Simple Steps to create the HTTPS Server certificate on ClearPass for your Switches!
As you may know, an HTTPS server certificate is a must for Downloadable User Role, also known as DUR. Please see the simple steps below to generate the HTTPS server certificate on ClearPass.
Step 1: Log in to ClearPass Policy Manager.
Step 2: Click on Menu (right side corner) and then click Onboard as below.
Step 3: Click on Certificate Authorities; just follow the clicks below to download the ClearPass certificate.
Once you have the certificate, you can install it on AOS-CX switches as below:
6300-1-VSF# conf t
6300-1-VSF(config)# crypto pki ta-profile DUR_clearpass
6300-1-VSF(config-ta-DUR_clearpass)# ?
  end              End current mode and change to enable mode.
  exit             Exit current mode and change to previous mode
  list             Print command list
  no               Negate a command or set its defaults
  ocsp             Configure Online Certificate Status Protocol
  revocation-check Configure revocation checking. (Default: no checking)
  show             Show running system information
  ta-certificate   Import a TA certificate in PEM format (Default: terminal)
6300-1-VSF(config-ta-DUR_clearpass)# ta-certificate
Paste the certificate in PEM format below, then hit enter and ctrl-D:
6300-1-VSF(config-ta-cert)# <paste the PEM text of the downloaded certificate, press Enter, then Ctrl+D>
The AOS-CX switch is ready for DUR.
You can also find simple steps to configure DUR, LUR and more at the links below:
Please add very explicit text that says this is only for lab environments where proper certificates cannot be acquired. This should never be done in a production environment.
Let's start by mentioning again that you should create your CPPM server certificate from Onboard only in lab environments. For production, get a certificate signed by a public root CA, or, only if you don't use Guest and/or Onboard, from your corporate PKI.

This is specific for Downloadable User Roles, which have the requirement that the switch should know the root CA that signed your ClearPass HTTPS certificate. Side note: this also means you cannot use a self-signed certificate in this case; a public cert is recommended.

Then the second step is to install the 'trust anchor' certificate, which is the same as the root that signed your ClearPass HTTPS certificate; it needs to be known at the switch. This is required to validate ClearPass when downloading the role, which runs over HTTPS.

For AOS-CX you paste the certificate as shown above in the last part (installation on the switches). ArubaOS Switches and Instant APs will automatically download the certificate from ClearPass, assuming you have fairly recent software versions (from the top of my head CPPM 6.8+ and 16.08+ or so on the switch; just take CPPM 6.9.5 and 16.10 and it will work for sure).

What happens automatically is that the ClearPass Root CA will be downloaded over the URL: http://your-clearpass.domain/.well-known/aruba/clearpass/https-root.pem (replace your-clearpass.domain with the IP or FQDN of your ClearPass server).

So, if you have recent software versions, it is not needed to do it. For AOS-CX, I would recommend doing the same but manually:
- Download the root certificate to your computer from http://your-clearpass.domain/.well-known/aruba/clearpass/https-root.pem
- Open the downloaded PEM file as a text file (or copy the content from your browser)
- Run the commands mentioned above and use what you have in the text file to paste as the certificate.
The benefit of this approach is that this will always get the correct root CA, regardless of whether you had your ClearPass HTTPS certificate signed by a public CA (recommended), a private CA, or the Onboard internal CA (deprecated, only use in labs where you can't do something else).
Thanks for the reply!
When I view the HTTPS Server Certificate I have the chain:
Cert - Intermediate - Intermediate - Root
When I view the https-root.pem via the browser URL and save it as PEM and view it, it is just the root. Maybe that's normal? But in AOS-CX it is showing "Installed, Malformed", while browsing via HTTPS the cert shows as OK.
When I paste in JUST the root cert it doesn't accept it – it gives me the following error: "A signer certificate is not set for signing in its Key Usage extension. Not accepted."
I got it from GoDaddy (https://certs.godaddy.com/repository/gd-class2-root.crt). When I paste that (exactly what ClearPass shows me) it gives that error. When I paste the cert, the two intermediates, and the root it seems to work, but it only shows the intermediate directly signed by this root.
Sorry, CPPM version 6.8.6
Ok, our fault!! Apparently the cert chain had the wrong root cert. ClearPass did the right thing and showed the root cert that I uploaded; it was just the wrong one. The weird thing is that visiting the page via HTTPS didn't show an issue with the cert. Thanks for your time!
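Two things went wrong in this thread: a PEM whose Key Usage lacked certificate signing was rejected by the switch, and the uploaded chain carried the wrong root. The script below is an added example (not code from the thread or from Aruba) that checks a candidate trust anchor with the openssl CLI before it is pasted into the switch: it confirms the PEM is a CA with keyCertSign and that the ClearPass HTTPS chain actually validates against it. The make_demo_pki helper builds a constructed lab chain so the check runs offline; every file name is hypothetical.

```shell
#!/bin/sh
# Added example, not code from the thread or from Aruba. Checks a candidate
# trust-anchor PEM before it is pasted into 'ta-certificate' on AOS-CX:
#  1. it must be a CA certificate whose Key Usage includes keyCertSign
#     (the "Key Usage extension ... Not accepted" symptom otherwise);
#  2. the ClearPass HTTPS chain (leaf first, intermediates after) must verify
#     against it, which catches the "wrong root in the chain" case.
# Needs the openssl CLI; all file names below are hypothetical.
set -eu

# check_trust_anchor ROOT.pem CHAIN.pem -> returns 0 (OK) or 1 (REJECT + reason)
check_trust_anchor() {
  root=$1 chain=$2
  txt=$(openssl x509 -in "$root" -noout -text 2>/dev/null) ||
    { echo "REJECT: $root is not a parseable PEM certificate"; return 1; }
  case $txt in *"CA:TRUE"*) ;; *) echo "REJECT: $root is not a CA certificate"; return 1 ;; esac
  echo "$txt" | grep -A1 'X509v3 Key Usage' | grep -q 'Certificate Sign' ||
    { echo "REJECT: keyCertSign missing from Key Usage of $root"; return 1; }
  tmp=$(mktemp -d)
  # First PEM block of the chain is the server (leaf) cert, the rest are intermediates.
  awk -v d="$tmp" '/BEGIN CERT/{n++} n>=1{print > ((n==1) ? d "/leaf.pem" : d "/inter.pem")}' "$chain"
  untrusted=""; [ -s "$tmp/inter.pem" ] && untrusted="-untrusted $tmp/inter.pem"
  if openssl verify -CAfile "$root" $untrusted "$tmp/leaf.pem" >/dev/null 2>&1; then
    rc=0; echo "OK: $root is the root of the chain in $chain"
  else
    rc=1; echo "REJECT: chain in $chain does not validate against $root (wrong root?)"
  fi
  rm -rf "$tmp"; return $rc
}

# make_demo_pki DIR: constructed lab PKI standing in for the ClearPass chain
# (root -> inter -> cppm.lab.example) plus an unrelated root for the negative case.
make_demo_pki() {
  d=$1; mkdir -p "$d"; c="$d/x.cnf"
  printf '[req]\ndistinguished_name=dn\n[dn]\n[ca]\nbasicConstraints=critical,CA:TRUE\n' > "$c"
  printf 'keyUsage=critical,keyCertSign,cRLSign\n[leaf]\nbasicConstraints=CA:FALSE\n' >> "$c"
  printf 'keyUsage=digitalSignature\nextendedKeyUsage=serverAuth\n' >> "$c"
  for n in root other-root; do
    openssl req -x509 -config "$c" -extensions ca -subj "/CN=$n" -days 1 -newkey rsa:2048 \
      -nodes -keyout "$d/$n.key" -out "$d/$n.pem" 2>/dev/null
  done
  for spec in "inter:root:ca" "cppm.lab.example:inter:leaf"; do   # name:issuer:extensions
    name=${spec%%:*}; rest=${spec#*:}; issuer=${rest%%:*}; ext=${rest#*:}
    openssl req -new -config "$c" -subj "/CN=$name" -newkey rsa:2048 -nodes \
      -keyout "$d/$name.key" -out "$d/$name.csr" 2>/dev/null
    openssl x509 -req -in "$d/$name.csr" -CA "$d/$issuer.pem" -CAkey "$d/$issuer.key" \
      -CAcreateserial -days 1 -extfile "$c" -extensions "$ext" -out "$d/$name.pem" 2>/dev/null
  done
  cat "$d/cppm.lab.example.pem" "$d/inter.pem" > "$d/chain.pem"   # leaf + intermediates
}
```

With a real ClearPass, save the well-known https-root.pem as root.pem and the server certificate plus its intermediates (as exported from ClearPass or the browser) as chain.pem, then run check_trust_anchor root.pem chain.pem.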
© Copyright 2021 Hewlett Packard Enterprise Development LP. All Rights Reserved.