a root. This will work in a lab, but in production, presenting a landing page for self-registration, or registering with an unknown certificate issuer, will pop up warnings on guest devices - that's why I've implemented a public certificate, which is trusted by almost every OS cert store. You can bet the certificate provider won't let me run a sub-CA on behalf of their name ;-)

    So the question is: can I use separate certificates for HTTPS and EST? Maybe with other FQDNs, ports in the EST settings on the switch, whatsoever?

    Best Regards,

    Greg

    -------------------------------------------



  • 4.  RE: ClearPass 6.12.7 problem with EST roll-out

    Posted May 06, 2026 11:07 AM

    Yeah, I get that it's a lab guide, but the issuer of the cert would be your public CA, you're correct.

    Yeah, that shouldn't be a problem. As long as the device you're using with EST trusts the issuer of the certificates, through configuration or out of the box, it should be fine.

    I would also not use wildcard certificates, as they are not secure and are becoming more and more unsupported.



    ------------------------------
    Dustin Burns
    ------------------------------



  • 5.  RE: ClearPass 6.12.7 problem with EST roll-out

    Posted May 07, 2026 03:45 AM

    Hello Dustin,

    Okay, so I'll try to get the cert chain of the public CA onto the switch (EST connection) and after that enroll PKI certificates (RadSec connection). It may take a few days, but I'll surely give feedback.

    Best regards,

    -------------------------------------------



  • 6.  RE: ClearPass 6.12.7 problem with EST roll-out

    Posted May 12, 2026 05:18 AM

    Hello,

    So I've tried some other setups; none of them was successful:

    1. Changed the HTTPS certificate to a PKI certificate, created a new ta-profile with the root cert of our PKI; logging shows "EST profile: est-onboard because of CACERTS curl error"
    2. Changed the HTTPS certificate to a PKI certificate, created a new ta-profile with the root_PKI + intermediate_CPPM bundle from CPPM; logging shows "EST profile: est-onboard because of CACERTS curl error"

    -------------------------------------------



  • 7.  RE: ClearPass 6.12.7 problem with EST roll-out

    Posted May 18, 2026 06:04 AM

    Hi,

    I am a co-worker of Greg's and am working together with him on the project.

    Yes, we have installed the Sectigo Root R46 CA for the HTTPS wildcard cert (installed on the CPPM for the Web GUI and Captive Portal) on the 2930M, which is acting up in different ways (tftp, sftp and the WebGUI).

    I noticed that the 2930M always shows a different modulus for the root than openssl on the tftp/sftp server and the AOS-CX switch, where EST enrollment (and consequently RadSec) works.

    It shows the modulus prefixed and postfixed with some bytes from the ASN.1 structure which don't belong to the modulus. I have tried to import the same cert on my own 2530 at home and see the same wrong modulus in current firmware images, but the correct one in the ancient YA.16.03.0004 from 2017.
    I then tried to install the oldest image for the 2930M I could find (WC.16.04.0018 from 2019), but it showed the same wrong modulus (and had no EST enrollment)...
    I have opened a support case for this and am still in the phase of providing tech logs and whatnot... let's hope we get this to somebody who understands the ASN.1 parsing problem.

    The question is whether the wrong modulus is being used to check signatures on the chain (which would explain our TLS handshake problems) or it is just a display bug and something else is wrong with our CPPM, which the AOS-CX switch doesn't care about.


    So has anybody gotten a 2930M enrolled to an EST-capable CA? And if yes, is the modulus shown for the TA with sh cry pki ta-profile <name> the same as with openssl x509 -text -noout -in <path-to-pem>?

    Regards,

    Joachim

    -------------------------------------------



  • 8.  RE: ClearPass 6.12.7 problem with EST roll-out

    Posted May 13, 2026 07:30 AM

    I've read a little bit (resources for AOS-S switches are hard to find...). If I get it right, I need two TA profiles - one with the root cert for the public certificate (uploaded automatically from ClearPass while the RADIUS host is configured with ClearPass), and a second with the root cert of our PKI - imported with tftp. After that I've used the following commands:
    copy tftp ta-certificate enroll-ta <TFTP-SERVER> <Chain-Bundle PEM, bottom-first cert. erased>
    est-server "est-onboard" https://<FQDN with public cert. domain>/.well-known/est/ca:10 (EST URI from sub-CA)
    est-server est-onboard user-name <guest-username> secret <guest-username-password>
    crypto pki identity-profile <profile-name> subject common-name <CN> org <ORG> locality <LOCATION> state <STATE> country <COUNTRY-CODE>
    crypto pki enroll-est-certificate est-onboard certificate-name est-cert ta-profile "enroll-ta" usage radsec-client

    Sadly, I still get errors:
    Logging:

    Debugs (est, crypto) from buffer -r:

    Findings:
    - The switch is unable to get the right root certificate to validate (was the right cert imported?)
    - The curl URL is functioning in a browser; through the browser I get a p7m cert, but without -----BEGIN PKCS7----- / -----END PKCS7----- envelopes
    - EST enroll is successful on AOS-CX (TA profile only for the HTTPS root cert; the rest is imported automatically)

    Any ideas? Thanks in advance!

    -------------------------------------------