Security

Hey everyone,

I've been working on certificates for some time now, and I wanted to ask here about what might be developing with regard to the server certificates. Getting certificates into ClearPass is not difficult, but there are a lot of options and ways that can go wrong. Even for someone familiar with the platform, the yearly cycle of replacing the various certs can be a chore.
Would love to set up a process that can get the radius cert from my PKI automatically, and if the HTTP cert could use the ACME protocol... I know there are lots of moving parts there, but I'd love to see some progress.

The browser certs will be 47 days in a few years (2029) but it'll start with 200 days next year. Is there any plan to implement some automation into the process of getting certs soon?

Hi Man,

Aruba has opened a feature request (SEC-I-726) to provide native PKI enrollment for RADIUS/EAP certs and ACME support for HTTP/TLS certs, though it remains in "future consideration." You can review and up-vote it here:

https://innovationzone.arubanetworks.hpe.com/ideas/SEC-I-726

In the meantime, the recommended approach is to script certificate issuance and renewal via the ClearPass REST API.

Here's the reference to that as well from the developer site:

https://developer.arubanetworks.com/cppm/reference/certificatebycertificate_idget

Best regards,
Vigan

Original Message:
Sent: Jun 18, 2025 11:18 AM
From: hornp
Subject: Server Certificates management in ClearPass

Hey everyone,

I've been working on certificates for some time now, and I wanted to ask here about what might be developing with regard to the server certificates. Getting certificates into ClearPass is not difficult, but there are a lot of options and ways that can go wrong. Even for someone familiar with the platform, the yearly cycle of replacing the various certs can be a chore.
Would love to set up a process that can get the radius cert from my PKI automatically, and if the HTTP cert could use the ACME protocol... I know there are lots of moving parts there, but I'd love to see some progress.

The browser certs will be 47 days in a few years (2029) but it'll start with 200 days next year. Is there any plan to implement some automation into the process of getting certs soon?

Hi Man,

Aruba has opened a feature request (SEC-I-726) to provide native PKI enrollment for RADIUS/EAP certs and ACME support for HTTP/TLS certs, though it remains in "future consideration." You can review and up-vote it here:

https://innovationzone.arubanetworks.hpe.com/ideas/SEC-I-726

In the meantime, the recommended approach is to script certificate issuance and renewal via the ClearPass REST API.

Here's the reference to that as well from the developer site:

https://developer.arubanetworks.com/cppm/reference/certificatebycertificate_idget

Best regards,
Vigan

Original Message:
Sent: Jun 18, 2025 11:18 AM
From: hornp
Subject: Server Certificates management in ClearPass

Hey everyone,

I've been working on certificates for some time now, and I wanted to ask here about what might be developing with regard to the server certificates. Getting certificates into ClearPass is not difficult, but there are a lot of options and ways that can go wrong. Even for someone familiar with the platform, the yearly cycle of replacing the various certs can be a chore.
Would love to set up a process that can get the radius cert from my PKI automatically, and if the HTTP cert could use the ACME protocol... I know there are lots of moving parts there, but I'd love to see some progress.

The browser certs will be 47 days in a few years (2029) but it'll start with 200 days next year. Is there any plan to implement some automation into the process of getting certs soon?

What is the status of SEC-I-726 in light of Moving to 199-day validity for public TLS certificates and the rapid schedule of maximum validity reductions?

Hi Man,

Aruba has opened a feature request (SEC-I-726) to provide native PKI enrollment for RADIUS/EAP certs and ACME support for HTTP/TLS certs, though it remains in "future consideration." You can review and up-vote it here:

https://innovationzone.arubanetworks.hpe.com/ideas/SEC-I-726

In the meantime, the recommended approach is to script certificate issuance and renewal via the ClearPass REST API.

Here's the reference to that as well from the developer site:

https://developer.arubanetworks.com/cppm/reference/certificatebycertificate_idget

Best regards,
Vigan

Original Message:
Sent: Jun 18, 2025 11:18 AM
From: hornp
Subject: Server Certificates management in ClearPass

Hey everyone,

I've been working on certificates for some time now, and I wanted to ask here about what might be developing with regard to the server certificates. Getting certificates into ClearPass is not difficult, but there are a lot of options and ways that can go wrong. Even for someone familiar with the platform, the yearly cycle of replacing the various certs can be a chore.
Would love to set up a process that can get the radius cert from my PKI automatically, and if the HTTP cert could use the ACME protocol... I know there are lots of moving parts there, but I'd love to see some progress.

