AAA, NAC, Guest Access & BYOD


Solutions for legacy and existing products and solutions, including Clearpass, CPPM, OnBoard, OnGuard, Guest, QuickConnect, AirGroup, and Introspect

Support dual RSA and ECC HTTPS server certificates in CPPM 

Dec 21, 2021 03:12 AM

Q:

Support RSA and ECC HTTPS server certificates in CPPM



A:
  • ClearPass Policy Manager Version 6.10 now supports two different types of HTTPS certificates, HTTPS(ECC) and HTTPS(RSA). These certificate types can be created and managed at Administration > Certificates > Certificate Store.

--> HTTPS (ECC) Server Certificates (HTTPS using Elliptic Curve Cryptography)

--> HTTPS (RSA) Server Certificates (HTTPS using RSA Cryptography)

 

 

  • To see which type of HTTPS server certificate is currently in use, click "View Details" on the certificate and check the "Public Key Algorithm" field.

 

 

  • If your deployment used an HTTPS certificate with an ECC key type in previous versions of Policy Manager, then when upgrading to Policy Manager 6.10, a self-signed RSA certificate will be generated for HTTPS(RSA) and the old ECC certificate will be migrated to HTTPS(ECC). In this scenario, after migration, HTTPS(RSA) will be disabled and only the HTTPS(ECC) certificate will be enabled.
  • If your deployment used an HTTPS certificate with an RSA key type in previous versions of Policy Manager, then when upgrading to Policy Manager 6.10, a self-signed ECC certificate will be generated for HTTPS(ECC) and the old RSA certificate will be migrated to HTTPS(RSA). In this scenario, after migration, HTTPS(ECC) will be disabled and only the HTTPS(RSA) certificate will be enabled.
  • HTTPS(ECC) and HTTPS(RSA) certificates can be enabled or disabled, but both certificate types cannot be disabled at the same time.
  • If both HTTPS(ECC) and HTTPS(RSA) certificates are enabled, any client that supports ECC ciphers will get the HTTPS(ECC) certificate when contacting ClearPass. If you enable ECC certificates, client trust lists should be updated accordingly.
  • The RSA certificate will be used for the rest of the communication.
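
One way to confirm from a client which certificate type ClearPass presents after the upgrade, as an added example that is not part of the original article or of ClearPass itself: it handshakes twice over TLS 1.2, once offering only ECDSA suites and once only RSA suites, and prints the negotiated suite and the SHA-256 of the presented certificate so it can be matched against the entry in the Certificate Store. The profile and function names are hypothetical, the host is taken from the command line, port 443 is assumed, and reading a failed probe as "that certificate type did not answer" is an inference, since a handshake can also fail for other reasons.

```python
import hashlib
import socket
import ssl
import sys

# TLS 1.2 suite names reveal the certificate key type (TLS 1.3 names do not).
PROFILES = {  # constructed client profiles
    "ecc": "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384",
    "rsa": "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384",
}

def served_type(cipher_name):
    """Map a negotiated suite name to the certificate type behind it."""
    for prefix, kind in (("ECDHE-ECDSA-", "HTTPS(ECC)"), ("ECDHE-RSA-", "HTTPS(RSA)")):
        if cipher_name and cipher_name.startswith(prefix):
            return kind
    return None  # failed handshake, or a name that hides the key type

def probe(host, profile, port=443, timeout=5.0):
    """Handshake as one profile; return (suite name, certificate SHA-256)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # inspection only: the upgrade may have
    ctx.verify_mode = ssl.CERT_NONE  # generated a self-signed certificate
    ctx.minimum_version = ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(PROFILES[profile])
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                der = tls.getpeercert(binary_form=True)
                return tls.cipher()[0], hashlib.sha256(der).hexdigest()
    except (ssl.SSLError, OSError):
        return None, None

def interpret(ecc_cipher, rsa_cipher):
    """Summarise which certificate types answered (an inference, see lead-in)."""
    ecc = served_type(ecc_cipher) == "HTTPS(ECC)"
    rsa = served_type(rsa_cipher) == "HTTPS(RSA)"
    if ecc and rsa:
        return "both enabled: ECC-capable clients need the ECC chain in their trust list"
    if ecc:
        return "only HTTPS(ECC) answered: RSA-only clients cannot connect"
    if rsa:
        return "only HTTPS(RSA) answered"
    return "inconclusive: neither probe completed"

if __name__ == "__main__" and len(sys.argv) > 1:
    results = {name: probe(sys.argv[1], name) for name in PROFILES}
    for name, (cipher, digest) in results.items():
        print(name, served_type(cipher), cipher, digest)
    print(interpret(results["ecc"][0], results["rsa"][0]))
```

Certificate verification is switched off only so the probe can read whatever certificate is presented; it is a diagnostic, not a client configuration to deploy.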
