Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

server cert import question

  • 1.  server cert import question

    Posted May 16, 2013 10:26 AM

    Hi,

    I'm having a problem getting our server cert imported.

    We use InCommon certificates on campus. I generated the CSR and private key and sent the CSR to the InCommon cert-manager. I then downloaded the cert when it was ready. During import ClearPass complained that the cert "must be added and enabled in the Certificate Trust List". So, I added and enabled it. The cert shows enabled in the Trust List. However, I am still unable to import the cert. I tried rebooting ClearPass to no avail. I will attempt to attach the relevant screenshots.

    We're running 6.0.2.51259 on a ClearPass hardware appliance.

    Any thoughts or suggestions would be appreciated.

    Mike



  • 2.  RE: server cert import question

    EMPLOYEE
    Posted May 16, 2013 10:31 AM

    It's hard to see from the screenshot, but are the AddTrust External Root CA and InCommon Intermediate certs enabled?



  • 3.  RE: server cert import question
    Best Answer

    Posted May 16, 2013 12:49 PM

    Mike, the certificate you enabled and show in your screenshot from the Certificate Trust List looks to be the certificate for your appliance (the DN is CN=clearpass1.oit.umass.edu...etc.). You want to add the Root CA and any Intermediate CAs into the Certificate Trust List, and make sure they are enabled. Then import the appliance certificate.

    I believe your chain will consist of the following if you didn't download the chain when creating your certificate:



  • 4.  RE: server cert import question

    Posted May 16, 2013 01:52 PM

    So I imported the AddTrustExternalCARoot and Intermediate/Issuing CA into the Certificate Trust List using the links you sent and that worked (!) - I am now able to successfully import my appliance cert.

    But, is this legitimate to do or did I just create a security hole using (apparently) freely available CAs? I think I'm a bit confused on the public vs generated aspect of certs.

    Are these acceptable to use in production or were these "generic" or "test" CAs?

    BTW, you are right, I didn't download the chain when creating my certificate.

    Thanks for the help...finger is hovering above the Kudos button!

    -Mike



  • 5.  RE: server cert import question

    EMPLOYEE
    Posted May 16, 2013 01:56 PM

    You are just importing the complete certificate chain. There is no security issue. Your certificate is trusted through the intermediate certificate, which is trusted through the Root CA.

    I believe AddTrust CA is built-in and just needs to be enabled.

    Tim



  • 6.  RE: server cert import question

    Posted May 16, 2013 02:06 PM

    I did enable the one built-in AddTrust CA but it didn't work. After importing the AddTrust CA from the link that clembo offered I now see two separate AddTrust certs in the Trust List. There may have been other reasons for the previous fail (didn't have the InCommon root CA either).

    Thanks everyone for your help! This did the trick and I appear to be A-ok with my InCommon cert now!!

    -Mike



  • 7.  RE: server cert import question

    Posted May 16, 2013 02:10 PM

    Mike, the certificates you loaded are public certs; there is no security risk. You need them in ClearPass (and any device for that matter) because ClearPass has to trust who signed its own certificate. By installing/enabling them, you are telling ClearPass you trust those issuers; thus you can import the certificate. Clients typically will validate the certificate chain to ensure the validity of your certificate, but that is independent of you adding those in.
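Added example, not from this thread or from ClearPass: a constructed three-tier chain (root CA, intermediate CA, appliance leaf) built with openssl, showing the exact situation described above. With only the root in the trust store the leaf does not verify because the issuing intermediate is missing; once the intermediate is supplied as well, the chain builds and verification succeeds. The CA names and the clearpass.example.test hostname are placeholders; it assumes the openssl CLI is installed.

```shell
#!/bin/sh
# Constructed demo: root -> intermediate -> leaf chain, then verify the leaf
# with and without the intermediate available (the "missing intermediate" case).
set -e
WORK=$(mktemp -d)

# Minimal req config so the demo does not depend on the system openssl.cnf.
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF

build_chain() {
  cd "$WORK"
  # 1. Self-signed root CA: the trust anchor (plays the role of the public root).
  openssl req -x509 -config req.cnf -extensions ca_ext -subj "/CN=Demo Root CA" \
    -newkey rsa:2048 -nodes -keyout root.key -out root.pem -days 30 2>/dev/null
  # 2. Intermediate CA signed by the root (plays the role of the issuing CA).
  openssl req -new -config req.cnf -subj "/CN=Demo Intermediate CA" \
    -newkey rsa:2048 -nodes -keyout int.key -out int.csr 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' > int.ext
  openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -extfile int.ext -out int.pem -days 30 2>/dev/null
  # 3. Appliance (leaf) certificate signed by the intermediate, server-auth only.
  openssl req -new -config req.cnf -subj "/CN=clearpass.example.test" \
    -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\n' > leaf.ext
  openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
    -extfile leaf.ext -out leaf.pem -days 30 2>/dev/null
}

# Trust store holds only the root; the intermediate is absent, so this fails.
verify_root_only() {
  openssl verify -CAfile "$WORK/root.pem" "$WORK/leaf.pem" >/dev/null 2>&1
}

# Root trusted and intermediate supplied: the full chain builds, so this succeeds.
verify_full_chain() {
  openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/int.pem" "$WORK/leaf.pem" >/dev/null 2>&1
}

build_chain
verify_root_only && echo "unexpected: leaf verified without intermediate" \
  || echo "root only: verify failed (intermediate missing)"
verify_full_chain && echo "root + intermediate: verify OK"
```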



  • 8.  RE: server cert import question

    Posted May 16, 2013 02:16 PM

    Thanks for this. I actually looked back at my InCommon email containing the cert and see that there are separate links for "cert only" or "cert plus intermediate", including a reversed version of the latter. It's possible the built-in AddTrust intermediate would have sufficed, but it may not have. We had issues last summer with Apple not including the particular AddTrust cert we used with InCommon in their cert store after their 10.8 upgrade. I believe that issue was eventually resolved by Apple adding the cert natively.

    Thanks again for your superior assistance!!