The browser certs will be 47 days in a few years (2029) but it'll start with 200 days next year. Is there any plan to implement some automation into the process of getting certs soon?

I can see the status is 'Valid and for future consideration'. 

Based on different discussions on this topic, it's not really possible/feasible at this moment to implement automatic certificate renewal for products that are not exposed to the internet (inbound traffic allowed from the internet; or active/real-time control over DNS records). In that other discussion the proposed standard DNS-PERSIST-01 is mentioned, but that is a draft/proposal only, there is no certainty that this will make it to an actual standard, and after that it will take time for CA's to implement/offer this.

I'm using myself the ClearPass APIs to request the certificates on a system that has external DNS control, requests a wildcard via ACME, then pushes that to ClearPass, and renew the certificate every 50 days and do the same again. But that's something custom built around certbot, bind9 and python/ClearPass APIs, running on the authoritative DNS server for my domains, so not really easy to replicate.

I've heard that this topic is 'on the radar' for product management; but as this is future looking, and it's not trivial how to solve the challenge, it's not possible to publicly discuss what's planned. You may contact your local HPE Networking contacts if you need more information.

What is the status of SEC-I-726 in light of Moving to 199-day validity for public TLS certificates and the rapid schedule of maximum validity reductions?

Hi Man,

Aruba has opened a feature request (SEC-I-726) to provide native PKI enrollment for RADIUS/EAP certs and ACME support for HTTP/TLS certs, though it remains in "future consideration." You can review and up-vote it here:

https://innovationzone.arubanetworks.hpe.com/ideas/SEC-I-726

In the meantime, the recommended approach is to script certificate issuance and renewal via the ClearPass REST API.

Here's the reference to that as well from the developer site:

https://developer.arubanetworks.com/cppm/reference/certificatebycertificate_idget

Best regards,
Vigan

Original Message:
Sent: Jun 18, 2025 11:18 AM
From: hornp
Subject: Server Certificates management in ClearPass

Hey everyone,

I've been working on certificates for some time now, and I wanted to ask here about what might be developing with regard to the server certificates. Getting certificates into ClearPass is not difficult, but there are a lot of options and ways that can go wrong. Even for someone familiar with the platform, the yearly cycle of replacing the various certs can be a chore.
Would love to set up a process that can get the radius cert from my PKI automatically, and if the HTTP cert could use the ACME protocol... I know there are lots of moving parts there, but I'd love to see some progress.

The browser certs will be 47 days in a few years (2029) but it'll start with 200 days next year. Is there any plan to implement some automation into the process of getting certs soon?

I can see the status is 'Valid and for future consideration'. 

Based on different discussions on this topic, it's not really possible/feasible at this moment to implement automatic certificate renewal for products that are not exposed to the internet (inbound traffic allowed from the internet; or active/real-time control over DNS records). In that other discussion the proposed standard DNS-PERSIST-01 is mentioned, but that is a draft/proposal only, there is no certainty that this will make it to an actual standard, and after that it will take time for CA's to implement/offer this.

I'm using myself the ClearPass APIs to request the certificates on a system that has external DNS control, requests a wildcard via ACME, then pushes that to ClearPass, and renew the certificate every 50 days and do the same again. But that's something custom built around certbot, bind9 and python/ClearPass APIs, running on the authoritative DNS server for my domains, so not really easy to replicate.

I've heard that this topic is 'on the radar' for product management; but as this is future looking, and it's not trivial how to solve the challenge, it's not possible to publicly discuss what's planned. You may contact your local HPE Networking contacts if you need more information.

What is the status of SEC-I-726 in light of Moving to 199-day validity for public TLS certificates and the rapid schedule of maximum validity reductions?

Hi Man,

Aruba has opened a feature request (SEC-I-726) to provide native PKI enrollment for RADIUS/EAP certs and ACME support for HTTP/TLS certs, though it remains in "future consideration." You can review and up-vote it here:

https://innovationzone.arubanetworks.hpe.com/ideas/SEC-I-726

In the meantime, the recommended approach is to script certificate issuance and renewal via the ClearPass REST API.

