Wired

last person joined: 11 hours ago 

Bring performance and reliability to your network with the Aruba Core, Aggregation, and Access layer switches. Discuss the latest features and functionality of the ArubaOS-Switch and ArubaOS-CX devices, and find ways to improve security across your network to bring together a mobile first solution.
Expand all | Collapse all

Simple Steps to create the HTTPS Server certificate on ClearPass for your Switches!

Jump to Best Answer
This thread has been viewed 74 times
  • 1.  Simple Steps to create the HTTPS Server certificate on ClearPass for your Switches!

    Posted Sep 01, 2020 07:15 AM

    Good day!

    Simple Steps to create the HTTPS Server certificate on ClearPass for your Switches!

     

    As may know, https server certificate is must for Downloadable User Role also known as DUR. Please see simple steps to generate https server certificate on Clearpass.

     

    Step1: login to clearpass policy manager

    login to clearpass policy managerlogin to clearpass policy manager

     

     

    Step2: Click on Menu (right side corner) and then click onboard as below

     

    admin2.jpg

    admin3.jpg

     

    Step3: Click on Certificate Authorities, just follow below clicks to download clearpass certificate.

     

    admin4.jpg

     

    admin6.jpg

     

    admin7.jpg

     

    admin8.jpg

    Once you the certificate you can install on AOS-CX switches as below:

     

    6300-1-VSF# conf t
    6300-1-VSF(config)# crypto pki ta-profile DUR_clearpass
    6300-1-VSF(config-ta-DUR_clearpass)#
      end               End current mode and change to enable mode.
      exit              Exit current mode and change to previous mode
      list              Print command list
      no                Negate a command or set its defaults
      ocsp              Configure Online Certificate Status Protocol
      revocation-check  Configure revocation checking. (Default: no checking)
      show              Show running system information
      ta-certificate    Import a TA certificate in PEM format (Default: terminal)
    6300-1-VSF(config-ta-DUR_clearpass)# ta-certificate
    Paste the certificate in PEM format below, then hit enter and ctrl-D:
    6300-1-VSF(config-ta-cert)#
    -----BEGIN CERTIFICATE-----
    MIIEgzCCA2ugAwIBAgIBATANBgkqhkiG9w0BAQ0FADCByDELMAkGA1UEBhMCVVMx
    EzARBgNVBAgMCkNhbGlmb3JuaWExEjAQBgNVBAcMCVN1bm55dmFsZTEXMBUGA1UE
    CgwOQXJ1YmEgTmV0d29ya3MxNjA0BgNVBAMMLUNsZWFyUGFzcyBPbmJvYXJkIExv
    Y2FsIENlcnRpZmljYXRlIEF1dGhvcml0eTE/MD0GCSqGSIb3DQEJARYwZTMzZGNh
    OTgtM2RjNC00YWQ1LTgyYmMtZjE2NGEyYWQ5MjhhQGV4YW1wbGUuY29tMB4XDTE3
    MDYxOTExMTYxNloXDTI3MDYyMDExNDYxNlowgcgxCzAJBgNVBAYTAlVTMRMwEQYD
    VQQIDApDYWxpZm9ybmlhMRIwEAYDVQQHDAlTdW5ueXZhbGUxFzAVBgNVBAoMDkFy
    dWJhIE5ldHdvcmtzMTYwNAYDVQQDDC1DbGVhclBhc3MgT25ib2FyZCBMb2NhbCBD
    ZXJ0aWZpY2F0ZSBBdXRob3JpdHkxPzA9BgkqhkiG9w0BCQEWMGUzM2RjYTk4LTNk
    YzQtNGFkNS04MmJjLWYxNjRhMmFkOTI4YUBleGFtcGxlLmNvbTCCASIwDQYJKoZI
    hvcNAQEBBQADggEPADCCAQoCggEBALqsCtNmOtiRGJ5iTYYr/tbVLK5tBCvJ0bCH
    n0pAvzcRwyvh75Cgr5XG+5J6MoWMZIyBMQC9nbyf5N6ugKkvSrqiujBLUizerEJt
    0D0E9U/9+X8kDeTM5LFDwHHlav0dxHPyoSM6eAvYI2Bcp1Qgj0ZJRQ7A9EyyaIpr
    lGMK2YLXqF+C6A60diMm46bkv/qja1Y+0j7yvBF5c1iBYFI00QpIbpFKEn7T1cUW
    41d5TjkmctRIsDZzd3iHLZJK8MA/vDWTqs6n1WJBVs9VEXv4vagVrArWftx4JWsz
    tCYyPRW1EvCtZkl+kT7a21BhX4f/HHjXNyWVlsmLNnjt1GOkc+MCAwEAAaN2MHQw
    HQYDVR0OBBYEFIEmd8oioP2boMGEupxfFvvcKn9OMA8GA1UdDwEB/wQFAwMHhgAw
    DwYDVR0TAQH/BAUwAwEB/zAxBgNVHSUEKjAoBggrBgEFBQcDCQYIKwYBBQUHAwIG
    CCsGAQUFBwMBBggrBgEFBQcDAzANBgkqhkiG9w0BAQ0FAAOCAQEAm+tPlFDDScOE
    9cmUN1r7GQNx3fD6g0zb33Si3ik/buAHcHmejtAzkjjLXpwUHMPzUmRsQMM0ZnOZ
    CFfTgaHKeiQDQZn1lTOVFiFBe0aCmimRCUljeUTRSESEN5LLP1Y11hrFk1JIHwzZ
    nmPS8Do50N9c/3KWFJW46dpmIyebSPgVqGiOJDLBVKOhNtY5O7F7IdJnAhlDEn5E
    wdAHgRNx/TXAIAR+V41uq744YiWQF+A1tpQD4RUuNWYADTHYvwvXCIugiQRqwmYj
    PMq6IL8325kZzE4X0bLf96/YQqdYsgACXcfOG8Oqx1hTg2QBQMQKKOwVoVCXwzf9
    UpEnl3Uugg==
    -----END CERTIFICATE-----
    6300-1-VSF(config-ta-cert)#  -----> Press Ctrl+D

