Security

You may have more success on the Automation forum on this community as it looks like your are trying to use Ansible.

Based on the error message, I think the problem is that ClearPass does not trust the server certificate of the URL where you try to download the certificate from.

The pkcs12_file_url would be the location for the pkcs12 file holding the ClearPass HTTPS(RSA) server certificate; the pkcs12_password would be the password for that file. Assuming the Ansible module sends the correct API call, ClearPass would retrieve the pkcs12_file_url and for that the URL must be trusted, so the HTTPS certificate of the server that you are downloading from must be trusted by ClearPass, meaning the RootCA for that certificate needs in the Trust List enabled and have purpose 'Other'.

You may have more success on the Automation forum on this community as it looks like your are trying to use Ansible.

Based on the error message, I think the problem is that ClearPass does not trust the server certificate of the URL where you try to download the certificate from.

The pkcs12_file_url would be the location for the pkcs12 file holding the ClearPass HTTPS(RSA) server certificate; the pkcs12_password would be the password for that file. Assuming the Ansible module sends the correct API call, ClearPass would retrieve the pkcs12_file_url and for that the URL must be trusted, so the HTTPS certificate of the server that you are downloading from must be trusted by ClearPass, meaning the RootCA for that certificate needs in the Trust List enabled and have purpose 'Other'.

The real question should be why does he need to write an automation script.  This should be an HPE deliverable. 

Certificate automation with the new issuance and expiriy standard needs to be delvivered by the vendors.

You may have more success on the Automation forum on this community as it looks like your are trying to use Ansible.

Based on the error message, I think the problem is that ClearPass does not trust the server certificate of the URL where you try to download the certificate from.

The pkcs12_file_url would be the location for the pkcs12 file holding the ClearPass HTTPS(RSA) server certificate; the pkcs12_password would be the password for that file. Assuming the Ansible module sends the correct API call, ClearPass would retrieve the pkcs12_file_url and for that the URL must be trusted, so the HTTPS certificate of the server that you are downloading from must be trusted by ClearPass, meaning the RootCA for that certificate needs in the Trust List enabled and have purpose 'Other'.

The problem is that there is no single way of requesting/renewing a certificate. There is ACME, but the most obvious method of requesting a certificate requires the system to be reachable over the internet, which normally is not the case for ClearPass and even not recommended to put it out on the internet. Other methods require control over DNS, which is not practical/obvious either. Many certificate requests are still being done manually. For cloud products it's more trivial and also happening. In premises are different.

If you have a good idea on how to implement the certificate renewal, please share the thoughts.

The real question should be why does he need to write an automation script.  This should be an HPE deliverable. 

Certificate automation with the new issuance and expiriy standard needs to be delvivered by the vendors.

You may have more success on the Automation forum on this community as it looks like your are trying to use Ansible.

Based on the error message, I think the problem is that ClearPass does not trust the server certificate of the URL where you try to download the certificate from.

The pkcs12_file_url would be the location for the pkcs12 file holding the ClearPass HTTPS(RSA) server certificate; the pkcs12_password would be the password for that file. Assuming the Ansible module sends the correct API call, ClearPass would retrieve the pkcs12_file_url and for that the URL must be trusted, so the HTTPS certificate of the server that you are downloading from must be trusted by ClearPass, meaning the RootCA for that certificate needs in the Trust List enabled and have purpose 'Other'.

I didn't realize customers were not exposing Clearpass to public networks, we need to for radius, jamf, signature updates and a few other services. 

Honestly, I don't have a solution. ACME2 seems to be the direction we have to use, but our hands have been forced by the PKI Consortium (I think that was deciding body) and manually replacing certificates every 30 days is not a solution.

My hope would be that HPE would develop a solution with the Certificate Providers and make it a product deliverable.

The problem is that there is no single way of requesting/renewing a certificate. There is ACME, but the most obvious method of requesting a certificate requires the system to be reachable over the internet, which normally is not the case for ClearPass and even not recommended to put it out on the internet. Other methods require control over DNS, which is not practical/obvious either. Many certificate requests are still being done manually. For cloud products it's more trivial and also happening. In premises are different.

If you have a good idea on how to implement the certificate renewal, please share the thoughts.

The real question should be why does he need to write an automation script.  This should be an HPE deliverable. 

Certificate automation with the new issuance and expiriy standard needs to be delvivered by the vendors.

You may have more success on the Automation forum on this community as it looks like your are trying to use Ansible.

Based on the error message, I think the problem is that ClearPass does not trust the server certificate of the URL where you try to download the certificate from.

The pkcs12_file_url would be the location for the pkcs12 file holding the ClearPass HTTPS(RSA) server certificate; the pkcs12_password would be the password for that file. Assuming the Ansible module sends the correct API call, ClearPass would retrieve the pkcs12_file_url and for that the URL must be trusted, so the HTTPS certificate of the server that you are downloading from must be trusted by ClearPass, meaning the RootCA for that certificate needs in the Trust List enabled and have purpose 'Other'.

Please file feature request at https://innovationzone.arubanetworking.hpe.com/ and follow up with Aruba SE.

I didn't realize customers were not exposing Clearpass to public networks, we need to for radius, jamf, signature updates and a few other services. 

Honestly, I don't have a solution. ACME2 seems to be the direction we have to use, but our hands have been forced by the PKI Consortium (I think that was deciding body) and manually replacing certificates every 30 days is not a solution.

My hope would be that HPE would develop a solution with the Certificate Providers and make it a product deliverable.

The problem is that there is no single way of requesting/renewing a certificate. There is ACME, but the most obvious method of requesting a certificate requires the system to be reachable over the internet, which normally is not the case for ClearPass and even not recommended to put it out on the internet. Other methods require control over DNS, which is not practical/obvious either. Many certificate requests are still being done manually. For cloud products it's more trivial and also happening. In premises are different.

If you have a good idea on how to implement the certificate renewal, please share the thoughts.

The real question should be why does he need to write an automation script.  This should be an HPE deliverable. 

Certificate automation with the new issuance and expiriy standard needs to be delvivered by the vendors.

You may have more success on the Automation forum on this community as it looks like your are trying to use Ansible.

Based on the error message, I think the problem is that ClearPass does not trust the server certificate of the URL where you try to download the certificate from.

The pkcs12_file_url would be the location for the pkcs12 file holding the ClearPass HTTPS(RSA) server certificate; the pkcs12_password would be the password for that file. Assuming the Ansible module sends the correct API call, ClearPass would retrieve the pkcs12_file_url and for that the URL must be trusted, so the HTTPS certificate of the server that you are downloading from must be trusted by ClearPass, meaning the RootCA for that certificate needs in the Trust List enabled and have purpose 'Other'.

Please file feature request at https://innovationzone.arubanetworking.hpe.com/ and follow up with Aruba SE.

I didn't realize customers were not exposing Clearpass to public networks, we need to for radius, jamf, signature updates and a few other services. 

Honestly, I don't have a solution. ACME2 seems to be the direction we have to use, but our hands have been forced by the PKI Consortium (I think that was deciding body) and manually replacing certificates every 30 days is not a solution.

My hope would be that HPE would develop a solution with the Certificate Providers and make it a product deliverable.

The problem is that there is no single way of requesting/renewing a certificate. There is ACME, but the most obvious method of requesting a certificate requires the system to be reachable over the internet, which normally is not the case for ClearPass and even not recommended to put it out on the internet. Other methods require control over DNS, which is not practical/obvious either. Many certificate requests are still being done manually. For cloud products it's more trivial and also happening. In premises are different.

If you have a good idea on how to implement the certificate renewal, please share the thoughts.

The real question should be why does he need to write an automation script.  This should be an HPE deliverable. 

Certificate automation with the new issuance and expiriy standard needs to be delvivered by the vendors.

You may have more success on the Automation forum on this community as it looks like your are trying to use Ansible.

Based on the error message, I think the problem is that ClearPass does not trust the server certificate of the URL where you try to download the certificate from.

The pkcs12_file_url would be the location for the pkcs12 file holding the ClearPass HTTPS(RSA) server certificate; the pkcs12_password would be the password for that file. Assuming the Ansible module sends the correct API call, ClearPass would retrieve the pkcs12_file_url and for that the URL must be trusted, so the HTTPS certificate of the server that you are downloading from must be trusted by ClearPass, meaning the RootCA for that certificate needs in the Trust List enabled and have purpose 'Other'.

Please file feature request at https://innovationzone.arubanetworking.hpe.com/ and follow up with Aruba SE.

I didn't realize customers were not exposing Clearpass to public networks, we need to for radius, jamf, signature updates and a few other services. 

Honestly, I don't have a solution. ACME2 seems to be the direction we have to use, but our hands have been forced by the PKI Consortium (I think that was deciding body) and manually replacing certificates every 30 days is not a solution.

My hope would be that HPE would develop a solution with the Certificate Providers and make it a product deliverable.

The problem is that there is no single way of requesting/renewing a certificate. There is ACME, but the most obvious method of requesting a certificate requires the system to be reachable over the internet, which normally is not the case for ClearPass and even not recommended to put it out on the internet. Other methods require control over DNS, which is not practical/obvious either. Many certificate requests are still being done manually. For cloud products it's more trivial and also happening. In premises are different.

If you have a good idea on how to implement the certificate renewal, please share the thoughts.

The real question should be why does he need to write an automation script.  This should be an HPE deliverable. 

Certificate automation with the new issuance and expiriy standard needs to be delvivered by the vendors.

You may have more success on the Automation forum on this community as it looks like your are trying to use Ansible.

