Our ClearPass RADIUS certificate is expiring soon. Currently, if I navigate to Administration->Certificates->Certificate Store->Server Certificates, I see two certificates:
1. Our soon-to-expire certificate (signed by our local CA)
2. The Root CA certificate, which is our local CA
I exported this certificate before making any changes, so I have a .P12 file that I can use if I need to revert to it.
In order to renew my certificate from the same page, I generated a new CSR and then had it signed by our local CA, which is the same one that signed the current certificate. I downloaded both the base64 and DER .cer files as well as the chain .p7b.
When I try to import my new cert, I use the option Server Certificate, the name of our server, Usage = RADIUS/EAP Server Certificate, Upload Certificate, and "Use saved private key".
The certificate uploads fine, but I do not see the Root CA below it like in my current scenario. I have not done enough testing to see if this is a problem or not, but it is a concern. In addition, our local CA is listed under the Trust List with enabled status and everything.
I am thinking that I have to change the format of my .CER to .P12, but for that I would need the private key that is stored in ClearPass.
I troubleshot this with Support, but they achieved the same results as me.
You should see the issuing CA when the certificate is imported into ClearPass. And if the issuing CA and intermediates (if there are any) are imported, they should automatically show up. Are you sure the certificate is issued by the same root CA? Could it be that your CA issued a CA certificate instead of a server (Endpoint Entity) certificate?
It is hard to tell what is wrong from here, but you should not import the CA as a P12 (which includes the private key) into ClearPass. Just the PEM (.pem/.crt) should be good for Root or Intermediates. If the certificate is accepted during the import, you should be good as it will check the intermediate and private key match. It should show the root and its intermediates in the ClearPass UI nevertheless.
If you have the case still open, I would escalate and ask for an engineer experienced with certificates to verify that all is right. Without the exact files and access to your system, this cannot be answered with confidence.
Thank you, Herman.
When I open the .cer file, I can see both the cert and the CA under the Certification tab; everything looks in order. The certificate imports fine without issues or warnings, but I only see the server certificate and not the local root CA. The process is pretty straightforward: create the CSR, go to the local CA, paste it, select Web Server as the template, then click Submit. After that, all I have to do is download the files and then import them into ClearPass, but no luck.
I am on ClearPass Policy Manager 126.96.36.199592, by the way.
So I went and checked in my local CA certsrv, and under Issued Certificates I do not see any of the certificates I have tried. Although during the signing process I get to download them, they do not show up in certsrv as "issued".
I lied, it's there under certsrv Issued Certificates.
When you imported your RADIUS certificate, you should see the 'Issued By' with your root CA and you should see your RootCA:
This is an example with an internal CA that directly signed my RADIUS certificate. If it doesn't look like that, I would have it double checked by Aruba TAC or another professional.
I requested my case to be escalated and worked with an engineer to resolve this. Apparently the .cer signed by my local CA only contains the server certificate (I don't know why; maybe it's the template I used? Web Server). In order to have the local CA show in ClearPass after importing, we had to extract the server portion and the root portion and then combine them into one file. Here are the steps:
Good that you fixed it. I'm sure there are some shortcuts in what you described, but if it works, it works which is most important.
Could it be that you imported the server certificate into the Trust List? In that case, it could be that during the import the certificate is considered the root itself, so the root is not added to the chain. What you did now is import the certificate + the root in a single file, which works but should not be needed. I won't touch it as it looks good now.
Hi, I have a question. As I see in the screenshot below, the validity is different from the Root CA's. What will be the impact if the above certificate is expiring soon and the Root CA is not? Do we need to renew or import a new cert?
The one marked with the yellow circle is the actual server certificate, and if that is expiring you should renew the certificate or request a new one with the same name and with the same CA.
If one of the certificates in the chain expires, clients will no longer be able to connect. Root CAs in general have a long running time (10s of years) and are stored in your browser or operating systems. Intermediate CAs are more dynamic, typical few years but fine as long as the root doesn't change, and the actual server certificate typically will have a 1-3 year validity period.
Thanks for your response.
May I know how to renew it, as this is the first time we are renewing the server certificate and I can't find any guide on the internet?
Thanks again and appreciate your help.
Best practice for an expiring RADIUS EAP Server certificate is to just request a new one and install that.
There are three constraints:
- Use the same SAN/CN as in your previous certificate. Note that having a SAN with the same name as the CN now is mandatory.
- Get the certificate signed by the same root CA. If you don't clients will have issues trusting it. If you can't use the same root CA, prepare for the reconfiguration of all your clients.
- Make sure the lifetime of your newly signed certificate is less than 825 days.
I think this summary from JISC/Eduroam in the UK is a nice resource.
Do I need to generate a CSR again on ClearPass? Sorry for the stupid question, not an expert on the certificate thingy.
I would generate the CSR outside of ClearPass with OpenSSL, and import the full private+public key+certificate, so you have a backup of it.
I think you could even re-submit your existing CSR to the CA, but that would not change the private key.
If you are not sure, it may be best to work with someone to assist you like your Aruba Partner or Aruba Support.
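The OpenSSL route Herman recommends (key and CSR generated outside ClearPass, then imported together with the certificate), plus the checks this thread keeps circling back to (did the CA issue a server certificate or a CA certificate, does the key match, does the SAN carry the CN, is the renewal from the same issuer, is the lifetime under 825 days, and the single server+root PEM file the original poster ended up importing) as an added, runnable example. This is not code from the thread, from Aruba or from ClearPass; it assumes only that `openssl` is on PATH, and the local CA, the host name `radius.example.local` and the `.p12` password are constructed test data standing in for the poster's internal CA.

```shell
#!/bin/sh
# Added example, not from the thread. Constructed test data throughout:
# a self-signed "Local Root CA" stands in for the internal CA, and
# radius.example.local for the ClearPass server name.
set -e
WORK=$(mktemp -d)
HOST=radius.example.local

# Constructed local CA (self-signed), standing in for the thread's internal CA.
make_root_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=Local Root CA" \
    -keyout "$WORK/root.key" -out "$WORK/root.pem" >/dev/null 2>&1
}

# Server key + CSR generated outside ClearPass. The config puts the host name
# in the CN *and* in a DNS SAN and asks for an end-entity server certificate.
# [ca_ext] exists only to reproduce the mistake Herman asked about (a CA cert).
make_key_and_csr() {
  cat > "$WORK/server.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
req_extensions = ext
[dn]
CN = $HOST
[ext]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
subjectAltName = DNS:$HOST
[ca_ext]
basicConstraints = CA:TRUE
EOF
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/server.cnf" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" >/dev/null 2>&1
}

# Sign the CSR with the root CA: $1 = extension section, $2 = days, $3 = output.
sign_csr() {
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -days "$2" -extfile "$WORK/server.cnf" -extensions "$1" \
    -out "$3" >/dev/null 2>&1
}

# 0 if the cert is an end-entity certificate, 1 if the CA issued a CA cert instead.
is_end_entity() {
  if openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; then return 1; fi
  return 0
}
# 0 if the private key belongs to the certificate (public keys identical).
key_matches() {
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}
# 0 if the DNS SAN list contains the CN (required for EAP server certs now).
san_contains_cn() {
  cn=$(openssl x509 -in "$1" -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p')
  openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name' | grep -q "DNS:$cn"
}
# 0 if old and new certificate name the same issuer (renewed by the same CA).
same_issuer() {
  [ "$(openssl x509 -in "$1" -noout -issuer)" = "$(openssl x509 -in "$2" -noout -issuer)" ]
}
# 0 if the cert expires within 825 days from now. For a freshly issued cert this
# is the 825-day lifetime check; -checkend exits 0 only if it is still valid then.
lifetime_ok() {
  if openssl x509 -in "$1" -noout -checkend $((825 * 86400)) >/dev/null; then return 1; fi
  return 0
}
# 0 if the certificate chains to the root.
chain_ok() { openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; }

# Server cert followed by the root in one PEM file; prints the cert count (2).
build_bundle() { cat "$1" "$2" > "$3"; grep -c 'BEGIN CERTIFICATE' "$3"; }

# Key + cert + root in a password-protected .p12, the backup Herman suggests.
make_p12() {
  openssl pkcs12 -export -in "$1" -inkey "$2" -certfile "$3" -passout "pass:$4" -out "$5"
}
# Number of certificates stored in a .p12 (server + root = 2).
p12_cert_count() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys | grep -c 'BEGIN CERTIFICATE'
}

# Demo on the constructed data: one correct issuance and two wrong ones.
make_root_ca
make_key_and_csr
sign_csr ext 365 "$WORK/server.pem"     # what the CA should issue
sign_csr ca_ext 365 "$WORK/wrong.pem"   # CA certificate issued by mistake
sign_csr ext 1095 "$WORK/long.pem"      # lifetime over the 825-day limit
for c in server wrong long; do
  f="$WORK/$c.pem"; status=ok
  is_end_entity "$f" || status="CA cert, not a server cert"
  lifetime_ok "$f"   || status="lifetime exceeds 825 days"
  echo "$c.pem: $status"
done
build_bundle "$WORK/server.pem" "$WORK/root.pem" "$WORK/bundle.pem" >/dev/null
make_p12 "$WORK/server.pem" "$WORK/server.key" "$WORK/root.pem" changeit "$WORK/backup.p12"
echo "bundle.pem and backup.p12 written to $WORK"
```

Against a real renewal, point the check functions at the `.cer` the local CA handed back, the key you generated, and the existing certificate: a `CA:TRUE` hit or a SAN without the CN explains a certificate that "imports fine" but does not behave, and `bundle.pem` is the single server+root file the original poster imported, while `backup.p12` is the copy to keep outside ClearPass.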
Noted. But requesting a new CSR will not affect the Root CA once the newly signed cert is imported?
If you have on-boarded devices, make sure the new CSR has the same CN as the old certificate; if it is different, device auth will fail.
If you are signing with the same CA that signed the old certificate, then the Root certificate will mostly be the same.