Here's the reference to that as well from the developer site:

https://developer.arubanetworks.com/cppm/reference/certificatebycertificate_idget

Best regards,
Vigan

Original Message:
Sent: Jun 18, 2025 11:18 AM
From: hornp
Subject: Server Certificates management in ClearPass

Hey everyone,

I've been working on certificates for some time now, and I wanted to ask here about what might be developing with regard to the server certificates. Getting certificates into ClearPass is not difficult, but there are a lot of options and ways that can go wrong. Even for someone familiar with the platform, the yearly cycle of replacing the various certs can be a chore.
Would love to set up a process that can get the radius cert from my PKI automatically, and if the HTTP cert could use the ACME protocol... I know there are lots of moving parts there, but I'd love to see some progress.

The browser certs will be 47 days in a few years (2029) but it'll start with 200 days next year. Is there any plan to implement some automation into the process of getting certs soon?

For legal reasons, I'm not allowed to share code; but I can explain the strategy.

I have a Linux server, that is internet reachable, and there I created a bash shell script to run certbot to get the certificates from Let's Encrypt. For HTTP validation checking that's:

certbot certonly --key-type ecdsa --cert-name ${FNAME} --webroot --renew-by-default --text --agree-tos --no-eff-email --email ${EMAIL} --webroot -w /var/www/ -d ${DOMAINS}

For the DNS validation (wildcards), it's:

certbot certonly --key-type ecdsa --cert-name ${FNAME} --server https://acme-v02.api.letsencrypt.org/directory --agree-tos --renew-by-default --no-eff-email --manual --preferred-challenges dns --manual-auth-hook "/usr/local/sbin/letsencrypt-dns-add.sh" --manual-cleanup-hook "/usr/local/sbin/letsencrypt-dns-remove.sh" -d "${DOMAINS}"

The /usr/local/sbin/letsencrypt-dns-add.sh script adds a TXT record to the zone with the value of the environment variable CERTBOT_VALIDATION (and the zone is is CERTBOT_DOMAIN. It reloads the zone, so the zone is active. Also, I created a subzone specifically for the _acme-challenge.<domain> which is referred to from the main domain with just a single A record to this specific server; to avoid delays in the domain replication.

The certificate is then stored as a .p12, in my case to a location that is accessible over HTTPS. Then I have an internal Linux system that has access to both ClearPass and that webserver. On there I have a python script, which I think is based on one of the sample scripts on https://github.com/aruba/ but probably pyclearpass would be able to do the same job.

That script first checks/retrieves the certificate from the external webserver (p12 format).

Then it requests an access token to the API; then retrieves the uuid for all servers in the cluster: GET https://{clearpass_fqdn}/api/cluster/server; then it iterates through all the nodes, and requests the current installed server certificate: GET https://{clearpass_fqdn}/api/server-cert/name/{uuid}/HTTPS(ECC) which returns JSON with a field expiry_date.

Compare the expiration dates from the installed one with the downloaded one; if it's different, PUT to https://{clearpass_fqdn}/api/server-cert/name/{uuid}/HTTPS(ECC) with JSON body = {'pkcs12_file_url': cert_url, 'pkcs12_passphrase': cert_password}

ClearPass will then retrieve the certificate directly from my external webserver, and install it as HTTP(ECC) certificate.

Hope this helps, and maybe someone non-HPE or authorized can share working code for it. 

I can see the status is 'Valid and for future consideration'. 

Based on different discussions on this topic, it's not really possible/feasible at this moment to implement automatic certificate renewal for products that are not exposed to the internet (inbound traffic allowed from the internet; or active/real-time control over DNS records). In that other discussion the proposed standard DNS-PERSIST-01 is mentioned, but that is a draft/proposal only, there is no certainty that this will make it to an actual standard, and after that it will take time for CA's to implement/offer this.

I'm using myself the ClearPass APIs to request the certificates on a system that has external DNS control, requests a wildcard via ACME, then pushes that to ClearPass, and renew the certificate every 50 days and do the same again. But that's something custom built around certbot, bind9 and python/ClearPass APIs, running on the authoritative DNS server for my domains, so not really easy to replicate.

