Occasional Contributor II
Posts: 78
Registered: ‎06-03-2014

3 Certs Prompted to Install for Onboard

My CPPM is signed by a Root CA that has an intermediate CA. I am using onboard CA for another network, however during the quick connect process I was prompted to install 3 certs. The 1st cert is the Root CA that signed my CPPM, the 2nd cert is the intermediate CA, and lastly the onboard CA. Is this the normal behavior? Why is there a need to install the Root CA and Intermediate RA that signed my CPPM? I am pretty sure that I only need the onboard Root CA since onboard configures my network settings such that only my onboard CA is ticked for the verify server's identity. Please enlighten me. Thanks

Guru Elite
Posts: 8,192
Registered: ‎09-08-2010

Re: 3 Certs Prompted to Install for Onboard

Yes this is normal. Root, Intermediate and client cert. You need the full chain since they're privately signed and your machine doesn't have them OOTB.


Thanks,
Tim

Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
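To make the two separate chains in this thread concrete, here is an added example (not from the thread, and not ClearPass or QuickConnect code) that builds them with throwaway keys and checks which trust anchor validates which certificate. It assumes the `openssl` CLI; all subject names are constructed, and the onboard signing tier is left out for brevity.

```bash
#!/bin/sh
# Added example: every name, subject and key here is a constructed throwaway.
set -eu

build_chains() {  # $1 = empty working directory
  d=$1
  cat > "$d/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
  req="openssl req -config $d/ca.cnf -newkey rsa:2048 -nodes"
  sign="openssl x509 -req -days 1 -CAcreateserial"
  # Chain 1: private root -> intermediate -> RADIUS server certificate.
  $req -x509 -days 1 -subj "/CN=Example Root CA" -keyout "$d/root.key" -out "$d/root.pem"
  $req -subj "/CN=Example Intermediate CA" -keyout "$d/int.key" -out "$d/int.csr"
  $sign -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -extfile "$d/ca.cnf" -extensions v3_ca -out "$d/int.pem"
  $req -subj "/CN=radius.example.test" -keyout "$d/srv.key" -out "$d/srv.csr"
  $sign -in "$d/srv.csr" -CA "$d/int.pem" -CAkey "$d/int.key" -out "$d/srv.pem"
  # Chain 2: unrelated onboard CA -> client certificate (signing tier omitted).
  $req -x509 -days 1 -subj "/CN=Example Onboard CA" -keyout "$d/onb.key" -out "$d/onb.pem"
  $req -subj "/CN=client-device" -keyout "$d/cli.key" -out "$d/cli.csr"
  $sign -in "$d/cli.csr" -CA "$d/onb.pem" -CAkey "$d/onb.key" -out "$d/cli.pem"
}

# True if certificate $2 chains to trust anchor $1; $3 = intermediates the peer sends.
verifies() {
  openssl verify -no-CApath -CAfile "$1" ${3:+-untrusted "$3"} "$2" >/dev/null 2>&1
}

WORK=$(mktemp -d)
build_chains "$WORK" >/dev/null 2>&1
for anchor in onb root; do
  verifies "$WORK/$anchor.pem" "$WORK/srv.pem" "$WORK/int.pem" && r=trusted || r=rejected
  echo "RADIUS server cert, anchor=$anchor.pem: $r"
  verifies "$WORK/$anchor.pem" "$WORK/cli.pem" && r=trusted || r=rejected
  echo "client cert,        anchor=$anchor.pem: $r"
done
```

This is a generic X.509 path check; how a particular supplicant selects or pins its trusted certificates can differ from what `openssl verify` does.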
Occasional Contributor II
Posts: 78
Registered: ‎06-03-2014

Re: 3 Certs Prompted to Install for Onboard

I am a bit confused. I thought that since my onboard CA is configured as Root CA and onboard generates the client cert via this Root CA, it's not related to the other root CA that signed my CPPM. The client trust chain is actually just the onboard CA and signing. Please correct my understanding. Thanks
Guru Elite
Posts: 8,192
Registered: ‎09-08-2010

Re: 3 Certs Prompted to Install for Onboard

The client cert is signed by a signing cert which is signed by the root CA.

The RADIUS server certificate gets installed to prevent any weird client supplicant issues such as cross-signed intermediates and server certs.


Thanks,
Tim

Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
Occasional Contributor II
Posts: 78
Registered: ‎06-03-2014

Re: 3 Certs Prompted to Install for Onboard

Thanks Tim for the explanation, but may I know if the client uses the RADIUS server certificate? I don't think (can't confirm) that the RADIUS server certs (root and intermediate CA) are ticked in the client's list of trusted CAs (based on quick connect party provisioning). If that's the case, if I were to manually delete the cert, it will work too, right?
Guru Elite
Posts: 8,192
Registered: ‎09-08-2010

Re: 3 Certs Prompted to Install for Onboard

Yes, it should select the RADIUS server cert in that case. Any of the three certs *SHOULD* work. Some devices are more finicky than others.




Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
Occasional Contributor II
Posts: 78
Registered: ‎06-03-2014

Re: 3 Certs Prompted to Install for Onboard

What if my CPPM uses a self-signed cert? I have not tested, but based on your explanation, can I say that I will be prompted to install both the onboard root CA as well as the CPPM self-signed cert?

Guru Elite
Posts: 8,192
Registered: ‎09-08-2010

Re: 3 Certs Prompted to Install for Onboard

Yes

Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP