Security

  • 1.  Clearpass HTTPS Cert

    Posted Dec 16, 2024 12:56 AM

    Hi Folks,

    I upgraded Clearpass cluster from 6.10.8 to 6.11.10 last week with everything working except public HTTPS cert used for Guest Portal. 

    HTTPS cert was exported from 6.10.8 with .p12 format and imported into 6.11.8 (same physical node) with no error. However, Guest portal shows this cert is not trusted from wifi client end. Not sure if anyone else is experiencing the same issue? Will new GSR and new cert resolve this?

    Regards

    Charles 



  • 2.  RE: Clearpass HTTPS Cert

    Posted Dec 16, 2024 10:36 AM

    Can you share some screenshots of the error and maybe the certificate store?



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------



  • 3.  RE: Clearpass HTTPS Cert

    Posted Dec 19, 2024 05:29 AM

    Do you have an RSA or ECC certificate? If you imported RSA, make sure that the HTTPS(ECC) certificate is disabled. If you imported an ECC certificate, make sure the HTTPS(RSA) is disabled.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 4.  RE: Clearpass HTTPS Cert

    Posted Dec 20, 2024 07:09 AM

    Hi Chulcher & Herman,

    Thanks for the kind reply and sorry for my late response. Below is more information regarding the issue I am experiencing:

    1. This public HTTPS (RSA) certificate is signed by DigiCert. There are no errors in the Certificate Store, and the root CA trust chain is in place without issues.

    2. In this case, I cannot disable the HTTPS (ECC) certificate (self-signed) as it is used by the CPPM Cluster. Interestingly, CPPM (6.11.10) seems to prefer the HTTPS self-signed ECC certificate over the HTTPS RSA certificate (DigiCert-signed) when selecting the HTTPS certificate for the cluster. Both types of certificates were enabled during the clustering setup between the two CPPM nodes, and obviously CPPM chose the HTTPS ECC certificate for some reason. Not sure if this is expected behaviour.

    3. On the client-side PC, I confirmed the HTTPS (RSA) public certificate is being used for the Guest Portal, yet it still appears as untrusted for some reason.

    Thanks 

    Charles 




  • 5.  RE: Clearpass HTTPS Cert

    Posted Dec 20, 2024 08:48 AM

    Most modern clients prefer ECC over RSA if both are offered. Not sure what you refer to for the clustering... the database certificate is used for the database synchronization and needs to have the IP address as DNS-SAN, but is separate from HTTPS.

    Because you can't really control which certificate a client will prefer, you should either have both RSA and ECC certificates, or disable the one not in use.

    I normally check installed certificates and chains with openssl (openssl s_client --showcerts -connect www.arubanetworks.com:443), but DigiCert seems to offer a Windows tool as well (didn't work for me, but maybe because I don't have a DigiCert certificate).



    ------------------------------
    Herman Robers
    ------------------------------
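
Added example (not part of the original thread): a way to see which certificate a server holding both an RSA and an ECC HTTPS certificate presents to each kind of client, building on the openssl s_client check mentioned above. The function names and the guest.example.com target are assumptions; -sigalgs restricts the signature algorithms the client offers, which decides which certificate the server can use.

```bash
#!/usr/bin/env bash
# Added example: which HTTPS certificate does a server with both an RSA and
# an ECC certificate present to each kind of client?

# Read s_client output (or a PEM file) on stdin and print
# "<key type> <self-issued|ca-issued>" for the first certificate found.
describe_leaf() {
    local pem alg keytype shash ihash
    pem=$(cat)
    alg=$(printf '%s\n' "$pem" | openssl x509 -noout -text 2>/dev/null |
          sed -n 's/.*Public Key Algorithm: *//p' | head -n 1)
    [ -n "$alg" ] || { echo "no certificate received"; return 1; }
    case "$alg" in
        id-ecPublicKey) keytype=ECC ;;
        rsaEncryption)  keytype=RSA ;;
        *)              keytype=$alg ;;
    esac
    # Equal name hashes mean subject == issuer, as on a self-signed certificate.
    shash=$(printf '%s\n' "$pem" | openssl x509 -noout -subject_hash)
    ihash=$(printf '%s\n' "$pem" | openssl x509 -noout -issuer_hash)
    if [ "$shash" = "$ihash" ]; then
        echo "$keytype self-issued"
    else
        echo "$keytype ca-issued"
    fi
}

# Connect to host:port offering only the given signature algorithms and
# describe the leaf certificate the server chose for that client.
probe() {
    local target=$1 sigalgs=$2
    openssl s_client -connect "$target" -servername "${target%%:*}" \
        -sigalgs "$sigalgs" </dev/null 2>/dev/null | describe_leaf
}

# Usage: ./which-cert.sh guest.example.com:443   (placeholder host, an assumption)
if [ "$#" -ge 1 ]; then
    echo "RSA-only client sees:   $(probe "$1" 'rsa_pss_rsae_sha256:RSA+SHA256:RSA+SHA384')"
    echo "ECDSA-only client sees: $(probe "$1" 'ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512')"
fi
```

If the two lines differ, the certificate a guest device is shown depends on which signature algorithms that device offers.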



  • 6.  RE: Clearpass HTTPS Cert

    Posted Dec 21, 2024 04:35 AM

    Hi Herman,

    In the process of establishing a cluster between 2 CPPM nodes, HTTPS cert validation is also required. In my case, the CPPM subscriber added the publisher's HTTPS self-signed ECC cert into its trust list.




  • 7.  RE: Clearpass HTTPS Cert

    Posted Dec 23, 2024 02:58 AM

    I've not seen issues after the cluster is formed, but I don't change certificates regularly. Have you tried to disable the ECC certificate, and did that break the cluster? Please work with TAC/Support as it's much easier to find the best solution when you have access to the system.



    ------------------------------
    Herman Robers
    ------------------------------