I've heard that this topic is 'on the radar' for product management; but as this is future looking, and it's not trivial how to solve the challenge, it's not possible to publicly discuss what's planned. You may contact your local HPE Networking contacts if you need more information.

What is the status of SEC-I-726 in light of Moving to 199-day validity for public TLS certificates and the rapid schedule of maximum validity reductions?

Hi Man,

Aruba has opened a feature request (SEC-I-726) to provide native PKI enrollment for RADIUS/EAP certs and ACME support for HTTP/TLS certs, though it remains in "future consideration." You can review and up-vote it here:

https://innovationzone.arubanetworks.hpe.com/ideas/SEC-I-726

In the meantime, the recommended approach is to script certificate issuance and renewal via the ClearPass REST API.

Here's the reference to that as well from the developer site:

https://developer.arubanetworks.com/cppm/reference/certificatebycertificate_idget

Best regards,
Vigan

Original Message:
Sent: Jun 18, 2025 11:18 AM
From: hornp
Subject: Server Certificates management in ClearPass

Hey everyone,

I've been working on certificates for some time now, and I wanted to ask here about what might be developing with regard to the server certificates. Getting certificates into ClearPass is not difficult, but there are a lot of options and ways that can go wrong. Even for someone familiar with the platform, the yearly cycle of replacing the various certs can be a chore.
Would love to set up a process that can get the radius cert from my PKI automatically, and if the HTTP cert could use the ACME protocol... I know there are lots of moving parts there, but I'd love to see some progress.

The browser certs will be 47 days in a few years (2029) but it'll start with 200 days next year. Is there any plan to implement some automation into the process of getting certs soon?

You can't even get permission to release it as unsupported on something like GitHub?  It would really be helpful!

-Neil

For legal reasons, I'm not allowed to share code; but I can explain the strategy.

I have a Linux server, that is internet reachable, and there I created a bash shell script to run certbot to get the certificates from Let's Encrypt. For HTTP validation checking that's:

certbot certonly --key-type ecdsa --cert-name ${FNAME} --webroot --renew-by-default --text --agree-tos --no-eff-email --email ${EMAIL} --webroot -w /var/www/ -d ${DOMAINS}

For the DNS validation (wildcards), it's:

certbot certonly --key-type ecdsa --cert-name ${FNAME} --server https://acme-v02.api.letsencrypt.org/directory --agree-tos --renew-by-default --no-eff-email --manual --preferred-challenges dns --manual-auth-hook "/usr/local/sbin/letsencrypt-dns-add.sh" --manual-cleanup-hook "/usr/local/sbin/letsencrypt-dns-remove.sh" -d "${DOMAINS}"

The /usr/local/sbin/letsencrypt-dns-add.sh script adds a TXT record to the zone with the value of the environment variable CERTBOT_VALIDATION (and the zone is is CERTBOT_DOMAIN. It reloads the zone, so the zone is active. Also, I created a subzone specifically for the _acme-challenge.<domain> which is referred to from the main domain with just a single A record to this specific server; to avoid delays in the domain replication.

The certificate is then stored as a .p12, in my case to a location that is accessible over HTTPS. Then I have an internal Linux system that has access to both ClearPass and that webserver. On there I have a python script, which I think is based on one of the sample scripts on https://github.com/aruba/ but probably pyclearpass would be able to do the same job.

That script first checks/retrieves the certificate from the external webserver (p12 format).

Then it requests an access token to the API; then retrieves the uuid for all servers in the cluster: GET https://{clearpass_fqdn}/api/cluster/server; then it iterates through all the nodes, and requests the current installed server certificate: GET https://{clearpass_fqdn}/api/server-cert/name/{uuid}/HTTPS(ECC) which returns JSON with a field expiry_date.

Compare the expiration dates from the installed one with the downloaded one; if it's different, PUT to https://{clearpass_fqdn}/api/server-cert/name/{uuid}/HTTPS(ECC) with JSON body = {'pkcs12_file_url': cert_url, 'pkcs12_passphrase': cert_password}

ClearPass will then retrieve the certificate directly from my external webserver, and install it as HTTP(ECC) certificate.

Hope this helps, and maybe someone non-HPE or authorized can share working code for it. 

I can see the status is 'Valid and for future consideration'. 

