Wired Intelligent Edge

 View Only
last person joined: yesterday 

Bring performance and reliability to your network with the HPE Aruba Networking Core, Aggregation, and Access layer switches. Discuss the latest features and functionality of your switching devices, and find ways to improve security across your network to bring together a mobile-first solution
Back to discussions
Expand all | Collapse all

Simple Steps to create the HTTPS Server certificate on ClearPass for your Switches!

This thread has been viewed 163 times

  • 1.  Simple Steps to create the HTTPS Server certificate on ClearPass for your Switches!

    EMPLOYEE
    Posted Sep 01, 2020 07:15 AM

    Good day!

    Simple Steps to create the HTTPS Server certificate on ClearPass for your Switches!

     

    As may know, https server certificate is must for Downloadable User Role also known as DUR. Please see simple steps to generate https server certificate on Clearpass.

     

    Step1: login to clearpass policy manager

    login to clearpass policy managerlogin to clearpass policy manager

     

     

    Step2: Click on Menu (right side corner) and then click onboard as below

     

    admin2.jpg

    admin3.jpg

     

    Step3: Click on Certificate Authorities, just follow below clicks to download clearpass certificate.

     

    admin4.jpg

     

    admin6.jpg

     

    admin7.jpg

     

    admin8.jpg

    Once you the certificate you can install on AOS-CX switches as below:

     

    6300-1-VSF# conf t
6300-1-VSF(config)# crypto pki ta-profile DUR_clearpass
6300-1-VSF(config-ta-DUR_clearpass)#
  end               End current mode and change to enable mode.
  exit              Exit current mode and change to previous mode
  list              Print command list
  no                Negate a command or set its defaults
  ocsp              Configure Online Certificate Status Protocol
  revocation-check  Configure revocation checking. (Default: no checking)
  show              Show running system information
  ta-certificate    Import a TA certificate in PEM format (Default: terminal)
6300-1-VSF(config-ta-DUR_clearpass)# ta-certificate
Paste the certificate in PEM format below, then hit enter and ctrl-D:
6300-1-VSF(config-ta-cert)#
-----BEGIN CERTIFICATE-----
MIIEgzCCA2ugAwIBAgIBATANBgkqhkiG9w0BAQ0FADCByDELMAkGA1UEBhMCVVMx
EzARBgNVBAgMCkNhbGlmb3JuaWExEjAQBgNVBAcMCVN1bm55dmFsZTEXMBUGA1UE
CgwOQXJ1YmEgTmV0d29ya3MxNjA0BgNVBAMMLUNsZWFyUGFzcyBPbmJvYXJkIExv
Y2FsIENlcnRpZmljYXRlIEF1dGhvcml0eTE/MD0GCSqGSIb3DQEJARYwZTMzZGNh
OTgtM2RjNC00YWQ1LTgyYmMtZjE2NGEyYWQ5MjhhQGV4YW1wbGUuY29tMB4XDTE3
MDYxOTExMTYxNloXDTI3MDYyMDExNDYxNlowgcgxCzAJBgNVBAYTAlVTMRMwEQYD
VQQIDApDYWxpZm9ybmlhMRIwEAYDVQQHDAlTdW5ueXZhbGUxFzAVBgNVBAoMDkFy
dWJhIE5ldHdvcmtzMTYwNAYDVQQDDC1DbGVhclBhc3MgT25ib2FyZCBMb2NhbCBD
ZXJ0aWZpY2F0ZSBBdXRob3JpdHkxPzA9BgkqhkiG9w0BCQEWMGUzM2RjYTk4LTNk
YzQtNGFkNS04MmJjLWYxNjRhMmFkOTI4YUBleGFtcGxlLmNvbTCCASIwDQYJKoZI
hvcNAQEBBQADggEPADCCAQoCggEBALqsCtNmOtiRGJ5iTYYr/tbVLK5tBCvJ0bCH
n0pAvzcRwyvh75Cgr5XG+5J6MoWMZIyBMQC9nbyf5N6ugKkvSrqiujBLUizerEJt
0D0E9U/9+X8kDeTM5LFDwHHlav0dxHPyoSM6eAvYI2Bcp1Qgj0ZJRQ7A9EyyaIpr
lGMK2YLXqF+C6A60diMm46bkv/qja1Y+0j7yvBF5c1iBYFI00QpIbpFKEn7T1cUW
41d5TjkmctRIsDZzd3iHLZJK8MA/vDWTqs6n1WJBVs9VEXv4vagVrArWftx4JWsz
tCYyPRW1EvCtZkl+kT7a21BhX4f/HHjXNyWVlsmLNnjt1GOkc+MCAwEAAaN2MHQw
HQYDVR0OBBYEFIEmd8oioP2boMGEupxfFvvcKn9OMA8GA1UdDwEB/wQFAwMHhgAw
DwYDVR0TAQH/BAUwAwEB/zAxBgNVHSUEKjAoBggrBgEFBQcDCQYIKwYBBQUHAwIG
CCsGAQUFBwMBBggrBgEFBQcDAzANBgkqhkiG9w0BAQ0FAAOCAQEAm+tPlFDDScOE
9cmUN1r7GQNx3fD6g0zb33Si3ik/buAHcHmejtAzkjjLXpwUHMPzUmRsQMM0ZnOZ
CFfTgaHKeiQDQZn1lTOVFiFBe0aCmimRCUljeUTRSESEN5LLP1Y11hrFk1JIHwzZ
nmPS8Do50N9c/3KWFJW46dpmIyebSPgVqGiOJDLBVKOhNtY5O7F7IdJnAhlDEn5E
wdAHgRNx/TXAIAR+V41uq744YiWQF+A1tpQD4RUuNWYADTHYvwvXCIugiQRqwmYj
PMq6IL8325kZzE4X0bLf96/YQqdYsgACXcfOG8Oqx1hTg2QBQMQKKOwVoVCXwzf9
UpEnl3Uugg==
-----END CERTIFICATE-----
6300-1-VSF(config-ta-cert)#  -----> Press Ctrl+D