Based on the error message, I think the problem is that ClearPass does not trust the server certificate of the URL where you try to download the certificate from.

The pkcs12_file_url would be the location for the pkcs12 file holding the ClearPass HTTPS(RSA) server certificate; the pkcs12_password would be the password for that file. Assuming the Ansible module sends the correct API call, ClearPass would retrieve the pkcs12_file_url and for that the URL must be trusted, so the HTTPS certificate of the server that you are downloading from must be trusted by ClearPass, meaning the RootCA for that certificate needs in the Trust List enabled and have purpose 'Other'.

The problem is that there is no single way of requesting/renewing a certificate. There is ACME, but the most obvious method of requesting a certificate requires the system to be reachable over the internet, which normally is not the case for ClearPass and even not recommended to put it out on the internet. Other methods require control over DNS, which is not practical/obvious either. Many certificate requests are still being done manually. For cloud products it's more trivial and also happening. In premises are different.

If you have a good idea on how to implement the certificate renewal, please share the thoughts.

The real question should be why does he need to write an automation script.  This should be an HPE deliverable. 

Certificate automation with the new issuance and expiriy standard needs to be delvivered by the vendors.

You may have more success on the Automation forum on this community as it looks like your are trying to use Ansible.

Based on the error message, I think the problem is that ClearPass does not trust the server certificate of the URL where you try to download the certificate from.

The pkcs12_file_url would be the location for the pkcs12 file holding the ClearPass HTTPS(RSA) server certificate; the pkcs12_password would be the password for that file. Assuming the Ansible module sends the correct API call, ClearPass would retrieve the pkcs12_file_url and for that the URL must be trusted, so the HTTPS certificate of the server that you are downloading from must be trusted by ClearPass, meaning the RootCA for that certificate needs in the Trust List enabled and have purpose 'Other'.

See DNS-PERSIST-01 expected to be available later this year in 2026 for a solution also for ClearPass:
https://letsencrypt.org/2025/12/02/from-90-to-45
https://www.ietf.org/archive/id/draft-ietf-acme-dns-persist-00.html

The problem is that there is no single way of requesting/renewing a certificate. There is ACME, but the most obvious method of requesting a certificate requires the system to be reachable over the internet, which normally is not the case for ClearPass and even not recommended to put it out on the internet. Other methods require control over DNS, which is not practical/obvious either. Many certificate requests are still being done manually. For cloud products it's more trivial and also happening. In premises are different.

If you have a good idea on how to implement the certificate renewal, please share the thoughts.

The real question should be why does he need to write an automation script.  This should be an HPE deliverable. 

Certificate automation with the new issuance and expiriy standard needs to be delvivered by the vendors.

You may have more success on the Automation forum on this community as it looks like your are trying to use Ansible.

Based on the error message, I think the problem is that ClearPass does not trust the server certificate of the URL where you try to download the certificate from.

The pkcs12_file_url would be the location for the pkcs12 file holding the ClearPass HTTPS(RSA) server certificate; the pkcs12_password would be the password for that file. Assuming the Ansible module sends the correct API call, ClearPass would retrieve the pkcs12_file_url and for that the URL must be trusted, so the HTTPS certificate of the server that you are downloading from must be trusted by ClearPass, meaning the RootCA for that certificate needs in the Trust List enabled and have purpose 'Other'.

See DNS-PERSIST-01 expected to be available later this year in 2026 for a solution also for ClearPass:
https://letsencrypt.org/2025/12/02/from-90-to-45
https://www.ietf.org/archive/id/draft-ietf-acme-dns-persist-00.html

The problem is that there is no single way of requesting/renewing a certificate. There is ACME, but the most obvious method of requesting a certificate requires the system to be reachable over the internet, which normally is not the case for ClearPass and even not recommended to put it out on the internet. Other methods require control over DNS, which is not practical/obvious either. Many certificate requests are still being done manually. For cloud products it's more trivial and also happening. In premises are different.

If you have a good idea on how to implement the certificate renewal, please share the thoughts.

The real question should be why does he need to write an automation script.  This should be an HPE deliverable. 

Certificate automation with the new issuance and expiriy standard needs to be delvivered by the vendors.

You may have more success on the Automation forum on this community as it looks like your are trying to use Ansible.

Based on the error message, I think the problem is that ClearPass does not trust the server certificate of the URL where you try to download the certificate from.

The pkcs12_file_url would be the location for the pkcs12 file holding the ClearPass HTTPS(RSA) server certificate; the pkcs12_password would be the password for that file. Assuming the Ansible module sends the correct API call, ClearPass would retrieve the pkcs12_file_url and for that the URL must be trusted, so the HTTPS certificate of the server that you are downloading from must be trusted by ClearPass, meaning the RootCA for that certificate needs in the Trust List enabled and have purpose 'Other'.