Security

Reply
Regular Contributor II
Posts: 240
Registered: ‎09-11-2013

Onboard cert that includes the root CA

Hi Forum,

 

I usually deploy onboarding with clearpass as the root CA for the users certs it issues. I want to know if there is a way that I can include companyX root CA in the client cert but have clearpass be the issuer still?! 

 

is that possible?

Guru Elite
Posts: 8,453
Registered: ‎09-08-2010

Re: Onboard cert that includes the root CA

ClearPass can issue certs on behalf of Active Directory Certificate Services either as an intermediate or registration authority.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Regular Contributor II
Posts: 240
Registered: ‎09-11-2013

Re: Onboard cert that includes the root CA

I guess I should've asked for "how to" I kinda know that it can "issue certs on behalf of Active Directory Certificate Services either as an intermediate or registration authority."

 

I'm just not sure how!

Regular Contributor II
Posts: 240
Registered: ‎09-11-2013

Re: Onboard cert that includes the root CA

I also tried looking at the tech notes but all I can find is either clearpass is the issuing and signing CA or clearpass requests a cert from AD on behalf of the users. Can't find something for having clearpass issuing the cert to clients but that certs also includes the root CA for comapnyX!!

I always feel that I'm this one guy that comes up with requests that don't make sense or no need for them LOL

MVP
Posts: 465
Registered: ‎11-04-2011

Re: Onboard cert that includes the root CA

I would ask the requested what functionality he wants to achieve, as the request as defined in your question leaves quite some room for interpretation. You don't include a corporate Root-CA in a client certificate.

 

What are some of the possible questions: 

- Can we issue certificates with Onboard that are trusted by our company Root-CA; the answer to that is yes, and follow the suggestions by Tim: ADCS or sign the Onboard CA as an intermediate. Where I tend to add to such a request that you should be exactly knowing what you are doing as this renders your Onboard in a certificate issuing entity that generates certificates that are company-wide trusted, which in turn may result in providing to much trust/access to those certificates. So, yes it can be done, and no, you probably don't want it unless you have other reasons that some manager asked you to do it. 

- Can we enroll the corporate Root CA to client devices in the Onboarding process? The answer to that is also yes. You can in the Onboard Trust settings select 'manually configure trust settings' which allows you to select one or multiple root CAs that are installed on the client devices. For BYOD, be aware that pushing additional root CAs will allow the company to deploy technologies like SSL interception, which may require explicit consent from the end-user (depending on your local laws).

 

If you can ask, and share the question behind the question (what is the expected functionality), that might help in getting the right answer to the right question.

--
If you have urgent issues, please contact your Aruba partner or Aruba TAC.
Search Airheads
Showing results for 
Search instead for 
Did you mean: