Security

 View Only

  • 1.  ClearPass cluster not using new HTTPS RSA certificate on Subscriber

    Posted Apr 15, 2026 09:44 AM

    Hi everyone,

    I'm currently facing an issue with HTTPS RSA certificates in my ClearPass cluster and would appreciate any ideas.

    Current setup:

    • ClearPass cluster with 1 Publisher and 1 Subscriber running 6.12.5
    • I created CSRs directly on the Publisher and received the signed certificates from our internal CA -> We dont do captive Portal or Onboard
    • The Prior HTTPS RSA Certificates were the default self-signed

    What I did:

    • Imported a new HTTPS RSA certificate via the Publisher
    • The Publisher is using the new certificate without any issues (no browser warning anymore)
    • The certificate is visible in the certificate store on both nodes

    Certificate details:

    • I am now using one single certificate
    • The certificate includes all relevant DNS names and IPs in the SAN field

    Issue:

    • The Subscriber is still presenting the old HTTPS certificate
    • Even after:
      • rebooting the Subscriber
      • Closing Browser Etc.

    Is there a known issue or additional step required for the Subscriber to switch to the new HTTPS certificate?

    Thanks in advance!



    -------------------------------------------


  • 2.  RE: ClearPass cluster not using new HTTPS RSA certificate on Subscriber

    Posted Apr 15, 2026 12:25 PM

    Did you apply to the subscriber too? In the Certificate section, you will need to import the cert and apply it to the subscriber too.

    -------------------------------------------



  • 3.  RE: ClearPass cluster not using new HTTPS RSA certificate on Subscriber

    Posted Apr 16, 2026 03:01 AM

    Yes, i did apply it to the subscriber. Certificate is visible in both Certificate Stores.

    -------------------------------------------

    Original Message


  • 4.  RE: ClearPass cluster not using new HTTPS RSA certificate on Subscriber
    Best Answer

    Posted Apr 16, 2026 04:28 AM

    Please check if the ECC certificate may be enabled? If you have both RSA and ECC certificates enabled, and you update the RSA one, most browsers will prefer the ECC certificate.

    I moved to ECC exclusively for some time as it's more efficient with similar security level, or you can reach higher security with the same resources.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your HPE Aruba Networking partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact HPE Aruba Networking TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or HPE Aruba Networking.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------

    Original Message


Related Content