    AOS-CX switch is ready for DUR.

     

    Also you can find simple steps to configure DUR, LUR and more on below links:

     

    Regards,

    Yash

     



  • 2.  RE: Simple Steps to create the HTTPS Server certificate on ClearPass for your Switches!
    Best Answer

    Posted Sep 01, 2020 11:39 AM

    Please add very explicit text that says this is only for lab environments where proper certificates cannot be acquired. This should never be done in a production environment.



  • 3.  RE: Simple Steps to create the HTTPS Server certificate on ClearPass for your Switches!

    Posted Mar 05, 2021 08:23 AM
    ​Hello

    I have tried this with a 2930f switch but it does not seems to work.
    Does this only work with the CX series?
    i uploaded the certificate with the copy tftp command.
    Do i need to change the https certificate in clearpass aswell?





  • 4.  RE: Simple Steps to create the HTTPS Server certificate on ClearPass for your Switches!

    Posted Mar 05, 2021 05:42 PM
    CX allows you to copy/paste the certificate contents.

    With AOS-Switch you'll either need to upload it via tftp or you can use the automatic certificate download feature:

    https://techhub.hpe.com/eginfolib/Aruba/16.09/5200-5908/index.html#GUID-6B4867D7-B72F-40B6-8012-8542725CCF7A.html

    Make sure your ClearPass HTTPS server cert is signed by the root cert authority whose certificate the switch will download.

    ------------------------------
    Justin Noonan
    ------------------------------



  • 5.  RE: Simple Steps to create the HTTPS Server certificate on ClearPass for your Switches!

    Posted Mar 06, 2021 03:54 AM
    "Make sure your ClearPass HTTPS server cert is signed by the root cert authority whose certificate the switch will download."

    How do you do this? by just downloading the onboard certificate like in the example above? I tried this but it does not seems to work. Or am i missing somthing?



  • 6.  RE: Simple Steps to create the HTTPS Server certificate on ClearPass for your Switches!

    Posted Mar 08, 2021 11:41 AM

    Let's start by mentioning again that you should create your CPPM server certificate from Onboard only in lab environments. For production, get a certificate signed by a public root CA, or only if you don't use Guest and/or Onboard, from your corporate PKI.

    This is specific for Downloadable User Roles, which have the requirement that the switch should know the root CA that signed your ClearPass HTTPS certificate. Side-note, this also means you cannot use a self-signed certificate in this case, public cert if recommended.

    Then the second step is to install the 'trust anchor' certificate, which is the same as the root that signed your ClearPass HTTPS certificate, needs to be known at the switch. This is required to validate ClearPass when downloading the role which runs over HTTPS.

    For AOS-CX you paste the certificate as shown above in the last part (installation on the switches).

    ArubaOS Switches, and Instant APs will automatically download the certificate from ClearPass assuming you have fairly recent software versions (from top of my head CPPM 6.8+ and must be 16.08+ or so on the switch; just take CPPM 6.9.5 and 16.10 and it will work for sure).

    What happens automatically is that the ClearPass Root CA will be downloaded over the URL: http://your-clearpass.domain/.well-known/aruba/clearpass/https-root.pem (replace your-clearpass.domain with the IP or fqdn of your ClearPass server). So, if you have recent software versions, it is not needed to do it.

    For AOS-CX, I would recommend doing the same but manually:
    - Download the root certificate to your computer from http://your-clearpass.domain/.well-known/aruba/clearpass/https-root.pem
    - Open the downloaded pem file as text file (or copy the content from your browser)
    - Run the commands mentioned above and use what you have in the text file to paste as the certificate.

    The benefit of this approach is that this will always get the correct root CA, regardless if you had your ClearPass HTTPS certificate signed by a public CA (recommended) or private CA, or Onboard internal CA (deprecated, only use in labs where you can't do something else).



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
    ------------------------------



  • 7.  RE: Simple Steps to create the HTTPS Server certificate on ClearPass for your Switches!

