Security

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

3 Certs Prompted to Install for Onboard

  • 1.  3 Certs Prompted to Install for Onboard

    Posted Oct 27, 2015 12:38 PM

    My CPPM is signed by a Root CA that has an intermediate CA. I am using the onboard CA for another network; however, during the quick connect process I was prompted to install 3 certs. The 1st cert is the Root CA that signed my CPPM, the 2nd cert is the intermediate CA, and lastly the onboard CA. Is this the normal behavior? Why is there a need to install the Root CA and Intermediate RA that signed my CPPM? I am pretty sure that I only need the onboard Root CA, since onboard configures my network settings such that only my onboard CA is ticked for verifying the server's identity. Please enlighten me. Thanks



  • 2.  RE: 3 Certs Prompted to Install for Onboard

    EMPLOYEE
    Posted Oct 27, 2015 12:39 PM
    Yes this is normal. Root, Intermediate and client cert. You need the full chain since they're privately signed and your machine doesn't have them OOTB.


    Thanks,
    Tim


  • 3.  RE: 3 Certs Prompted to Install for Onboard

    Posted Oct 27, 2015 01:12 PM
    I am a bit confused. I thought that since my onboard CA is configured as Root CA and onboard generates the client cert via this Root CA, it's not related to the other root CA that signed my CPPM. The client trust chain is actually just the onboard CA and signing. Please correct my understanding. Thanks


  • 4.  RE: 3 Certs Prompted to Install for Onboard

    EMPLOYEE
    Posted Oct 27, 2015 01:50 PM
    The client cert is signed by a signing cert which is signed by the root CA.

    The RADIUS server certificate gets installed to prevent any weird client supplicant issues such as cross-signed intermediates and server certs.


    Thanks,
    Tim
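
The two separate certificate hierarchies discussed in this thread, rebuilt with `openssl` as an added example that is not part of any post and is not ClearPass code. All certificate subjects and file names are constructed, and `openssl verify` stands in for a supplicant's chain check.

```bash
#!/usr/bin/env bash
# Added example. Every name, subject and file below is constructed for the demo.
set -eu
work=$(mktemp -d); trap 'rm -rf "$work"' EXIT; cd "$work"

# CA certs need basicConstraints CA:TRUE to sign other certs; leaves must not have it.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\n' > leaf.ext

# issue NAME CN EXTFILE [ISSUER]: self-signed when ISSUER is omitted
issue() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -subj "/CN=$2" 2>/dev/null
  if [ -n "${4:-}" ]; then
    openssl x509 -req -in "$1.csr" -CA "$4.pem" -CAkey "$4.key" -CAcreateserial \
      -extfile "$3" -days 2 -out "$1.pem" 2>/dev/null
  else
    openssl x509 -req -in "$1.csr" -signkey "$1.key" \
      -extfile "$3" -days 2 -out "$1.pem" 2>/dev/null
  fi
}

# validates CERT ANCHOR...: succeeds only if CERT chains to the given CA files
validates() {
  cert=$1; shift
  cat "$@" > anchors.pem
  openssl verify -CAfile anchors.pem "$cert" >/dev/null 2>&1
}

# Hierarchy 1: enterprise PKI that signed the RADIUS (CPPM) server certificate
issue ent_root "Constructed Enterprise Root CA" ca.ext
issue ent_int  "Constructed Enterprise Intermediate CA" ca.ext ent_root
issue radius   "cppm.example.test" leaf.ext ent_int

# Hierarchy 2: Onboard root CA, its signing cert, and a device client cert
issue onb_root "Constructed Onboard Root CA" ca.ext
issue onb_sign "Constructed Onboard Signing CA" ca.ext onb_root
issue client   "device01.example.test" leaf.ext onb_sign

report() { if validates "$@"; then echo "OK   $*"; else echo "FAIL $*"; fi; }
report radius.pem onb_root.pem                 # server cert vs Onboard CA only
report radius.pem ent_root.pem ent_int.pem     # server cert vs its own chain
report client.pem onb_root.pem onb_sign.pem    # client cert vs Onboard chain
report client.pem ent_root.pem ent_int.pem     # client cert vs enterprise chain
```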


  • 5.  RE: 3 Certs Prompted to Install for Onboard

    Posted Oct 27, 2015 09:54 PM
    Thanks Tim for the explanation, but may I know if the client uses the radius server certificate? I don't think (can't confirm) that the radius server certs (root and intermediate CA) are ticked in the client's list of trusted CAs (based on quick connect party provisioning). If that's the case, if I were to manually delete the cert, it will work too, right?


  • 6.  RE: 3 Certs Prompted to Install for Onboard
    Best Answer

    EMPLOYEE
    Posted Oct 27, 2015 09:56 PM
    Yes, it should select the RADIUS server cert in that case. Any of the three certs *SHOULD* work. Some devices are more finicky than others.





  • 7.  RE: 3 Certs Prompted to Install for Onboard

    Posted Oct 28, 2015 12:04 PM

    What if my CPPM uses a self-signed cert? I have not tested, but based on your explanation, can I say that I will be prompted to install both the onboard root CA as well as the CPPM self-signed cert?



  • 8.  RE: 3 Certs Prompted to Install for Onboard

    EMPLOYEE
    Posted Oct 28, 2015 06:06 PM
    Yes