Occasional Contributor II

Public certificate for ClearPass Cluster

Hi,
I have 2 ClearPass nodes, a pub and a sub, with L3 connectivity. I want to generate a CSR for a public HTTPS certificate, and I also want to use the same certificate for both ClearPass nodes, so what should I put in the CN field, as I am not going to use a VIP? Is it fine to keep the CN blank and add the pub/sub FQDNs and IP addresses in the SAN field? Please answer my query with an example.

Guru Elite

Re: Public certificate for Clearpass Cluster

You need to have a common name in your certificate. The CN is also presented to clients when using tunneled EAP. Use something generic like "clearpass.yourdomain.xyz".

Also, there are very few use cases that require IP address in the certificate.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor II

Re: Public certificate for Clearpass Cluster

Hi Cappalli,

I am using the Symantec PKI service and tried to generate a certificate with the CSR configuration below (reference URL https://community.arubanetworks.com/t5/Security/Certificate-Question-Two-CPPM-each-in-different-locations-using/td-p/159604, message no. 6):

CN : CPPM1.ABC.COM

SAN:DNS:CPPM1.LOCAL,DNS:CPPM2.LOCAL,DNS:CPPM1.ABC.COM,DNS:CPPM2.ABC.COM,IP:192.168.x.x,IP:192.168.x.x

There is no reachability to the CPPM public FQDN as I am using a private IP address for this.

While generating the certificate with Symantec for the above CSR, it gives me the error below:

"cannot process IP addresses nor nonpublic reachable FQDNs."

I attempted removing the IPs but get the same error.

Guru Elite

Re: Public certificate for Clearpass Cluster

A public domain is required for a public CA-signed certificate. That does not mean ClearPass actually needs to be public facing.

Also, in 90% of use cases, you don't need to add the IP address to the cert. What are you planning to use the IP for? (As a side note, you cannot use RFC1918 space in a public CA-signed certificate.)


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor II

Re: Public certificate for Clearpass Cluster

Actually, I am following Danny's CPPM Certificate 101 tech note, where I saw that IP addresses had been added in the SAN field, so I added them in my CSR too.

What should I do to resolve this issue and generate the certificate?

Guru Elite

Re: Public certificate for Clearpass Cluster

Remove the IPs and be sure you only have public FQDNs with publicly registered domains in your certificate.

Also, the common name of your cert should either be something generic (clearpass.domain.com) or the name you'll be using for a VIP.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor II

Re: Public certificate for Clearpass Cluster

PUB and SUB are connected over an L3 network, so I am not using a VIP here.

As you mentioned to only have public FQDNs with a publicly registered domain, shall I remove my CPPM local FQDN entries from the SAN field?

Which CSR configuration shall I use from the below?

1)
CN : CPPM1.ABC.COM
SAN:DNS:CPPM1.LOCAL,DNS:CPPM2.LOCAL,DNS:CPPM1.ABC.COM,DNS:CPPM2.ABC.COM

2)
CN : CPPM1.ABC.COM
SAN:DNS:CPPM1.ABC.COM,DNS:CPPM2.ABC.COM

Guru Elite

Re: Public certificate for Clearpass Cluster

You'll have to use option 2.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
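A pre-flight check of a CN/SAN plan against the rules given above (no IP SANs, no non-public names, a non-empty CN that is also present in the SAN), as an added example that is not from the thread, from ClearPass or from any CA; the reserved-suffix list and the 192.168.1.10 address are constructed for the example.

```python
import ipaddress
import re

# Suffixes no public CA issues for: RFC 6762 .local, RFC 6761 names, private LAN suffixes (constructed list).
NON_PUBLIC_SUFFIXES = {"local", "localhost", "internal", "lan", "corp", "home", "test", "example", "invalid"}
HOSTNAME_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))+$")

def parse_san(san):
    """Split 'DNS:a,IP:1.2.3.4' into (TYPE, value) pairs."""
    pairs = []
    for item in san.split(","):
        kind, _, value = item.strip().partition(":")
        if kind:
            pairs.append((kind.strip().upper(), value.strip()))
    return pairs

def check_csr_plan(cn, san):
    """Return the problems a public CA or a client would raise; [] means acceptable."""
    problems = []
    cn = cn.strip().lower().rstrip(".")
    if not cn:
        problems.append("CN is empty; tunneled EAP clients are shown the CN")
    entries = parse_san(san)
    dns_names = {v.lower().rstrip(".") for k, v in entries if k == "DNS"}
    for kind, value in entries:
        if kind == "IP":
            try:
                why = "private/reserved address" if ipaddress.ip_address(value).is_private else "IP SANs"
            except ValueError:
                why = "malformed IP"
            problems.append(f"public CA will not issue for {why}: {value}")
        elif kind == "DNS":
            name = value.lower().rstrip(".")
            if not HOSTNAME_RE.match(name):
                problems.append(f"not a valid FQDN: {value}")
            elif name.rsplit(".", 1)[-1] in NON_PUBLIC_SUFFIXES:
                problems.append(f"non-public FQDN (reserved suffix): {value}")
        else:
            problems.append(f"unsupported SAN type {kind}: {value}")
    if cn and cn not in dns_names:
        problems.append("CN not repeated in SAN; modern clients match SAN only")
    return problems

# The two SAN layouts proposed in the thread, plus the first attempt with a
# constructed RFC1918 address standing in for the masked 192.168.x.x.
OPTION_1 = ("CPPM1.ABC.COM", "DNS:CPPM1.LOCAL,DNS:CPPM2.LOCAL,DNS:CPPM1.ABC.COM,DNS:CPPM2.ABC.COM")
OPTION_2 = ("CPPM1.ABC.COM", "DNS:CPPM1.ABC.COM,DNS:CPPM2.ABC.COM")
FIRST_ATTEMPT = (OPTION_1[0], OPTION_1[1] + ",IP:192.168.1.10")
```

Running `check_csr_plan(*OPTION_2)` returns an empty list, while option 1 is rejected for its two `.LOCAL` names and the first attempt additionally for the private IP.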