Super Contributor II

CPPM and Commercial Certificate Recommendations

Hello,

 

We are looking at getting a Commercial Certificate for our CPPM. This will be our first Commercial Certificate so we want to make sure we get the right one.

 

Our setup is as follows:

  • We have two CPPMs which will be clustered
  • Hostnames (examples) - CPPM 1: cppm1.server.com, CPPM 2: cppm2.server.com
  • The two CPPMs are in different physical locations
  • We will be using a common DNS name to resolve to the correct CPPM depending upon where you are - cppm.server.com

We have been looking at the certificates offered by Verisign. But we are not 100% sure on what kind of certificate we should be purchasing. I think we will need two certificates, one for each CPPM, but how will the protection of the URL work? The option for Verisign called Secure Site SSL Certificates seems to be an option that makes sense for our scenario. But we are still not 100% sure.

Is there any documentation from Aruba that talks specifically about the type of certificate we should be looking at? Or what the certificate should cover in terms of URLs?

 

Hopefully my question makes sense. I am still learning about certificates and how they are to be set up.

 

Thank you,

 

Cheers

MVP

Re: CPPM and Commercial Certificate Recommendations

I'd get the cert you're talking about (we get ours from GoDaddy -- not a plug, just a note that we haven't had any problems, and they weren't too expensive) but use the Common Name = cppm.whatever.com and then declare Subject Alternative Names = cppm1 and cppm2 etc.

 

This way you can use the same cert on both servers (I think -- someone will correct me if I'm getting this wrong!)

--Matthew

if I've helped, please give kudos
if I've provided a solution, please mark the solution so others can find it
Super Contributor II

Re: CPPM and Commercial Certificate Recommendations

Hey msabin,

 

Thank you for your response!

I didn't realize we may be able to get away with only one certificate. That is great!

Out of curiosity, have you used your GoDaddy cert with Apple devices?

I know that in order to use HTTPS in the Onboarding process with Apple devices we need a commercial cert. and I thought I heard Apple can even be picky about the commercial cert.

So just want to make sure GoDaddy will work okay with the Apple devices.

Thanks again for the information!

 

Cheers

Frequent Contributor I

Re: CPPM and Commercial Certificate Recommendations

I can confirm that GoDaddy certs will work for Apple device onboarding under ClearPass 6.1.   There was an issue with iOS onboarding using GoDaddy certs in CP 6.0 because the GoDaddy root CA was missing a Common Name.  This has been fixed in the latest version of ClearPass.

 

 

Super Contributor II

Re: CPPM and Commercial Certificate Recommendations

Thanks xdrewpjx,

 

Much appreciated for confirming this!

 

GoDaddy seems like the better choice at this point due to their pricing being way cheaper than Verisign.

Frequent Contributor I

Re: CPPM and Commercial Certificate Recommendations

GoDaddy is certainly the cheapest.  

 

I have also used certs from Digicert, GeoTrust, and Comodo CAs and had no issues with onboarding.  

Super Contributor II

Re: CPPM and Commercial Certificate Recommendations

That is good to know as well. 

This is my first experience with commercial certs. so I am trying to figure out as much detail as possible!

 

Would you be able to elaborate on how you set up the commercial cert. on your CPPM?

Is it just a simple process? After you get your commercial cert. you just import it under the CPPM as the Server Cert?

When you import it does it show the entire trust chain?

Aruba

Re: CPPM and Commercial Certificate Recommendations

Not all vendors will send you a cert that has the full trust chain. You will need to combine the certs if it does not. 

 

-----BEGIN CERTIFICATE-----
... (certificate for your server)...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
... (the intermediate certificate)...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
... (the root certificate for the CA)...
-----END CERTIFICATE-----

 

You will also need to add the root and intermediate (if there is one) to the CPPM certificate trust list.

 

Administration » Certificates » Trust List

 

For testing purposes I use https://www.startssl.com/ 

 

If you own the domain and can verify you own it then you can get a free public cert. "Again, this is for testing." They do not combine the chain so you will need to do that yourself.

 

certchain.png

Thank You,
Troy

--Give Kudos: found something helpful, important, or cool? Click Kudos Star in a post.

--Problem Solved? Click "Accepted Solution" in a post.
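
Added example (not part of the original posts and not Aruba tooling): a shell sketch of the two points made in this thread, one certificate with Common Name cppm.server.com plus Subject Alternative Names for both nodes, and a bundle concatenated in server, intermediate, root order and then checked. It assumes the OpenSSL command line is installed; the throwaway CA, the file names and the helper function names are constructed stand-ins for what a commercial CA would send.

```shell
#!/usr/bin/env bash
# Added example: the throwaway CA, file names and helper names are constructed.
set -eu
W=$(mktemp -d)
issue() {   # issue <name> <CN> <signer> <extension section>
  openssl req -new -newkey rsa:2048 -nodes -config "$W/x.cnf" -subj "/CN=$2" \
    -keyout "$W/$1.key" -out "$W/$1.csr" 2>/dev/null
  openssl x509 -req -in "$W/$1.csr" -CA "$W/$3.pem" -CAkey "$W/$3.key" \
    -CAcreateserial -days 2 -extfile "$W/x.cnf" -extensions "$4" \
    -out "$W/$1.pem" 2>/dev/null
}
make_sample_pki() {   # stand-in for the files a commercial CA would send you
  cat > "$W/x.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
CN = unused
[ca]
basicConstraints = critical,CA:TRUE
[leaf]
subjectAltName = DNS:cppm.server.com,DNS:cppm1.server.com,DNS:cppm2.server.com
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -config "$W/x.cnf" \
    -extensions ca -subj "/CN=Constructed Root CA" \
    -keyout "$W/root.key" -out "$W/root.pem" 2>/dev/null
  issue int  "Constructed Intermediate CA" root ca
  issue leaf "cppm.server.com"             int  leaf
}
sans_of() {   # print the SAN list of a certificate, spaces removed
  openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name' \
    | tail -n1 | tr -d ' '
}
check_bundle() {   # succeeds only if each cert is issued by the one after it
  rm -f "$W"/part-*.pem
  awk -v d="$W" '/BEGIN CERTIFICATE/{n++} {print > (d "/part-" n ".pem")}' "$1"
  i=1
  while [ -f "$W/part-$((i+1)).pem" ]; do
    iss=$(openssl x509 -in "$W/part-$i.pem" -noout -issuer | sed 's/^issuer= *//')
    sub=$(openssl x509 -in "$W/part-$((i+1)).pem" -noout -subject | sed 's/^subject= *//')
    [ "$iss" = "$sub" ] || return 1
    i=$((i+1))
  done
  # Signature check: last cert is the trust anchor, the rest are untrusted helpers.
  openssl verify -CAfile "$W/part-$i.pem" -untrusted "$1" "$W/part-1.pem" >/dev/null 2>&1
}
make_sample_pki
cat "$W/leaf.pem" "$W/int.pem" "$W/root.pem" > "$W/bundle.pem"   # order from the post
check_bundle "$W/bundle.pem" && echo "bundle OK, SANs: $(sans_of "$W/leaf.pem")"
```

Running `check_bundle` on the combined file before importing it catches a bundle pasted together in the wrong order, and `sans_of` shows whether every hostname clients will use is actually listed.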
Super Contributor II

Re: CPPM and Commercial Certificate Recommendations

Hey tarnold,

 

Wow, that's amazing! Thanks for the screenshot!

I think that makes sense to me!

 

We do have a test environment so it might be really useful for us to try out this startssl just as a test to see how things will go before moving into production.

 

When you say "You will also need to add the root and intermediate (if there is one)...." are you referring to the section on the CPPM under CPPM > Administration > Certificates > Trust List ?

Aruba

Re: CPPM and Commercial Certificate Recommendations

That is for both.

 

Trust list and when you import the certificate into the CPPM. Remember you only need a public cert on the CPPM side. 

Thank You,
Troy