Based on different discussions on this topic, it's not really possible/feasible at this moment to implement automatic certificate renewal for products that are not exposed to the internet (inbound traffic allowed from the internet; or active/real-time control over DNS records). In that other discussion the proposed standard DNS-PERSIST-01 is mentioned, but that is a draft/proposal only, there is no certainty that this will make it to an actual standard, and after that it will take time for CA's to implement/offer this.

I'm using myself the ClearPass APIs to request the certificates on a system that has external DNS control, requests a wildcard via ACME, then pushes that to ClearPass, and renew the certificate every 50 days and do the same again. But that's something custom built around certbot, bind9 and python/ClearPass APIs, running on the authoritative DNS server for my domains, so not really easy to replicate.

I've heard that this topic is 'on the radar' for product management; but as this is future looking, and it's not trivial how to solve the challenge, it's not possible to publicly discuss what's planned. You may contact your local HPE Networking contacts if you need more information.

What is the status of SEC-I-726 in light of Moving to 199-day validity for public TLS certificates and the rapid schedule of maximum validity reductions?

Hi Man,

Aruba has opened a feature request (SEC-I-726) to provide native PKI enrollment for RADIUS/EAP certs and ACME support for HTTP/TLS certs, though it remains in "future consideration." You can review and up-vote it here:

https://innovationzone.arubanetworks.hpe.com/ideas/SEC-I-726

In the meantime, the recommended approach is to script certificate issuance and renewal via the ClearPass REST API.

Here's the reference to that as well from the developer site:

https://developer.arubanetworks.com/cppm/reference/certificatebycertificate_idget

Best regards,
Vigan

Original Message:
Sent: Jun 18, 2025 11:18 AM
From: hornp
Subject: Server Certificates management in ClearPass

Hey everyone,

I've been working on certificates for some time now, and I wanted to ask here about what might be developing with regard to the server certificates. Getting certificates into ClearPass is not difficult, but there are a lot of options and ways that can go wrong. Even for someone familiar with the platform, the yearly cycle of replacing the various certs can be a chore.
Would love to set up a process that can get the radius cert from my PKI automatically, and if the HTTP cert could use the ACME protocol... I know there are lots of moving parts there, but I'd love to see some progress.

The browser certs will be 47 days in a few years (2029) but it'll start with 200 days next year. Is there any plan to implement some automation into the process of getting certs soon?

Unfortunately no. Otherwise I would have done that without any doubt.

You can't even get permission to release it as unsupported on something like GitHub?  It would really be helpful!

-Neil

For legal reasons, I'm not allowed to share code; but I can explain the strategy.

I have a Linux server, that is internet reachable, and there I created a bash shell script to run certbot to get the certificates from Let's Encrypt. For HTTP validation checking that's:

certbot certonly --key-type ecdsa --cert-name ${FNAME} --webroot --renew-by-default --text --agree-tos --no-eff-email --email ${EMAIL} --webroot -w /var/www/ -d ${DOMAINS}

For the DNS validation (wildcards), it's:

certbot certonly --key-type ecdsa --cert-name ${FNAME} --server https://acme-v02.api.letsencrypt.org/directory --agree-tos --renew-by-default --no-eff-email --manual --preferred-challenges dns --manual-auth-hook "/usr/local/sbin/letsencrypt-dns-add.sh" --manual-cleanup-hook "/usr/local/sbin/letsencrypt-dns-remove.sh" -d "${DOMAINS}"

The /usr/local/sbin/letsencrypt-dns-add.sh script adds a TXT record to the zone with the value of the environment variable CERTBOT_VALIDATION (and the zone is is CERTBOT_DOMAIN. It reloads the zone, so the zone is active. Also, I created a subzone specifically for the _acme-challenge.<domain> which is referred to from the main domain with just a single A record to this specific server; to avoid delays in the domain replication.

The certificate is then stored as a .p12, in my case to a location that is accessible over HTTPS. Then I have an internal Linux system that has access to both ClearPass and that webserver. On there I have a python script, which I think is based on one of the sample scripts on https://github.com/aruba/ but probably pyclearpass would be able to do the same job.

That script first checks/retrieves the certificate from the external webserver (p12 format).