    Posted Mar 08, 2021 01:14 PM
    Hi,

    Will it work if the CPPM server has a wildcard certificate installed for https?

    thanks

    ------------------------------
    Benjamin Milton
    ------------------------------



  • 8.  RE: Simple Steps to create the HTTPS Server certificate on ClearPass for your Switches!

    Posted Mar 08, 2021 03:04 PM
    Yes

    ------------------------------
    PowerArubaSW : Powershell Module to use Aruba Switch API for Vlan, VlanPorts, LACP, LLDP...

    PowerArubaCP: Powershell Module to use ClearPass API (create NAD, Guest...)

    PowerArubaCX: Powershell Module to use ArubaCX API (get interface/vlan/ports info)..

    ACEP / ACMX #107 / ACDX #1281
    ------------------------------



  • 9.  RE: Simple Steps to create the HTTPS Server certificate on ClearPass for your Switches!

    Posted Mar 16, 2021 02:14 PM
    When I visit the /.well-known/aruba/clearpass/https-root.pem it doesn't actually show the same certificate that I'm using for HTTPS access on the Administration > Certificates > Certificate Store > HTTPS Server Certificate.  It shows a different cert that is in my trust list.  Have you seen that?  Are there other options to download via a url than the "https-root.pem"?  How does it know which cert to grab?

    ------------------------------
    Brian Reed
    ------------------------------



  • 10.  RE: Simple Steps to create the HTTPS Server certificate on ClearPass for your Switches!

    Posted Mar 16, 2021 03:59 PM
    Never...

    you get the root certificate of HTTPS certificate (not the certificate of CPPM)

    What CPPM release ?

    ------------------------------
    PowerArubaSW : Powershell Module to use Aruba Switch API for Vlan, VlanPorts, LACP, LLDP...

    PowerArubaCP: Powershell Module to use ClearPass API (create NAD, Guest...)

    PowerArubaCX: Powershell Module to use ArubaCX API (get interface/vlan/ports info)..

    ACEP / ACMX #107 / ACDX #1281
    ------------------------------



  • 11.  RE: Simple Steps to create the HTTPS Server certificate on ClearPass for your Switches!

    Posted Mar 16, 2021 04:17 PM

    Thanks for the reply!

     

    When I view HTTPS Server Certificate I have the chain

    Cert – Intermediate – Intermediate– Root

     

    When I view the https-root.pem via the browser url and save as pem and view it is just the root.  Maybe that's normal?  But in AOS-CX it is showing "Installed, Malformed" but browsing via https the cert shows as ok.

     

     






  • 12.  RE: Simple Steps to create the HTTPS Server certificate on ClearPass for your Switches!

    Posted Mar 17, 2021 05:12 AM
    It is expected that you only get the root, the intermediates are sent during the SSL session-setup by the ClearPass. So, no need for any intermediates to be installed on the switch. The 'good thing' about using that well-known-URL is that you always get the correct certificate, it now seems that there is something wrong with that root.

    Can you share your root CA cert as retrieved from ClearPass? I can try to import it in my switch and see what is possibly wrong.
    In parallel, please open a case with Aruba TAC support if you need a prompt resolution.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
    ------------------------------



  • 13.  RE: Simple Steps to create the HTTPS Server certificate on ClearPass for your Switches!

    Posted Mar 17, 2021 09:01 AM

    When I paste in JUST the root cert it doesn't accept it – it gives me the following error:  "A signer certificate is not set for signing in its Key Usage extension. Not accepted."

     

    I got it from GoDaddy (https://certs.godaddy.com/repository/gd-class2-root.crt)  when I paste that (exactly what clearpass shows me) it gives that error.  When I paste the cert, the two intermediates, and the root it seems to work but it only shows the intermediate directly signed by this root. 

     






  • 14.  RE: Simple Steps to create the HTTPS Server certificate on ClearPass for your Switches!

    Posted Mar 16, 2021 04:19 PM

    Sorry, CPPM version 6.8.6

     






  • 15.  RE: Simple Steps to create the HTTPS Server certificate on ClearPass for your Switches!

    Posted Mar 17, 2021 11:27 AM

    Ok, our fault!!  Apparently the cert chain had the wrong root cert.  Clearpass did the right thing and showed the root cert that I uploaded, it was just the wrong one.  The weird thing is that visiting the page via https didn't show an issue with the cert.  Thanks for your time!

     






  • 16.  RE: Simple Steps to create the HTTPS Server certificate on ClearPass for your Switches!

    Posted Mar 17, 2021 04:17 PM
    Thanks for feedback!

    ------------------------------
    PowerArubaSW : Powershell Module to use Aruba Switch API for Vlan, VlanPorts, LACP, LLDP...

    PowerArubaCP: Powershell Module to use ClearPass API (create NAD, Guest...)

    PowerArubaCX: Powershell Module to use ArubaCX API (get interface/vlan/ports info)..

    ACEP / ACMX #107 / ACDX #1281
    ------------------------------