Security

  • 1.  ClearPass - Radius and HTTPS(RSA) - Can share same Certificate ?

    Posted Mar 17, 2026 12:31 PM

    Hi Everyone,

    Recently I renewed our expired Radius Server Cert in ClearPass to resolve issues of clients not connecting. I forgot to update the HTTPS (RSA) cert as well. Previously, I believed it used
    the same cert as for Radius.  Now, when trying to upload the newest Radius cert for use with HTTPS (RSA), ClearPass says 'Private Key Not Found On This System' - See attached.

    I've compared the serial numbers of the new (installed) Radius cert and the one I'm uploading and they match.  Is it possible ClearPass only lets you match up one instance of a cert with
    its private key? In this case, my upload of the new Radius cert would have 'claimed' the private key stored already from the Certificate Signing Request?

    Appreciate any help you can provide.

    Thanks!



    -------------------------------------------


  • 2.  RE: ClearPass - Radius and HTTPS(RSA) - Can share same Certificate ?

    Posted Mar 17, 2026 01:53 PM

    When you upload the certificate the first time it will match to the stored private key. To use the same certificate as both RADIUS and https certificate, you have to export the RADIUS certificate to a p12 (pfx) file and install it again as https.

    This can also be done from CLI with the command:
    system copy-server-certificate

    Regarding your question whether it has been the same certificate for both RADIUS and https: yes, a long time back it was the same certificate. A few versions also had separate certificates per interface. I guess sometime around 2012-2014 and version 6.0 to 6.3 or something...



    ------------------------------
    Best Regards
    Jonas Hammarbäck
    MVP Guru, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security
    Aranya AB
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------



  • 3.  RE: ClearPass - Radius and HTTPS(RSA) - Can share same Certificate ?

    Posted Mar 18, 2026 02:00 AM

    Hi Cnoga,

    Please try the offline method. Starting from the 6.8 release, this functionality is no longer working through the CPPM GUI.

    Kindly install OpenSSL on your laptop and follow the procedure mentioned below.


    CSR Generation and Certificate Preparation (Offline Method)

    CSR generation and private key creation must be done using OpenSSL on a Windows PC (via CMD).

    Run the following command:

    openssl req -new -newkey rsa:2048 -nodes -keyout clrpass20.key -out clrpass20.csr -subj "/C=IN/ST=Karnataka/L=Bangalore/O=lab.com/OU=IT/CN=clrpass.lab.com" -addext "subjectAltName=DNS:clrpass.lab.com,IP:<CPPM IP>"
    

    After running the command, the files clrpass20.key and clrpass20.csr will be created in the following path:

    C:\Users\<Your Windows User>\
    

    CSR Submission:

    Use the CSR key and open the CA portal:

    http://<CA Server>/certsrv/
    

    Request the certificate and download it in Base64 (.cer) format.
    Rename the certificate to match the private key file name and place it in the same location as the key.


    Certificate Key Verification

    openssl x509 -in clrpass20.cer -noout -text
    

    Convert Certificate to .pfx Format

    openssl pkcs12 -export -out clrpass20.pfx -inkey clrpass20.key -in clrpass20.cer
    

    With CA (PKCS#12) File

    openssl pkcs12 -export -out clrpass20.p12 -inkey clrpass20.key -in clrpass20.cer -certfile lab-LABPDC01-CA.cer
    

    Import into ClearPass (CPPM)

    1. Add CA Root Certificate

    Go to:

    Certificates → Trust List
    

    Paste the AD Root Certificate into the trust list.

    2. Install HTTPS Certificate

    Navigate to:

    Certificates → Certificate Store
    

    Select:

    Certificate: HTTPS (RSA)
    

    Upload the .pfx file along with the key.


    Regards,

    D.Kartheek

    -------------------------------------------
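
The offline procedure above depends on the downloaded certificate belonging to the key that was generated with the CSR. The following added example (not part of the thread and not vendor code) checks that match before building the PKCS#12 file, then confirms the bundle actually contains a private key. The file names and the `P12_PASS` environment variable are assumptions, and the demo key pair is constructed throwaway data.

```shell
#!/bin/sh
# Added example (not from the thread). File names and the P12_PASS variable
# are assumptions; the demo key and certificate are throwaway constructed data.

# Return 0 only when the certificate's public key equals the private key's.
cert_matches_key() {  # $1 = PEM certificate, $2 = PEM private key
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Build the PKCS#12 bundle, refusing to do so for a mismatched pair.
# The export passphrase is read from the environment variable P12_PASS so it
# does not appear on the command line.
build_p12() {  # $1 = certificate, $2 = private key, $3 = output file
    cert_matches_key "$1" "$2" || { echo "cert/key mismatch: $1 $2" >&2; return 1; }
    openssl pkcs12 -export -out "$3" -inkey "$2" -in "$1" -passout env:P12_PASS
}

# Confirm the bundle really carries a private key, which is what the import
# needs when the key is not already stored on the appliance.
p12_has_key() {  # $1 = PKCS#12 file
    openssl pkcs12 -in "$1" -passin env:P12_PASS -nocerts -nodes 2>/dev/null |
        grep -q 'PRIVATE KEY'
}

# Create a throwaway self-signed pair: $1 = directory, $2 = base name
make_pair() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2.example.test" \
        -keyout "$1/$2.key" -out "$1/$2.cer" 2>/dev/null
}

demo() {
    dir=$(mktemp -d) && export P12_PASS='constructed-demo-passphrase'
    make_pair "$dir" good && make_pair "$dir" other
    build_p12 "$dir/good.cer" "$dir/good.key" "$dir/good.p12" &&
        p12_has_key "$dir/good.p12" && echo "good pair: bundle contains the key"
    build_p12 "$dir/good.cer" "$dir/other.key" "$dir/bad.p12" ||
        echo "mismatched pair rejected"
    rm -rf "$dir"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

Run the script with `--demo` to exercise both the matching and the mismatched case; delete the `.key` and `.p12` files from the workstation once the import has succeeded.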



  • 4.  RE: ClearPass - Radius and HTTPS(RSA) - Can share same Certificate ?

    Posted Mar 18, 2026 02:15 AM

    Hi Cnoga,

    Could you please confirm whether you are using a self‑signed certificate or a certificate issued by an external Certificate Authority (CA)?

    Please note that the RADIUS certificate and the HTTPS (GUI) certificate are two different components.

    • The HTTPS certificate is used only for accessing the GUI.
    • The RADIUS certificate is used for client authentication.

    Since they serve different purposes, they should not be compared as the same. If clients are failing to connect after updating the RADIUS certificate, the issue is typically related to the RADIUS configuration and not the HTTPS certificate.

    If you need to update the HTTPS certificate, please follow the procedure mentioned above. Also, please ensure that the HTTPS and RADIUS certificates are handled separately, as they are independent of each other.

    Regards,

    D.Kartheek

    -------------------------------------------