Frequent Contributor I

Clearpass https certificate SAN



I have the following on my Aruba controller:


login-page ""


Whenever a user connects, his browser gets a warning in IE or Chrome because the Clearpass server https certificate has CN=wifi-003 instead of  It is possible to continue, but not a nice setup.


The logical solution would be to create a self-signed certificate and register the name in DNS.

Here comes the problem...  The certificate signing server is in a domain, which is not externally available.  So let's assume it's in domain  This domain is only available internally.

So I could create a self-signed certificate, change the login-page to:


login-page ""


but nobody could resolve it since the guest network only has Google's DNS servers for resolving.


I do not have any detail what a browser verifies, but I assume creating a self-signed certificate on the certificate server in domain with also would not work?


I noticed however the SAN option in the CSR is available in Clearpass.  Can this one be used to specify a FQDN which we do own?  And then specify that FQDN in the login-page?  

Guru Elite

Re: Clearpass https certificate SAN



There are two requirements for the message not to show up:


1 - The Client Trusts the Certificate or the CA that issued the certificate

2 - The SAN matches the redirect address


For #1, you need a public certificate.  For #2, you need a cert with a proper SAN fqdn.  Unfortunately, public CAs only issue public certificates for domains that you own publicly, so you must own the domain to get a public fqdn certificate for it.  Please see "CA changes for Internal FQDN’s and RFC1918" in the Certificates 101 Technote here



*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
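
Requirement #2 from the reply above, as an added example that is not part of the original thread: a check that the login-page host is covered by the certificate's SAN. Certificates are passed in the dict shape that Python's `ssl.SSLSocket.getpeercert()` returns; the host names and the login-page URL are constructed placeholders, and the trust check in requirement #1 is not modelled.

```python
# Added example: SAN vs. login-page host (requirement #2 only, trust is not checked).
import ipaddress
from urllib.parse import urlsplit


def _dns_match(pattern, host):
    """Match one SAN dNSName; '*' is honoured only as the whole left-most label,
    covers exactly one label, and needs at least two labels after it."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def san_covers_login_page(cert, login_page_url):
    """Return (ok, reason): does the certificate's SAN cover the login-page host?"""
    host = urlsplit(login_page_url).hostname
    if not host:
        return False, "login-page URL has no host"
    sans = cert.get("subjectAltName", ())
    if not sans:
        # Current browsers do not fall back to the subject CN.
        return False, "certificate has no SAN; CN is ignored"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    for kind, value in sans:
        if ip is not None:
            # An IP literal in the URL only matches an iPAddress SAN entry.
            if kind == "IP Address" and ipaddress.ip_address(value) == ip:
                return True, f"matched iPAddress SAN {value}"
        elif kind == "DNS" and _dns_match(value, host):
            return True, f"matched dNSName SAN {value}"
    return False, f"{host} not in SAN {[v for _, v in sans]}"


# Constructed sample data; every name below is a hypothetical placeholder.
CN_ONLY = {"subject": ((("commonName", "wifi-003"),),)}
WITH_SAN = {
    "subject": ((("commonName", "wifi-003"),),),
    "subjectAltName": (("DNS", "guest.example.com"), ("DNS", "*.portal.example.com")),
}
LOGIN_PAGE = "https://guest.example.com/guest/login.php"  # hypothetical login-page value
```

To run it against a live server, pass the result of `getpeercert()` from a verified TLS connection as `cert`.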
Guru Elite

Re: Clearpass https certificate SAN

For the DNS issue, you have two options:

- Add ClearPass IP to public DNS

- Utilize the DNS proxy feature of your upstream router

Tim Cappalli | Aruba Security
@timcappalli | | ACMX #367 / ACCX #480