    AOS-CX switch is ready for DUR.

     

    Also you can find simple steps to configure DUR, LUR and more on below links:

     

    Regards,

    Yash

     



  • 2.  RE: Simple Steps to create the HTTPS Server certificate on ClearPass for your Switches!
    Best Answer

    MVP EXPERT
    Posted Sep 01, 2020 11:39 AM

    Please add very explicit text that says this is only for lab environments where proper certificates cannot be acquired. This should never be done in a production environment.



  • 3.  RE: Simple Steps to create the HTTPS Server certificate on ClearPass for your Switches!

    Posted Mar 05, 2021 08:23 AM
    ​Hello

    I have tried this with a 2930f switch but it does not seems to work.
    Does this only work with the CX series?
    i uploaded the certificate with the copy tftp command.
    Do i need to change the https certificate in clearpass aswell?



    Original Message


  • 4.  RE: Simple Steps to create the HTTPS Server certificate on ClearPass for your Switches!

    EMPLOYEE
    Posted Mar 05, 2021 05:42 PM
    CX allows you to copy/paste the certificate contents.

    With AOS-Switch you'll either need to upload it via tftp or you can use the automatic certificate download feature:

    https://techhub.hpe.com/eginfolib/Aruba/16.09/5200-5908/index.html#GUID-6B4867D7-B72F-40B6-8012-8542725CCF7A.html

    Make sure your ClearPass HTTPS server cert is signed by the root cert authority whose certificate the switch will download.

    ------------------------------
    Justin Noonan
    ------------------------------

    Original Message


  • 5.  RE: Simple Steps to create the HTTPS Server certificate on ClearPass for your Switches!

    Posted Mar 06, 2021 03:54 AM
    "Make sure your ClearPass HTTPS server cert is signed by the root cert authority whose certificate the switch will download."

    How do you do this? by just downloading the onboard certificate like in the example above? I tried this but it does not seems to work. Or am i missing somthing?
    Original Message


  • 6.  RE: Simple Steps to create the HTTPS Server certificate on ClearPass for your Switches!

    EMPLOYEE
    Posted Mar 08, 2021 11:41 AM

    Let's start by mentioning again that you should create your CPPM server certificate from Onboard only in lab environments. For production, get a certificate signed by a public root CA, or only if you don't use Guest and/or Onboard, from your corporate PKI.

    This is specific for Downloadable User Roles, which have the requirement that the switch should know the root CA that signed your ClearPass HTTPS certificate. Side-note, this also means you cannot use a self-signed certificate in this case, public cert if recommended.

    Then the second step is to install the 'trust anchor' certificate, which is the same as the root that signed your ClearPass HTTPS certificate, needs to be known at the switch. This is required to validate ClearPass when downloading the role which runs over HTTPS.

    For AOS-CX you paste the certificate as shown above in the last part (installation on the switches).

    ArubaOS Switches, and Instant APs will automatically download the certificate from ClearPass assuming you have fairly recent software versions (from top of my head CPPM 6.8+ and must be 16.08+ or so on the switch; just take CPPM 6.9.5 and 16.10 and it will work for sure).

    What happens automatically is that the ClearPass Root CA will be downloaded over the URL: http://your-clearpass.domain/.well-known/aruba/clearpass/https-root.pem (replace your-clearpass.domain with the IP or fqdn of your ClearPass server). So, if you have recent software versions, it is not needed to do it.

    For AOS-CX, I would recommend doing the same but manually:
    - Download the root certificate to your computer from http://your-clearpass.domain/.well-known/aruba/clearpass/https-root.pem
    - Open the downloaded pem file as text file (or copy the content from your browser)
    - Run the commands mentioned above and use what you have in the text file to paste as the certificate.

    The benefit of this approach is that this will always get the correct root CA, regardless if you had your ClearPass HTTPS certificate signed by a public CA (recommended) or private CA, or Onboard internal CA (deprecated, only use in labs where you can't do something else).



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
    ------------------------------

    Original Message


  • 7.  RE: Simple Steps to create the HTTPS Server certificate on ClearPass for your Switches!

    Posted Mar 08, 2021 01:14 PM
    Hi,

    Will it work if the CPPM server has a wildcard certificate installed for https?

    thanks

    ------------------------------
    Benjamin Milton
    ------------------------------

    Original Message


  • 8.  RE: Simple Steps to create the HTTPS Server certificate on ClearPass for your Switches!

    MVP GURU
    Posted Mar 08, 2021 03:04 PM
    Yes

    ------------------------------
    PowerArubaSW : Powershell Module to use Aruba Switch API for Vlan, VlanPorts, LACP, LLDP...

    PowerArubaCP: Powershell Module to use ClearPass API (create NAD, Guest...)

    PowerArubaCX: Powershell Module to use ArubaCX API (get interface/vlan/ports info)..

    ACEP / ACMX #107 / ACDX #1281
    ------------------------------

    Original Message


  • 9.  RE: Simple Steps to create the HTTPS Server certificate on ClearPass for your Switches!

    Posted Mar 16, 2021 02:14 PM
    When I visit the /.well-known/aruba/clearpass/https-root.pem it doesn't actually show the same certificate that I'm using for HTTPS access on the Administration > Certificates > Certificate Store > HTTPS Server Certificate.  It shows a different cert that is in my trust list.  Have you seen that?  Are there other options to download via a url than the "https-root.pem"?  How does it know which cert to grab?

    ------------------------------
    Brian Reed
    ------------------------------

    Original Message


  • 10.  RE: Simple Steps to create the HTTPS Server certificate on ClearPass for your Switches!

    MVP GURU
    Posted Mar 16, 2021 03:59 PM
    Never...

    you get the root certificate of HTTPS certificate (not the certificate of CPPM)

    What CPPM release ?

    ------------------------------
    PowerArubaSW : Powershell Module to use Aruba Switch API for Vlan, VlanPorts, LACP, LLDP...

    PowerArubaCP: Powershell Module to use ClearPass API (create NAD, Guest...)

    PowerArubaCX: Powershell Module to use ArubaCX API (get interface/vlan/ports info)..

    ACEP / ACMX #107 / ACDX #1281
    ------------------------------

    Original Message


  • 11.  RE: Simple Steps to create the HTTPS Server certificate on ClearPass for your Switches!

    Posted Mar 16, 2021 04:17 PM

    Thanks for the reply!

     

    When I view HTTPS Server Certificate I have the chain

    Cert – Intermediate – Intermediate– Root

     

    When I view the https-root.pem via the browser url and save as pem and view it is just the root.  Maybe that's normal?  But in AOS-CX it is showing "Installed, Malformed" but browsing via https the cert shows as ok.

     

     




    Original Message


  • 12.  RE: Simple Steps to create the HTTPS Server certificate on ClearPass for your Switches!