Then it requests an access token to the API; then retrieves the uuid for all servers in the cluster: GET https://{clearpass_fqdn}/api/cluster/server; then it iterates through all the nodes, and requests the current installed server certificate: GET https://{clearpass_fqdn}/api/server-cert/name/{uuid}/HTTPS(ECC) which returns JSON with a field expiry_date.

Compare the expiration dates from the installed one with the downloaded one; if it's different, PUT to https://{clearpass_fqdn}/api/server-cert/name/{uuid}/HTTPS(ECC) with JSON body = {'pkcs12_file_url': cert_url, 'pkcs12_passphrase': cert_password}

ClearPass will then retrieve the certificate directly from my external webserver, and install it as HTTP(ECC) certificate.

Hope this helps, and maybe someone non-HPE or authorized can share working code for it. 

I can see the status is 'Valid and for future consideration'. 

Based on different discussions on this topic, it's not really possible/feasible at this moment to implement automatic certificate renewal for products that are not exposed to the internet (inbound traffic allowed from the internet; or active/real-time control over DNS records). In that other discussion the proposed standard DNS-PERSIST-01 is mentioned, but that is a draft/proposal only, there is no certainty that this will make it to an actual standard, and after that it will take time for CA's to implement/offer this.

I'm using myself the ClearPass APIs to request the certificates on a system that has external DNS control, requests a wildcard via ACME, then pushes that to ClearPass, and renew the certificate every 50 days and do the same again. But that's something custom built around certbot, bind9 and python/ClearPass APIs, running on the authoritative DNS server for my domains, so not really easy to replicate.

I've heard that this topic is 'on the radar' for product management; but as this is future looking, and it's not trivial how to solve the challenge, it's not possible to publicly discuss what's planned. You may contact your local HPE Networking contacts if you need more information.

What is the status of SEC-I-726 in light of Moving to 199-day validity for public TLS certificates and the rapid schedule of maximum validity reductions?

Hi Man,

Aruba has opened a feature request (SEC-I-726) to provide native PKI enrollment for RADIUS/EAP certs and ACME support for HTTP/TLS certs, though it remains in "future consideration." You can review and up-vote it here:

https://innovationzone.arubanetworks.hpe.com/ideas/SEC-I-726

In the meantime, the recommended approach is to script certificate issuance and renewal via the ClearPass REST API.

Here's the reference to that as well from the developer site:

https://developer.arubanetworks.com/cppm/reference/certificatebycertificate_idget

Best regards,
Vigan

Original Message:
Sent: Jun 18, 2025 11:18 AM
From: hornp
Subject: Server Certificates management in ClearPass

Hey everyone,

I've been working on certificates for some time now, and I wanted to ask here about what might be developing with regard to the server certificates. Getting certificates into ClearPass is not difficult, but there are a lot of options and ways that can go wrong. Even for someone familiar with the platform, the yearly cycle of replacing the various certs can be a chore.
Would love to set up a process that can get the radius cert from my PKI automatically, and if the HTTP cert could use the ACME protocol... I know there are lots of moving parts there, but I'd love to see some progress.

The browser certs will be 47 days in a few years (2029) but it'll start with 200 days next year. Is there any plan to implement some automation into the process of getting certs soon?

I "found" the following github repo that everyone here might be interested in: https://github.com/Pack3tL0ss/clearpass-api-scripts

It will take a certificate from a web server and install it on your clearpass server. It assumes you have found a way to get a certificate on to the web server. Which can be done   with an ACME compatible client such as certbot (https://github.com/certbot/certbot).

I haven't tested it yet, but will be soon!

-Neil

Unfortunately no. Otherwise I would have done that without any doubt.

You can't even get permission to release it as unsupported on something like GitHub?  It would really be helpful!

-Neil

For legal reasons, I'm not allowed to share code; but I can explain the strategy.

