12-15-2016 04:17 PM
My current RADIUS cert is set to expire in a couple days and Clearpass is giving me the red notification across the top "The RADIUS Server Cert will expire in 2 day(s)". I created a CSR, had it signed by our PKI CA, then imported the cert, private key file and password. On the cert page it shows the cert as valid and the expiration date changed to match the 5-year cert expiration. However, the red warning stating the cert will exire in 2 days is still at the top of the page.
1. Does this cert need to be referenced/changed anywhere else in ClearPass, other than the Server Certificate/RADIUS Certificate page?
2. Will a 5-year web server certificate suffice for the certicate type?
It should be noted that I have a subscriber in the cluster and I changed the cert on that one yesterday and the expiration error message went away. Finding it out of the ordinary that the one on the publisher is staying around.
12-15-2016 04:20 PM
I would open a TAC case just to make sure everything is OK.
Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
12-19-2016 12:18 AM
This is normal behavior. The certificate warning seems to be generated during the nightly maintenance and disappears again when at the next run it appears that the certificate is valid again. I have not found a way to trigger this, I believe I even restarted the ClearPass appliance without success but the next day the warning was gone after I replaced the cert.
You made a good decision to get a 5-year certificate, as it reduces the maintenance of your certificates. Take the certificate valid as long as possible, at least for RADIUS.
Replacing the certificate with '2 days to go' is risky, as I have seen many cases where the certificate request/issue process can be delayed on formalities like signatures. Most times it will be okay, but you don't want to risk your ClearPass certificate to expire. Bear in mind that some clients with clock offsets (can be days) will not accept the cert when according to their clock the certificate expires. I would try to have your certificate replaced at least a week before expiration, and if possible few hours/days after issuance.
If you have urgent issues, please contact your Aruba partner or Aruba TAC.