Frequent Contributor I

Clearpass https certificate SAN



i have the following on my Aruba controller :


login-page ""


Whenever a user connects his browser gets a warning in IE or Chrome because the Clearpass server https certificate has CN=wifi-003 instead of  It is possible to continue, but not a nice setup.


The logical solution would be to create a selfsigned certificate, register the name in dns.

Here comes the problem...  The certificate signing server is in a domain, which is not externally available.  So let's assume it's in domain  This domain is only available internal.

So i could create a selfsigned certificate, change the login-page to :


login-page ""


but nobody could resolve it since the guest network only has Google's dns servers for resolving.


I do not have any detail what a browser verifies, but i assume creating a selfsigned certificate on the certificate server in domain with also would not work?


I noticed however the SAN option in the CSR is available in Clearpass.  Can this one be used to specify a FQDN which we do own?  And then specify that FQDN in the login-page?  

Guru Elite

Re: Clearpass https certificate SAN



There are two requirements for the message not to show up.:


1 - The Client Trusts the Certificate or the CA that issued the certificate

2 - The SAN matches the redirect address


For #1, you need a public certificate.  For #2, you need a cert with a proper SAN fqdn.  Unfortunately, public CAs only issue public certificates for domains that you own publicly, so you must own the domain to get a public fqdn certificate for it.  Please see "CA changes for Internal FQDN’s and RFC1918" in the 

Certificates 101 Technote here



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Guru Elite

Re: Clearpass https certificate SAN

For the DNS issue, you have two options:

- Add ClearPass IP to public DNS

- Utilize the DNS proxy feature of your upstream router

Tim Cappalli | Aruba Security
@timcappalli | | ACMX #367 / ACCX #480
Search Airheads
Showing results for 
Search instead for 
Did you mean: