last person joined: 11 hours ago 

Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).
Expand all | Collapse all

ClearPass RADIUS certificate expiring

This thread has been viewed 32 times
  • 1.  ClearPass RADIUS certificate expiring

    Posted Oct 03, 2019 12:30 PM

    Our Clearpass RADIUS certificate is expiring soon, currently if i navigate to Administration->Certificates->Certificate Store->Server Certificates  i see two certificates:

    1.- Our soon to expire certificate (signed by our local CA)

    2.- Root CA certificate which is our local CA

    I exported this certificate  before making any changes so i got a  .P12 file that i can use if i need to revert to it.

    In order to renew my certificate from the same page i Generated a new CSR and then i went i had it signed by our local CA which is the same that signed the current one, i downloaded both  base64 and DER .cer files as well as the chain .p7b. 

    When i try to import my new cert i use the option  Server Certificate, the name of our server, Usage = RADIUS/EAP Server Certificate and Upload Certificate and use Saved private key.

    The certificate uploads fine but i do not see the Root CA down like my current scenario. I have not done enough testing to see if this a problem or not but it is a concern, in addition, our local CA is listed under the Trust List with enabled status and everything.

    I am thinking that i have to change the format of my .CER to  .P12 but for that i would need the private key that is stored in Clearpass.

    I troubleshooted with Support but they achived the same results as me.


    Any ideas?


  • 2.  RE: ClearPass RADIUS certificate expiring

    Posted Oct 04, 2019 06:46 AM

    You should see the issuing CA when the certificate is imported into ClearPass. And if the issuing CA and intermediates (if there are any) are imported, they should automatically show up. Are you sure the certificate is issued by the same root CA? Could it be that your CA issued a CA certificate instead of a server (Endpoint Entity) certificate?


    It is hard to tell what is wrong from here, but you should not import the CA as a P12 (which includes the private key) into ClearPass. Just the PEM (.pem/.crt) should be good for Root or Intermediates. If the certificate is accepted during the import, you should be good as it will check the intermediate and private key match. It should show the root and its intermediates in the ClearPass UI nevertheless.


    If you have the case still open, I would escalate and ask for an engineer experienced with certificates to verify that all is right. Without the exact files and access to your system, this cannot be answered with confidence.

  • 3.  RE: ClearPass RADIUS certificate expiring

    Posted Oct 04, 2019 10:14 AM

    Thank you Herman,

    When i open the .cer file i can see both cer and CA under certification tab, everthing looks in order, the certificate imports fine without issues or warnings but i only see the server certificate and not the local root CA. The process is pretty straight forward, create the CSR, go to local CA paste, select Web Server as template then click submit after that all i have to do is download the files and then import in Clearpass but no luck.

  • 4.  RE: ClearPass RADIUS certificate expiring

    Posted Oct 04, 2019 10:15 AM

    I am on ClearPass Policy Manager by the way.



  • 5.  RE: ClearPass RADIUS certificate expiring

    Posted Oct 04, 2019 10:32 AM

    So i when and checked in my local CA  crtsrv and under issued certificates i do not see any of the certificates i have tried, alghough during the signing process i get to download them they do not show up in crtsrv as  "issued".

  • 6.  RE: ClearPass RADIUS certificate expiring

    Posted Oct 04, 2019 10:58 AM

    I lied, its there under crtsrv Issued Certificates

  • 7.  RE: ClearPass RADIUS certificate expiring

    Posted Oct 04, 2019 11:46 AM

    When you imported your RADIUS certificate, you should see the 'Issued By' with your root CA and you should see your RootCA:

    Screen Shot 2019-10-04 at 17.43.11.png

    This is an example with an internal CA that directly signed my RADIUS certificate. If it doesn't look like that, I would have it double checked by Aruba TAC or another professional.

  • 8.  RE: ClearPass RADIUS certificate expiring

    Posted Oct 04, 2019 01:48 PM

    Thanks Herman,

    I requetsed by case to be elevated and worked with an engineer to resolve this, so apparently the cer signed by my Local CA only contains the server (i dont know why maybe is the template i used? web ) in order to have the Local CA show in clearpass after importing we had to extract the server portion and the Root portion and then combining into one file, here are the steps:



    After generating the CSR on clearpass and having it signed by  AD2012R2, the certificate generated in Base64 format was downloaded and imported into clearpass however clearpass was only showing the server certificate and not the Root
    In order to have this certificate installed correctly the following needs to be done:
    1.- Right click on the base64 file then  select Open, go to certification tab and highlight your clearpass certificate
    2.- Go to details tab and then select copy to File
    3.- Click Next
    4.- Select Base-64 encoded X.509 (.CER) and click Next
    5. Name the file  server.cer + Next then Finish, the file will be crated and placed in the same location where the original cert is.
    6.- On the same open window that shows the certificate details go to Certification Path, click on the Root 
    7.- Select View Certificate
    8.- go to DEtails then Copy to File
    9.- Click Next
    10.- Select Base-64 encoded X.509(.CER)
    11.- Name it Root.cer, click NEXT then finish.
    12.-Open Server.cer in an Editor (Notepadd ++) 
    13.-OPen Root.cer and copy the contents of the Certificate
    14.- Paste imediately below Server.cer contents, make sure there are no extra lines at the end. 
    15.- Save the file and use this file to import in Clearpass, after importing you will see both Server and Root.
    I looked and looked and all videos showed and easy process but for me it was not.

  • 9.  RE: ClearPass RADIUS certificate expiring

    Posted Oct 07, 2019 08:49 AM

    Good that you fixed it. I'm sure there are some shortcuts in what you described, but if it works, it works which is most important.


    Could it be that you imported the server certificate into the Trust List? In that case, it could be that during the import the certificates is considered the root itself, thus no adding of the root in the chain. What you did now is import the certificate + the root in a single file, which works but should not be needed. I won't touch it as it looks good now.



  • 10.  RE: ClearPass RADIUS certificate expiring

    Posted Jul 01, 2020 11:05 PM

    Hi I have a question, as I saw the below screenshot the validity is different with the Root CA. What will be the impact if the above certificate is expiring soon and the Root CA is not. Should we need to renew or import new cert? 






  • 11.  RE: ClearPass RADIUS certificate expiring

    Posted Jul 02, 2020 03:21 AM

    The one marked with the yellow circle is the actual server certificate, and if that is expiring you should renew the certificate or request a new one with the same name and with the same CA.


    If one of the certificates in the chain expires, clients will no longer be able to connect. Root CAs in general have a long running time (10s of years) and are stored in your browser or operating systems. Intermediate CAs are more dynamic, typical few years but fine as long as the root doesn't change, and the actual server certificate typically will have a 1-3 year validity period.

  • 12.  RE: ClearPass RADIUS certificate expiring

    Posted Jul 27, 2020 10:45 PM

    Hi Herman,


    Thanks for your response.


    May I know how to renew it as this is the first time we are renewing the server certificate and I can't find any guide on the internet. 


    Thanks again and appreciate your help.




  • 13.  RE: ClearPass RADIUS certificate expiring

    Posted Jul 28, 2020 04:22 AM

    Best practice for an expiring RADIUS EAP Server certificate is to just request a new one and install that.


    There are three constraints:

    - Use the same SAN/CN as in your previous certificate. Note that having a SAN with the same name as the CN now is mandatory.

    - Get the certificate signed by the same root CA. If you don't clients will have issues trusting it. If you can't use the same root CA, prepare for the reconfiguration of all your clients.

    - Make sure the lifetime of your newly signed certificate is less than 825 days.


    I think this summary from JISC/Eduroam in the UK is a nice resource.


  • 14.  RE: ClearPass RADIUS certificate expiring

    Posted Jul 28, 2020 09:30 PM

    Hi Herman,


    Do I need to generate a CSR again on clearpass? Sorry for stupid question not expert on certificate thingy. 





  • 15.  RE: ClearPass RADIUS certificate expiring

    Posted Jul 30, 2020 05:51 AM

    I would generate the CSR outside of ClearPass with OpenSSL, and import the full private+public key+certificate, so you have a backup of it.


    I think you could even re-submit your existing CSR to the CA, but that would not change the private key.


    If you are not sure, it may be best to work with someone to assist you like your Aruba Partner or Aruba Support.

  • 16.  RE: ClearPass RADIUS certificate expiring

    Posted Aug 02, 2020 11:16 PM

    Hi Herman,


    Noted. But requesting new CSR will not be affect the Root CA once imported the newly signed cert?





  • 17.  RE: ClearPass RADIUS certificate expiring

    Posted Aug 04, 2020 07:48 AM

    If you have on-boarded devices make sure new CSR have same CN name as old certificate, if it is different then device auth will fail.


    If you are singing with same CA who singed old certificate then mostly Root certificate will be same.

  • 18.  RE: ClearPass RADIUS certificate expiring

    Posted Jul 06, 2021 10:08 PM
    Hello Herman

    I have a problem with the CA certificate, I created a different certificate than the one that was installed and my clients with windows operating system do not recognize it, I have to add the Wi-Fi network manually. What can I do so that my clients reconnect without manually setting the Wi-Fi network in windows.

    I currently have Clear Pass version 6.10

    lalo rocha

  • 19.  RE: ClearPass RADIUS certificate expiring

    Posted Jul 07, 2021 10:56 AM
    That depends on the client configuration. Your clients should trust your RADIUS server's certificate, by having the root and certificate name configured.

    If you changed the certificate, and either the RootCA, or the server name changed, it is expected that your clients will not be able to connect. Changing your RADIUS certificate is something you need to carefully plan and execute.

    In this situation, as I don't know the previous situation, nor the current situation, I would recommend working with your Aruba partner, or Aruba Support to find out what went wrong and how to possibly recover with the fewest interruptions to your clients.

    Herman Robers
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.