    EMPLOYEE
    Posted Mar 17, 2021 05:12 AM
    It is expected that you only get the root, the intermediates are sent during the SSL session-setup by the ClearPass. So, no need for any intermediates to be installed on the switch. The 'good thing' about using that well-known-URL is that you always get the correct certificate, it now seems that there is something wrong with that root.

    Can you share your root CA cert as retrieved from ClearPass? I can try to import it in my switch and see what is possibly wrong.
    In parallel, please open a case with Aruba TAC support if you need a prompt resolution.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
    ------------------------------

    Original Message


  • 13.  RE: Simple Steps to create the HTTPS Server certificate on ClearPass for your Switches!

    Posted Mar 17, 2021 09:01 AM

    When I paste in JUST the root cert it doesn't accept it – it gives me the following error:  "A signer certificate is not set for signing in its Key Usage extension. Not accepted."

     

    I got it from GoDaddy (https://certs.godaddy.com/repository/gd-class2-root.crt)  when I paste that (exactly what clearpass shows me) it gives that error.  When I paste the cert, the two intermediates, and the root it seems to work but it only shows the intermediate directly signed by this root. 

     




    Original Message


  • 14.  RE: Simple Steps to create the HTTPS Server certificate on ClearPass for your Switches!

    Posted May 28, 2021 03:28 PM
    Did you figure out what was going on?  I'm getting the same error:  "A signer certificate is not set for signing in its Key Usage extension. Not accepted."

    ------------------------------
    David King
    ------------------------------

    Original Message


  • 15.  RE: Simple Steps to create the HTTPS Server certificate on ClearPass for your Switches!

    Posted Jun 01, 2021 02:26 PM
    Sorry for the delay, I was out on vacation and didn't look at email until today! 

    Yes, we ended up using the wrong root cert in the chain (that we uploaded to clearpass).  Our cert was from godaddy but they have a few variations of their roots - some are g2 and others are not.  Where did you get yours?  

    View cert on a machine so you can see the full trust chain and then view in CP - Administration, Certificates, Certificate Store, HTTPS Server Cert drop down - make sure root and intermediate are there.  We had used a different godaddy root.  It was weird because https access showed the cert was ok but the 6300m didn't like it.

    ------------------------------
    Brian Reed
    ------------------------------

    Original Message


  • 16.  RE: Simple Steps to create the HTTPS Server certificate on ClearPass for your Switches!

    Posted Jun 01, 2021 02:39 PM
    No worries at all.  I actually just got off a call with TAC.  They were really confused about why the root certificate wasn't accepted by the 6200 but we tried the intermediate and it worked.  I was able to connect a client and download a role!

    We also use GoDaddy for certificates but we use their Starfield root instead of the GoDaddy root (for reasons that I've never fully understood).

    Thanks for following up on this.

    ------------------------------
    David King
    ------------------------------

    Original Message


  • 17.  RE: Simple Steps to create the HTTPS Server certificate on ClearPass for your Switches!

    Posted Mar 16, 2021 04:19 PM

    Sorry, CPPM version 6.8.6

     




    Original Message


  • 18.  RE: Simple Steps to create the HTTPS Server certificate on ClearPass for your Switches!

    Posted Mar 17, 2021 11:27 AM

    Ok, our fault!!  Apparently the cert chain had the wrong root cert.  Clearpass did the right thing and showed the root cert that I uploaded, it was just the wrong one.  The weird thing is that visiting the page via https didn't show an issue with the cert.  Thanks for your time!

     




    Original Message


  • 19.  RE: Simple Steps to create the HTTPS Server certificate on ClearPass for your Switches!

    MVP GURU
    Posted Mar 17, 2021 04:17 PM
    Thanks for feedback!

    ------------------------------
    PowerArubaSW : Powershell Module to use Aruba Switch API for Vlan, VlanPorts, LACP, LLDP...

    PowerArubaCP: Powershell Module to use ClearPass API (create NAD, Guest...)

    PowerArubaCX: Powershell Module to use ArubaCX API (get interface/vlan/ports info)..

    ACEP / ACMX #107 / ACDX #1281
    ------------------------------

    Original Message


  • 20.  RE: Simple Steps to create the HTTPS Server certificate on ClearPass for your Switches!

    Posted Jan 10, 2024 11:38 AM

    Hi Yash
    thank you for the post. We are not using Clearpass but an internal ca windows 2022 server. What are the steps on an Aruba 6300m?


    Original Message