CPPM 6.7 Clusterwide Certificate install

  • 1.  CPPM 6.7 Clusterwide Certificate install

    Posted Aug 01, 2018 04:35 AM

    Hi all,

     

    After reading the ClearPass 6.7 deployment guide and other associated documents, installing a public certificate cluster-wide is as clear as mud.

     

    With previous versions of ClearPass, when creating a CSR you could download both the CSR and the private key; this would then allow the created certificate file to be imported along with the private key to all cluster members.

     

    CPPM 6.7 does not seem to allow the export of the private key. Therefore the question is: if a CSR is created on the cluster master and the subsequent certificate is imported to the cluster master, does this replicate cluster-wide? Or is there an alternate methodology for 6.7?

     

    Many thanks

     

    Dave



  • 2.  RE: CPPM 6.7 Clusterwide Certificate install
    Best Answer

    Posted Aug 01, 2018 05:37 AM
    Create the CSR on another machine. Then you have the CSR and private key.

    E.g. use openssl on your computer to generate the CSR and private key.

    Check here for the commands to use. https://www.sslshopper.com/article-most-common-openssl-commands.html



  • 3.  RE: CPPM 6.7 Clusterwide Certificate install

    Posted Aug 01, 2018 07:20 AM

    Hi James,

     

    Thanks for that swift reply, makes perfect sense! & very helpful

     

    Thanks again

     

    Dave



  • 4.  RE: CPPM 6.7 Clusterwide Certificate install

    Posted Aug 01, 2018 07:22 AM
    Hi,

    No problem. Bookmark that openssl guide! It's a great one.



  • 5.  RE: CPPM 6.7 Clusterwide Certificate install

    EMPLOYEE
    Posted Aug 01, 2018 08:37 AM
    Just to be clear, the private key can be exported after installing the signed certificate. There is no need to have access to the private key before that.


  • 6.  RE: CPPM 6.7 Clusterwide Certificate install

    Posted Aug 02, 2018 07:02 AM

    Hi,

     

    Just to be clear does that mean we can export it as pkcs#12 then directly import to the other cluster members?

     

    thanks

     

    Dave



  • 7.  RE: CPPM 6.7 Clusterwide Certificate install

    EMPLOYEE
    Posted Aug 20, 2018 07:23 AM

    Yes.

     

    "Just to be clear does that mean we can export it as pkcs#12 then directly import to the other cluster members?"



  • 8.  RE: CPPM 6.7 Clusterwide Certificate install

    Posted Aug 18, 2018 09:08 PM

    I have my signed request. CP 6.7 complains that I need the private key when trying to import the signed cert. What am I missing here? Any help would be appreciated; TAC was not able to help me today on this subject matter. They advised that I need to go back to GoDaddy and ask for a different certificate. I have the bundled .crt file.

     

    Thanks



  • 9.  RE: CPPM 6.7 Clusterwide Certificate install

    EMPLOYEE
    Posted Aug 20, 2018 07:25 AM

    Where did you generate the CSR?

    "I have my signed request. CP 6.7 complains that I need the private key when trying to import the signed cert. What am I missing here? Any help would be appreciated; TAC was not able to help me today on this subject matter. They advised that I need to go back to GoDaddy and ask for a different certificate. I have the bundled .crt file."



  • 10.  RE: CPPM 6.7 Clusterwide Certificate install

    Posted Aug 20, 2018 07:27 AM
    Same day as receiving the signed cert. last week sometime.


  • 11.  RE: CPPM 6.7 Clusterwide Certificate install

    EMPLOYEE
    Posted Aug 20, 2018 07:46 AM

    Sorry, I meant to ask whether the CSR was generated in the ClearPass server or using any other tool (like OpenSSL).



  • 12.  RE: CPPM 6.7 Clusterwide Certificate install

    Posted Aug 20, 2018 07:47 AM
    CP server.


  • 13.  RE: CPPM 6.7 Clusterwide Certificate install

    EMPLOYEE
    Posted Aug 20, 2018 07:56 AM

    Okay, ClearPass 6.7 will store only the private key file associated with the latest CSR generated in the server.

    And you need to choose the option "Upload Certificate and Use Saved Private Key" when importing the signed cert.

     

    The server will prompt for the private key when the stored private key does not match the signed cert.

    In such a case, you would need to generate a new CSR again, get it re-signed, and import it.

    Always use the latest CSR from the server. The server will not keep the private keys associated with the old/earlier CSRs.
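
The steps discussed in this thread (creating the key and CSR off-box with openssl, confirming that a signed certificate belongs to a given private key, and bundling both as PKCS#12), as an added example that is not part of the original posts. The host name cppm.example.com and all file names are placeholders, and a self-signed certificate stands in for the CA-signed one.

```sh
#!/bin/sh
# Added example; cppm.example.com and every file name are placeholders.
set -eu

# Create key + CSR off-box so the private key is in hand before signing.
make_csr() {  # $1=key out  $2=CSR out  $3=FQDN
    ( umask 077
      openssl req -new -newkey rsa:2048 -nodes -keyout "$1" -out "$2" \
          -subj "/CN=$3" 2>/dev/null )
}

# Fingerprint of a PEM public key on stdin; fails on empty or invalid input
# so that two unreadable files can never compare as equal.
pub_fp() {
    pem=$(openssl pkey -pubin 2>/dev/null) || return 1
    printf '%s\n' "$pem" | openssl dgst -sha256 -r | cut -d' ' -f1
}
key_fp()  { openssl pkey -in "$1" -pubout | pub_fp; }
csr_fp()  { openssl req  -in "$1" -noout -pubkey | pub_fp; }
cert_fp() { openssl x509 -in "$1" -noout -pubkey | pub_fp; }

# True only when the certificate carries the public half of this key.
cert_matches_key() {
    c=$(cert_fp "$1") && k=$(key_fp "$2") && [ "$c" = "$k" ]
}

# Bundle cert + key as PKCS#12; the password is read from $P12_PASS, not argv.
bundle_p12() {  # $1=cert  $2=key  $3=.p12 out
    cert_matches_key "$1" "$2" || { echo "cert/key mismatch" >&2; return 1; }
    ( umask 077
      openssl pkcs12 -export -in "$1" -inkey "$2" -out "$3" -passout env:P12_PASS )
}

# Constructed demo: a self-signed cert stands in for the CA-signed one.
demo() {
    d=$(mktemp -d)
    make_csr "$d/a.key" "$d/a.csr" cppm.example.com
    openssl x509 -req -in "$d/a.csr" -signkey "$d/a.key" -days 1 \
        -out "$d/a.crt" 2>/dev/null
    make_csr "$d/b.key" "$d/b.csr" cppm.example.com   # later CSR, new key
    [ "$(csr_fp "$d/a.csr")" = "$(key_fp "$d/a.key")" ] && echo "a.csr/a.key match"
    cert_matches_key "$d/a.crt" "$d/b.key" 2>/dev/null || echo "a.crt/b.key MISMATCH"
    P12_PASS=constructed-demo-pass; export P12_PASS
    bundle_p12 "$d/a.crt" "$d/a.key" "$d/a.p12" && echo "wrote a.p12"
    rm -rf "$d"
}
demo
```

Comparing `csr_fp` of the CSR that was actually submitted against `cert_fp` of the returned certificate shows whether the certificate was issued for an older CSR whose key no longer exists.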



  • 14.  RE: CPPM 6.7 Clusterwide Certificate install

    MVP
    Posted May 01, 2019 03:32 PM

    @cappalli wrote:
    Just to be clear, the private key can be exported after installing the signed certificate. There is no need to have access to the private key before that.

    Was this documented in the 6.7 Release Notes?

    This is a major change from the way things worked from 4.2 until 6.6.



  • 15.  RE: CPPM 6.7 Clusterwide Certificate install

    Posted May 22, 2019 05:36 PM

    @cappalli wrote:
    Just to be clear, the private key can be exported after installing the signed certificate. There is no need to have access to the private key before that.

    I am able to export the certificate as .p12, but then how can I import that onto another server in the cluster? When I try to import .p12 I get an error that the cert format is invalid. 



  • 16.  RE: CPPM 6.7 Clusterwide Certificate install

    MVP
    Posted May 23, 2019 07:18 AM

    You select the Upload Method from the Import dialog box.

