ryh
Contributor II

Wildcard cert will not import without a passphrase

Hi,

I have a *.domain.com certificate for HTTPS that was generated without a passphrase to protect the private key.  ClearPass would not import it.

Going through openssl to aes256 encrypt the private key with a passphrase worked in the command line, but ClearPass complained, something about the header being invalid.

Are there any special signing requirements for being able to import the private key?

Guru Elite

Re: Wildcard cert will not import without a passphrase

Did you try importing a plain text key?

Tim Cappalli | Aruba Security
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
ryh
Contributor II

Re: Wildcard cert will not import without a passphrase

Yes, I've tried: when trying to import the plain-text private key without putting in the passphrase, the ClearPass cert import section said "Private Key Password must be specified".

ryh
Contributor II

Re: Wildcard cert will not import without a passphrase

A tangential question which may help is: what is the internal SSL/Signing component that ClearPass uses?  Is it OpenSSL?  Maybe there are compatibility issues I could hunt down.

Guru Elite

Re: Wildcard cert will not import without a passphrase

Yes, you need to specify a strong password during import. This will be used to protect the key if exported from the system.

Tim Cappalli | Aruba Security
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
ryh
Contributor II

Re: Wildcard cert will not import without a passphrase

Yes, I agree about the need for a private key being protected.  However, this private key - as supplied - is not.

Importing the plain-text private key didn't work.  So I tried applying a passphrase.

ClearPass didn't like the private key after I had it signed with the passphrase.

So if there isn't a way around not using a passphrase, is there any guidance on the formatting or header requirements of the private key?

Guru Elite

Re: Wildcard cert will not import without a passphrase

Don't apply a passphrase externally. Upload the clear text key and then enter a passphrase in the box.

Tim Cappalli | Aruba Security
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
ryh
Contributor II

Re: Wildcard cert will not import without a passphrase

When you do that, it says the "Private Key could not be loaded (password may not be correct)".

I think I'll have to try and passphrase-encrypt it again from the CLI via OpenSSL.  I just wish I knew what ClearPass was looking for in the private key.

Guru Elite

Re: Wildcard cert will not import without a passphrase

ClearPass will accept a traditional PKCS#8 key or a PKCS#5 v2.0 encrypted private key (des3).

Tim Cappalli | Aruba Security
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
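
The two key formats named in the reply above can be checked for and produced with the OpenSSL command line. This is an added example, not part of the thread and not Aruba's tooling; the function names are hypothetical, and it assumes an `openssl` binary is installed and that the passphrase is supplied through an `env:` or `file:` source.

```shell
#!/bin/sh
# Added example: identify a PEM private key's container format from its
# header, then re-wrap it with the OpenSSL CLI. Function names are hypothetical.

# Print the container format of the PEM file given as $1.
key_format() {
    if grep -q -e '-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1"; then
        echo "pkcs8-encrypted"          # PKCS#8 EncryptedPrivateKeyInfo
    elif grep -q -e '-----BEGIN PRIVATE KEY-----' "$1"; then
        echo "pkcs8-plain"              # PKCS#8 PrivateKeyInfo, no passphrase
    elif grep -q -e '-----BEGIN [A-Z]* PRIVATE KEY-----' "$1"; then
        # Algorithm-specific PEM (RSA, EC, DSA). When OpenSSL encrypts this
        # form it adds Proc-Type and DEK-Info header lines inside the PEM.
        if grep -q '^Proc-Type: 4,ENCRYPTED' "$1"; then
            echo "traditional-encrypted"
        else
            echo "traditional-plain"
        fi
    else
        echo "unknown"
    fi
}

# Write $1 as unencrypted PKCS#8 to $2 (openssl prompts if $1 is encrypted).
to_pkcs8_plain() {
    ( umask 077 && openssl pkcs8 -topk8 -nocrypt -in "$1" -out "$2" )
}

# Write $1 as PKCS#8 encrypted with PKCS#5 v2.0 and triple DES to $2.
# $3 is an OpenSSL pass phrase source (env:VAR or file:PATH), which keeps
# the passphrase itself out of the process list and shell history.
to_pkcs8_des3() {
    ( umask 077 && openssl pkcs8 -topk8 -v2 des3 -in "$1" -out "$2" -passout "$3" )
}

# Stand-alone use: sh keyfmt.sh key.pem   (prints the detected format)
if [ "$#" -ge 1 ]; then
    key_format "$1"
fi
```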
ryh
Contributor II

Re: Wildcard cert will not import without a passphrase

Thanks, that helps. I'll see if I can sort it out.