I have a Linux server, that is internet reachable, and there I created a bash shell script to run certbot to get the certificates from Let's Encrypt. For HTTP validation checking that's:

certbot certonly --key-type ecdsa --cert-name ${FNAME} --webroot --renew-by-default --text --agree-tos --no-eff-email --email ${EMAIL} --webroot -w /var/www/ -d ${DOMAINS}

For the DNS validation (wildcards), it's:

certbot certonly --key-type ecdsa --cert-name ${FNAME} --server https://acme-v02.api.letsencrypt.org/directory --agree-tos --renew-by-default --no-eff-email --manual --preferred-challenges dns --manual-auth-hook "/usr/local/sbin/letsencrypt-dns-add.sh" --manual-cleanup-hook "/usr/local/sbin/letsencrypt-dns-remove.sh" -d "${DOMAINS}"

The /usr/local/sbin/letsencrypt-dns-add.sh script adds a TXT record to the zone with the value of the environment variable CERTBOT_VALIDATION (and the zone is is CERTBOT_DOMAIN. It reloads the zone, so the zone is active. Also, I created a subzone specifically for the _acme-challenge.<domain> which is referred to from the main domain with just a single A record to this specific server; to avoid delays in the domain replication.

The certificate is then stored as a .p12, in my case to a location that is accessible over HTTPS. Then I have an internal Linux system that has access to both ClearPass and that webserver. On there I have a python script, which I think is based on one of the sample scripts on https://github.com/aruba/ but probably pyclearpass would be able to do the same job.

That script first checks/retrieves the certificate from the external webserver (p12 format).

Then it requests an access token to the API; then retrieves the uuid for all servers in the cluster: GET https://{clearpass_fqdn}/api/cluster/server; then it iterates through all the nodes, and requests the current installed server certificate: GET https://{clearpass_fqdn}/api/server-cert/name/{uuid}/HTTPS(ECC) which returns JSON with a field expiry_date.

Compare the expiration dates from the installed one with the downloaded one; if it's different, PUT to https://{clearpass_fqdn}/api/server-cert/name/{uuid}/HTTPS(ECC) with JSON body = {'pkcs12_file_url': cert_url, 'pkcs12_passphrase': cert_password}

ClearPass will then retrieve the certificate directly from my external webserver, and install it as HTTP(ECC) certificate.

Hope this helps, and maybe someone non-HPE or authorized can share working code for it. 

I can see the status is 'Valid and for future consideration'. 

Based on different discussions on this topic, it's not really possible/feasible at this moment to implement automatic certificate renewal for products that are not exposed to the internet (inbound traffic allowed from the internet; or active/real-time control over DNS records). In that other discussion the proposed standard DNS-PERSIST-01 is mentioned, but that is a draft/proposal only, there is no certainty that this will make it to an actual standard, and after that it will take time for CA's to implement/offer this.

I'm using myself the ClearPass APIs to request the certificates on a system that has external DNS control, requests a wildcard via ACME, then pushes that to ClearPass, and renew the certificate every 50 days and do the same again. But that's something custom built around certbot, bind9 and python/ClearPass APIs, running on the authoritative DNS server for my domains, so not really easy to replicate.

I've heard that this topic is 'on the radar' for product management; but as this is future looking, and it's not trivial how to solve the challenge, it's not possible to publicly discuss what's planned. You may contact your local HPE Networking contacts if you need more information.

What is the status of SEC-I-726 in light of Moving to 199-day validity for public TLS certificates and the rapid schedule of maximum validity reductions?

Hi Man,

Aruba has opened a feature request (SEC-I-726) to provide native PKI enrollment for RADIUS/EAP certs and ACME support for HTTP/TLS certs, though it remains in "future consideration." You can review and up-vote it here:

https://innovationzone.arubanetworks.hpe.com/ideas/SEC-I-726

In the meantime, the recommended approach is to script certificate issuance and renewal via the ClearPass REST API.

Here's the reference to that as well from the developer site:

https://developer.arubanetworks.com/cppm/reference/certificatebycertificate_idget

Best regards,
Vigan

Original Message:
Sent: Jun 18, 2025 11:18 AM
From: hornp
Subject: Server Certificates management in ClearPass

Hey everyone,

I've been working on certificates for some time now, and I wanted to ask here about what might be developing with regard to the server certificates. Getting certificates into ClearPass is not difficult, but there are a lot of options and ways that can go wrong. Even for someone familiar with the platform, the yearly cycle of replacing the various certs can be a chore.
Would love to set up a process that can get the radius cert from my PKI automatically, and if the HTTP cert could use the ACME protocol... I know there are lots of moving parts there, but I'd love to see some progress.

The browser certs will be 47 days in a few years (2029) but it'll start with 200 days next year. Is there any plan to implement some automation into the process of getting certs soon?