Is there a way to generate server certificates in a multi-controller environment?

By esupport posted Jul 30, 2015 08:53 AM


Is there a way to generate server certificates in a multi-controller environment? 


1.  For PEAP, only the Radius Server needs a certificate, not the controller.  Managing a certificate for each controller for 802.1x when you can  alternatively manage a single certificate for each radius server is a mistake.


2.  For Captive Portal, if you don't want your guest or company users to have an untrusted error every time they hit the captive portal you will need a public certificate that all your users will trust.  That could either involve (1) A  different certificate for each controller with the subject being the fqdn of each controller or (2) a single, identical certificate that has the SAN or Subject ALT Name filled out with the FQDN of each controller listed in the SAN field (


Here is an example of a cert with multiple fqdns in the Subject Alternative Name field below:  Of course, you will have to pay for each SAN that you have added to the certificate.  If you will have an environment where you have a VRRP and that is the ip address that the clients will be redirected to, you should make the SAN point to the VRRP.


A document on certificates that is specifically geared toward ClearPass, instead of controllers is here:  Certificates 101 V1.0  It speaks to certificates on ClearPass, but the concepts are the same...



We can use ClearPass server to generate the CSR, where the CN is named after the 1st controller, which included all the Subject Alternate Names (SANs) for the other 3 controllers as well as the master controllers (in case of an N+1 failover).  This allows to save/export the private key as a file.


After submitting the CSR for a UCC and after receiving the cert,  then proceed to chain the cert to include server, all intermediate and root CAs.  Then copy the chained cert as well as the private key file to a MacBook so that we can use OpenSSL to create a PFX formatted cert as follows:


sudo openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.pem


Once this generated a PFX cert,  upload it to all controllers and used it under Configuration > Management > General for both “WebUI Management Authentication Method” as well as “Captive Portal Certificate” (even though the ClearPass Guest captive portal is using a different cert for the captive portal page itself).