Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Clearpass Certificate Issue

  • 1.  Clearpass Certificate Issue

    Posted Mar 25, 2020 01:33 PM

    My clearpass server and radius certs expire in 2 weeks.

     

    I am in the process of trying to get new ones and am running into issues.

     

    I generated the CSR from Clearpass and used that with my certificate authority to generate a certificate.

     

    When I try to install the certificate in Clearpass I get the following error - "Certificate file is not valid. Either the certificate signature is tampered or file is corrupted."

     

    I am running 6.7.9

     

    Any help would be appreciated.



  • 2.  RE: Clearpass Certificate Issue

    EMPLOYEE
    Posted Mar 25, 2020 01:36 PM

    Which CA do you have and exactly what procedure did you use?  What did you do the last time?

     

    We are missing quite a bit of information to assist you.



  • 3.  RE: Clearpass Certificate Issue

    Posted Mar 25, 2020 01:48 PM

    Sorry - more information provided below.

     

    CA is InCommon.

     

    Procedure - filled out the CSR  from Clearpass.

    I copied and pasted it exactly into InCommon.

    It generated the certificate, which I downloaded and tried to import into Clearpass.

    Upload method: Upload Certificate and use Saved Private Key.

     

    Last time - I don't remember, it was 2 years ago. I know I got the cert from InCommon. What I do remember is this being a major pain in the butt last time too.

     

    This was so much easier when I was using NPS.

     

    Thanks.



  • 4.  RE: Clearpass Certificate Issue

    EMPLOYEE
    Posted Mar 25, 2020 02:06 PM

    You should be using a private CA for 802.1x, because all of your domain clients should already trust that. You should be using a public CA for the guest portal HTTPS certificate.



  • 5.  RE: Clearpass Certificate Issue

    Posted Mar 25, 2020 02:38 PM

    Are you saying the issue is InCommon?

     

    The certificate I was actually trying to replace was the https one and I was getting the error. Last time I used the same certificate for both https and RADIUS.

     

    Typically my domain clients (the Windows ones anyways) authenticate via machine auth which is fine.

     

    95% of my non-Domain clients do not use guest as they are employees or students (or eduroam users). Should they be using a certificate from a private CA?

     

     

     

     



  • 6.  RE: Clearpass Certificate Issue

    Posted Mar 25, 2020 02:49 PM

    Your RADIUS cert can be private, but the HTTPS one needs to be publicly signed.

     

    I would suggest importing a PKCS12 (.p12) file if you can. If not, make sure the CSR you upload has the full chain and you upload the full chain CSR on the server from which you generated the CSR otherwise the private key will not be there. If you have additional servers, export the p12 from that server with a passphrase and proceed to upload that to the other servers.

     

    Also, make sure your certificate provider is trusted in the Trust List section.



  • 7.  RE: Clearpass Certificate Issue

    Posted Mar 25, 2020 03:18 PM

    If the Clearpass CSR requires the entering of a private key password, why does it not generate a private key file? I think that might be part of the issue.



  • 8.  RE: Clearpass Certificate Issue

    Posted Mar 25, 2020 03:20 PM

    I'm talking about an export. When you generate the CSR on CPPM, the private key will be on that box, and that box only.



  • 9.  RE: Clearpass Certificate Issue

    EMPLOYEE
    Posted Mar 26, 2020 05:21 AM

    When you generate a CSR on the ClearPass UI, there will be a multi-file download: one for the CSR and one for the private key. Some browsers handle downloading multiple files on a single click differently. When generating the CSR and downloading it, make sure that you get 2 files. It can be that there is a warning in the browser URL bar which is clear or more hidden depending on the browser. If you can't get both files, try a different browser.

     

    Check this video to see what I mean.

     

    I'd think that if you missed the private key during the CSR export, it is no longer available and you will need to re-do the request process. You can use your own, or CA tools as well to generate a CSR and keypair for a standard HTTPS server certificate. There is no need to do that on the ClearPass server.



  • 10.  RE: Clearpass Certificate Issue

    Posted Mar 26, 2020 08:42 AM

    Hi Herman,

     

    Your videos are awesome. They are literally what I used to configure my Clearpass two years ago.

     

    That being said - I am not getting the option to download both, as you can see from the picture.

     

    I believe last time I did this using openssl, and I'll probably do that again. I just need to figure out how.

     

    Thanks for responding.

     

    CSR.PNG



  • 11.  RE: Clearpass Certificate Issue

    EMPLOYEE
    Posted Mar 26, 2020 09:24 AM

    On newer code, the private key is stored on the system itself.

    We see this message in the popup window of the CSR, which prompts to download the CSR.

     

    Create Certificate Signing Request
    Private Key is stored in the system. You can now upload certificate alone without using Private Key

     

    The certificate which you got signed might have gotten corrupted; try generating a new CSR, get it signed, and try uploading again.



  • 12.  RE: Clearpass Certificate Issue

    EMPLOYEE
    Posted Mar 26, 2020 09:39 AM

    Ok, I missed that the private key is not downloaded in recent versions. Thanks for the update.



  • 13.  RE: Clearpass Certificate Issue

    Posted Mar 26, 2020 09:41 AM

    Thanks Pavan - I've tried doing that.

     

    Perhaps I'm not selecting the right certificate type from my provider?

     

    These are the choices I'm presented for downloading.

     

    certs.PNG



  • 14.  RE: Clearpass Certificate Issue

    EMPLOYEE
    Posted Mar 26, 2020 09:47 AM

    Download certificate with chain.



  • 15.  RE: Clearpass Certificate Issue

    Posted May 30, 2020 04:28 PM

    Ugh - same issue here.

     

    Incommon certs have been signed as follows

     

    Incommon intermediate cert

    UserTrust intermediate cert

    AddTrust root cert

     

    The AddTrust root expired today. There's a new UserTrust that is now the root. I've imported this and enabled it. But the existing cert is still using the old chain.

     

    So trying to re-upload the cert and/or chain using the existing private key. But I am also getting the "certificate file is not valid. Either the certificate signature is tampered or file is corrupted". Both PEM and PKCS#7 (PEM encoded) result in this error.

     

     

    I tried PKCS#7 (p7b) and I get "Private Key File is not available in the system."

     

    Since there's no way to export the existing key, it seems the only way is to generate a new CSR and get a new one? Or can TAC import them via command line?

     

     

    BTW, in my case, I'm using 6.7.12. Current certs were installed when the system was under 6.6.

     

    Adding that I created a new CSR, but there's no way to download the private key. Only option is to download the CSR.

     

     



  • 16.  RE: Clearpass Certificate Issue

    Posted May 30, 2020 04:36 PM

    I'm not really following what you're trying to do but you can export your cert. You just need to scroll down and you'll see an export.

     

    In general, I recommend importing your full chain pem and key. Or install just a PKCS12.



  • 17.  RE: Clearpass Certificate Issue

    Posted May 30, 2020 04:57 PM

    Only way was to replace the cert. Generated a new CSR, and it would only accept a PKCS#7 as the format.

     

     



  • 18.  RE: Clearpass Certificate Issue

    Posted May 30, 2020 05:06 PM

    But now CPPM updates are getting the following:

     

    Unknow Error - [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:579)
    Check details entered, Network Connectivity, http_proxy credentials.
    Click on 'Check Status Now' after correcting the configuration.

     

     



  • 19.  RE: Clearpass Certificate Issue

    MVP EXPERT
    Posted May 31, 2020 07:43 AM
    • When creating a signing request (CSR), the private key is stored in the ClearPass node. So you can't create a PKCS#12 without creating a CSR on an external server or exporting the current one from ClearPass when you have a valid certificate.
    • When creating a CSR and signing it against your PKI CA server, be sure that the signed certificate is installed on the ClearPass node where the CSR was created; only that node has the private key.
    • Check that your system time and timezone settings are correct.
    • Check if the CA root and intermediates are in the ClearPass trust store, and be sure that they are ENABLED.

    See attached a quick example with Windows Server CA.

    Hope this helps.




  • 20.  RE: Clearpass Certificate Issue

    Posted May 31, 2020 03:51 PM

    I was getting the same message for software updates. I opened a case with Aruba and they said their certificate expired on their end. As of this morning it is working again.



  • 21.  RE: Clearpass Certificate Issue

    EMPLOYEE
    Posted May 31, 2020 09:35 AM

    Hi,

     

    Since the Root CA UserTrust Certificate expired on 30/5/2020, I would recommend you generate a new CSR, get the CSR signed by the CA, and then import it back to ClearPass. Usually, we recommend generating the CSR outside of the managed device, but you can do it on ClearPass as well. After you import the certificate to ClearPass, you will have the option to export it with the private key. This is recommended so you keep a backup of the certificates in use.

     

    The certificate was originally signed by UserTrust so what you are seeing in terms of CA chain is correct. It will not suddenly change to be signed by the new CA. You need to generate a new certificate.

     

    Finally, you will not have the option to download the private key until you import the signed certificate to ClearPass. The process is as follows. You generate a CSR on ClearPass. It really generates a CSR and a private key. The CSR and private key are linked. Previously, you were able to download them both without installing the certificate. With newer ClearPass versions, you will only be able to download the CSR. Once you sign the CSR and get the certificate, you import it to ClearPass. ClearPass will check if the certificate and private key (which it has generated before) match.
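
The key/CSR/certificate relationship described in this reply, as an added example (not from any poster or from Aruba): generate the key pair and CSR with OpenSSL outside ClearPass, confirm that the signed certificate carries the same public key, and only then package it as PKCS#12. The host name, file names and the `P12_PASS` variable are assumptions; `-addext` needs OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# Added example; host name and file names are placeholders.

# Create the key pair and CSR outside ClearPass so the key can be kept and
# later packaged as PKCS#12. umask keeps the unencrypted key owner-only.
gen_csr() {  # gen_csr <fqdn> <key-out> <csr-out>
    ( umask 077
      openssl req -new -newkey rsa:2048 -nodes -keyout "$2" -out "$3" \
          -subj "/CN=$1" -addext "subjectAltName=DNS:$1" 2>/dev/null )
}

# SHA-256 of the DER-encoded public key inside a cert, CSR or private key.
pub_fp() {  # pub_fp cert|csr|key <file>
    pem=$(case "$1" in
        (cert) openssl x509 -in "$2" -noout -pubkey ;;
        (csr)  openssl req  -in "$2" -noout -pubkey ;;
        (key)  openssl pkey -in "$2" -pubout ;;
        (*)    false ;;
    esac 2>/dev/null) || return 1
    [ -n "$pem" ] || return 1
    printf '%s\n' "$pem" | openssl pkey -pubin -outform DER |
        openssl dgst -sha256 | awk '{print $NF}'
}

# True only when the certificate's public key equals the CSR's or key's.
cert_matches() {  # cert_matches <cert> csr|key <file>
    a=$(pub_fp cert "$1") && b=$(pub_fp "$2" "$3") && [ "$a" = "$b" ]
}

# Bundle cert + key as PKCS#12, refusing a mismatched pair.
# The passphrase is read from the P12_PASS environment variable.
make_p12() {  # make_p12 <cert> <key> <out.p12>
    cert_matches "$1" key "$2" || { echo "cert/key mismatch" >&2; return 1; }
    openssl pkcs12 -export -in "$1" -inkey "$2" -out "$3" -passout env:P12_PASS
}
```

Run the check against the end-entity certificate on its own: `openssl x509` reads only the first block of a bundle, which in a root-first download is not the server certificate.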



  • 22.  RE: Clearpass Certificate Issue

    Posted Jul 15, 2021 04:17 PM

    The issue I've run into is that InCommon chains the certificates upside-down; the order is supposed to go:

    • your cert
    • intermediate 1 (InCommon)
    • intermediate 2 (UserTrust)
    • Root CA (AAA)

    InCommon does the opposite. To work around this, download the certificate with chain, PEM encoded. Then open it in your favorite text browser, and reverse the order of the four certificate blocks. Save it back out and it should import into CPPM just fine; at least, it did for me. :)

    ------------------------------
    firstName
    ------------------------------
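
The manual reordering described in the last post, generalized as an added example (not from the poster or from Aruba): instead of reversing the blocks by hand, this follows issuer-to-subject links so the output is leaf-first whatever order the CA delivered. It assumes `openssl` is on the PATH and that each subject name appears only once in the bundle; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: reorder a PEM bundle leaf-first by following issuer -> subject.

name_of() {  # name_of subject|issuer <cert-file>
    openssl x509 -in "$2" -noout "-$1" -nameopt RFC2253 | sed "s/^$1= *//"
}

order_chain() {  # order_chain <bundle.pem>  -> ordered PEM on stdout
    dir=$(mktemp -d) || return 1
    # One file per certificate block; text outside the markers is dropped.
    awk -v d="$dir" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/%03d.pem", d, n) }
        out != ""                     { print > out }
        /-----END CERTIFICATE-----/   { close(out); out = "" }
    ' "$1"

    # The leaf is the certificate whose subject issued nothing else here.
    cur=""; left=0
    for c in "$dir"/*.pem; do
        [ -e "$c" ] || continue
        left=$((left + 1))
    done
    for c in "$dir"/*.pem; do
        [ -e "$c" ] || continue
        s=$(name_of subject "$c"); issued=0
        for o in "$dir"/*.pem; do
            [ "$o" != "$c" ] && [ "$(name_of issuer "$o")" = "$s" ] && issued=1
        done
        [ "$issued" -eq 0 ] && cur=$c && break
    done
    [ -n "$cur" ] || { rm -rf "$dir"; return 1; }

    # Walk upward: emit the current cert, then the one named as its issuer.
    # The counter bounds the walk so a looped bundle cannot spin forever.
    while [ -n "$cur" ] && [ "$left" -gt 0 ]; do
        left=$((left - 1))
        cat "$cur"
        i=$(name_of issuer "$cur"); s=$(name_of subject "$cur"); next=""
        [ "$i" = "$s" ] && break              # self-signed root ends the chain
        for o in "$dir"/*.pem; do
            [ "$(name_of subject "$o")" = "$i" ] && next=$o && break
        done
        cur=$next
    done
    rm -rf "$dir"
}
```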