Security

Occasional Contributor II
Posts: 12
Registered: ‎10-08-2014

wildcard

Hi All -

I am looking for a way to use a wildcard in ClearPass.  When I am creating the CSR from CP, I am trying to use *.domainname.com in the common name field, and it doesn't like it.  Typically, and in the past when using GoDaddy certs, I needed to use or create a cert with the "*" in the leading label for this to work.

Anyone have any idea what to place in the CSR when using a wildcard cert??

Guru Elite
Posts: 8,634
Registered: ‎09-08-2010

Re: wildcard

Is this for RADIUS or https?

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor II
Posts: 12
Registered: ‎10-08-2014

Re: wildcard

https

Guru Elite
Posts: 8,634
Registered: ‎09-08-2010

Re: wildcard

You'll need to create a CSR from another system to use a wildcard (IIS, OpenSSL, etc.).


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor II
Posts: 12
Registered: ‎10-08-2014

Re: wildcard

Just dandy - at least my Mac has OpenSSL ready to go!

Thanks!

Aruba
Posts: 1,644
Registered: ‎04-13-2009

Re: wildcard

You can also put the wildcard in the Subject Alternative Name field within the CPPM CSR creation:

CN=   server.domain.com

SAN=  DNS:*.domain.com

------------------------------------------------
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX

Occasional Contributor II
Posts: 12
Registered: ‎10-08-2014

Re: wildcard

[ Edited ]

All - I figured this out, a bit interesting, but nonetheless....

When you use a certificate created off of the controller and need to import it, I had to chain the certificate and the private key together and export as a PFX type certificate.  So, if you download a certificate from GoDaddy you will get the cert and the gd_bundle cert (you will need this as well).

Once you have the two certificates from GoDaddy, you need to use OpenSSL (I am on a Mac and it's already there).  I then ran the following:

openssl pkcs12 -export -out glcwild.pfx -inkey glcwild.key -in glcwild.crt -certfile gd_bundle-g2-g1.crt

So below are the key explanations:

glcwild.pfx:   (output generated by running the above)

glcwild.key:  (private key generated with the CSR from OpenSSL)

glcwild.crt:    (the cert that was sent to me from GoDaddy)

gd_bundle-g2-g1.crt:  (the GoDaddy intermediate certificate sent with the cert)

So - if you want to install a wildcard, for example, across your controllers, below are the steps:

1. Use a tool like OpenSSL and create a CSR / private key (see example below)

      openssl req -nodes -newkey rsa:2048 -sha1 -keyout glcwild.key -out glcwild.csr

2. Take the .csr (created above) and go to an SSL certificate authority (GoDaddy, Verisign, etc.)

3. Upload the .csr and "strike" it against the certificate authority (CA) to create the certificate you need

4. Complete the CA's requirements to prove identity (if needed)

5. Run the above OpenSSL command to combine ("chain") your private key and certificate into a single PFX file for the controller to use.

6. Install the GD Bundle .crt on the controller (not sure if this is needed, but I did anyway)

7. Install the new .pfx file into the controller (in the web UI:  Configuration > Management > Certificates > Upload; be sure to change the type to PFX, and keep track of the name you give it)

8. Once you import, you will have to tell the web server to use that certificate using the CLI (see below)

      SSH to controller > configure terminal > enable > type: web-server > type: switch-cert <name you gave cert above in step 7>

**Edited / added steps 7 and 8 after initial post**

If you attempted to mess around (as I did) and played around trying to see if you could get it, I accidentally created a CSR on the controller.  If you did this, you will need to run the following command on the CLI of the controller:    restore factory_default certificate

This will delete the CSR and will now allow you to upload the certificates.

I hope this helps someone else. Certificates and SSL can be a pain in the neck.  Each vendor has their own way, but most will allow you to import a .crt and the private .key together and they will do the chaining.  It just looks as if Aruba's controllers want you to chain them first!
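As an added example (not code from any poster in this thread, nor Aruba's), here is a POSIX shell script that runs the procedure above end to end with a check at each step: a CSR whose CN is a plain hostname and whose wildcard lives in the Subject Alternative Name, as the Aruba SE's reply suggested; a constructed stand-in for the CA-issued certificate and its intermediate bundle; a check that the private key and certificate belong together; and the same `openssl pkcs12 -export` bundling as step 5. The domain `example.com`, the file names, the export password and the self-signed "CA" are all placeholders I constructed; in real use the certificate and bundle come back from the CA as described in steps 2 to 4. The CSR is signed with `-sha256` rather than the `-sha1` in step 1, since SHA-1 is deprecated.

```shell
#!/bin/sh
# Added example, not part of the original thread. Every name below is a
# constructed placeholder: swap in your own domain, CA-issued cert and bundle.
set -eu

WORK="${WORK:-$(mktemp -d)}"     # scratch directory for all generated files
DOMAIN="example.com"              # assumption: placeholder domain
PFX_PASS="changeit"               # assumption: placeholder PKCS#12 password

# Step 1: private key + CSR. The CN is a normal hostname; the wildcard goes in
# the SAN, which is what TLS clients actually match (the CN alone is ignored by
# modern browsers). Using a config file avoids relying on -addext support.
make_wildcard_csr() {
    cat > "$WORK/req.cnf" <<EOF
[req]
distinguished_name = dn
req_extensions = ext
prompt = no
[dn]
CN = cppm.$DOMAIN
O = Example Org
[ext]
subjectAltName = DNS:*.$DOMAIN, DNS:$DOMAIN
EOF
    openssl req -new -nodes -newkey rsa:2048 -sha256 \
        -config "$WORK/req.cnf" \
        -keyout "$WORK/wild.key" -out "$WORK/wild.csr" 2>/dev/null
}

# Verify the CSR really carries the wildcard before sending it to the CA.
csr_has_wildcard_san() {
    openssl req -in "$WORK/wild.csr" -noout -text | grep -q "DNS:\*\.$DOMAIN"
}

# Steps 2-4 stand-in: self-sign the CSR (keeping its SAN) and fabricate an
# "intermediate" so the -certfile path is exercised. A real CA returns both.
issue_stand_in_cert() {
    openssl x509 -req -days 30 -sha256 \
        -in "$WORK/wild.csr" -signkey "$WORK/wild.key" \
        -extfile "$WORK/req.cnf" -extensions ext \
        -out "$WORK/wild.crt" 2>/dev/null
    openssl req -x509 -nodes -newkey rsa:2048 -sha256 -days 30 \
        -subj "/CN=Constructed Intermediate" \
        -keyout "$WORK/ca.key" -out "$WORK/bundle.crt" 2>/dev/null
}

# Before bundling: the public key in the cert must match the private key,
# otherwise the controller will accept the upload but TLS handshakes fail.
key_matches_cert() {
    k=$(openssl pkey -in "$WORK/wild.key" -pubout 2>/dev/null | openssl sha256)
    c=$(openssl x509 -in "$WORK/wild.crt" -pubkey -noout | openssl sha256)
    [ "$k" = "$c" ]
}

# Step 5: the thread's pkcs12 command, password supplied non-interactively.
bundle_pfx() {
    openssl pkcs12 -export -out "$WORK/wild.pfx" \
        -inkey "$WORK/wild.key" -in "$WORK/wild.crt" \
        -certfile "$WORK/bundle.crt" -passout "pass:$PFX_PASS"
}

# Sanity check on the artifact you are about to upload: it opens with the
# password and contains the private key.
pfx_contains_key() {
    openssl pkcs12 -in "$WORK/wild.pfx" -nocerts -nodes \
        -passin "pass:$PFX_PASS" 2>/dev/null | grep -q "PRIVATE KEY"
}

run_all() {
    make_wildcard_csr && csr_has_wildcard_san && issue_stand_in_cert \
        && key_matches_cert && bundle_pfx && pfx_contains_key
}

if [ "${RUN_EXAMPLE:-0}" = 1 ]; then
    run_all && echo "PFX written to $WORK/wild.pfx"
fi
```

Run it with `RUN_EXAMPLE=1 sh wildcard-pfx.sh` (file name is mine); the generated files are left in `$WORK` for inspection with `openssl req -text` and `openssl pkcs12 -info`. One caveat worth knowing when the controller rejects the upload: OpenSSL 3 writes PKCS#12 files with AES-256-CBC and PBKDF2 by default, and appliances that only understand the older RC2/3DES encoding need the file exported with OpenSSL 3's `-legacy` option.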