Security

Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).

ClearPass HTTPS Certificate Help

  • 1.  ClearPass HTTPS Certificate Help

    Posted Aug 27, 2020 05:18 PM

    This seems almost silly, but I am unable to upload a server certificate to my ClearPass server. Running ClearPass v6.9.2. I generated the CSR from ClearPass and it popped up a little message:

     

    "Private Key is stored in the system. You can now upload certificate alone without using Private Key."

     

    But when I try to upload the certificate I get an error: "Private Key File is not in the system."

     

    Seems like it should be a pretty straightforward import process, but it's not working. Is anyone else having this issue?



  • 2.  RE: ClearPass HTTPS Certificate Help

    Posted Aug 30, 2020 12:14 AM

    I believe the private key file is deleted from ClearPass 7 days from the CSR creation. 

    If it is more than 7 days since the associated CSR was generated, you have to create a new CSR.



  • 3.  RE: ClearPass HTTPS Certificate Help

    Posted Jul 22, 2021 05:34 AM
    Hi there, 

    Did you ever get a solution to this issue? I seem to have the same problem.

    I generate a CSR, get the message "Private Key is stored in the system. You can now upload certificate alone without using Private Key."
    No private key is exportable at this stage.
    I get the CSR signed and then try to import "as Certificate (w/ chain), PEM encoded" and the option on CPPM "Upload Certificate and Use Saved Private Key".
    But when I try to upload the certificate I get an error: "Private Key File is not in the system."

    CPPM doesn't seem to be linking up the saved private key with the cert that's being imported.
    Maybe I'm missing something fundamental?

    thanks



    ------------------------------
    Ciaran Byrne
    ------------------------------



  • 4.  RE: ClearPass HTTPS Certificate Help

    Posted Jul 22, 2021 06:40 AM
    Strange,

    There is no change on the certificate?

    Have you checked it is for RADIUS / HTTPS?

    ------------------------------
    PowerArubaSW : Powershell Module to use Aruba Switch API for Vlan, VlanPorts, LACP, LLDP...

    PowerArubaCP: Powershell Module to use ClearPass API (create NAD, Guest...)

    PowerArubaCL: Powershell Module to use Aruba Central

    PowerArubaCX: Powershell Module to use ArubaCX API (get interface/vlan/ports info)..

    ACEP / ACMX #107 / ACDX #1281
    ------------------------------



  • 5.  RE: ClearPass HTTPS Certificate Help

    Posted Jul 22, 2021 07:26 AM
    Hey.

    "There is no change on the certificate?"
    No change. I've attempted multiple times. 

    "Have you checked it is for RADIUS / HTTPS?"
    How do you mean? I'm importing it as an HTTPS cert.

    I guess I could use openssl to generate the CSR and private key and then import both together. But I'd be interested to know what I'm doing wrong. I have seen postings in these forums about this issue with no real answer given.

    thanks for your help.

    ------------------------------
    Ciaran Byrne
    ------------------------------



  • 6.  RE: ClearPass HTTPS Certificate Help

    Posted Jul 22, 2021 07:42 AM
    I generated a private key and CSR using openssl, had the CSR signed and then tried importing the cert along with the private key to CPPM.
    I am now getting the following error - see attachment.

    Do I need to clear a private key on the system that is associated with a previous CSR?

    ------------------------------
    Ciaran Byrne
    ------------------------------



  • 7.  RE: ClearPass HTTPS Certificate Help

    Posted Jul 22, 2021 10:18 AM
    If you generated the key and CSR with openssl, you probably have both the private key and the signed certificate from your CA.

    Just import the key and cert, forget about the saved key, it will be overwritten once you import cert+key.

    BTW: The message suggests that the private key does not match the signed certificate. If you imported both key+cert, these do not belong to each other.

    Aruba TAC, or your partner have done this more often, it may help to seek assistance.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 8.  RE: ClearPass HTTPS Certificate Help

    Posted Jul 29, 2021 11:58 AM
    The message suggests that the private key does not match the signed certificate. If you imported both key+cert, these do not belong to each other.

    ------------------------------
    Strong Pepper
    ------------------------------



  • 9.  RE: ClearPass HTTPS Certificate Help

    Posted Jul 22, 2021 05:43 PM
    Hi Ciaran,

    I share Herman's opinion, looks like a mismatch between key and cert.

    I would suggest you check their modulus md5 to confirm they are indeed "coupled".

    - For the SSL certificate: openssl x509 -noout -modulus -in <file> | openssl md5
    - For the RSA private key: openssl rsa -noout -modulus -in <file> | openssl md5

    Also, as best practice, you should include the certification chain when inserting the certificate. If you have any issues with that, drop a line...

    ------------------------------
    Miguel Goncalves
    ------------------------------



  • 10.  RE: ClearPass HTTPS Certificate Help

    Posted Jul 23, 2021 05:13 AM
    Hi Miguel and Herman,

    Thanks for getting back to me.

    Sorry if I wasn't clearer in my previous messages. Yes, we generated the CSR and private key with openssl and then got the mismatch error when importing the cert and the key together.
    We ran the openssl commands suggested by Miguel and the md5 hashes match.

    As stated, we also get the mismatch error message when we go through the process of generating the csr through the CP GUI and then importing the signed cert.

    Anyway, we'll contact our support partner and see what they say.

    thanks


    ------------------------------
    Ciaran Byrne
    ------------------------------



  • 11.  RE: ClearPass HTTPS Certificate Help

    Posted Jul 25, 2021 09:16 AM
    From the attachment and the PEM with chain, it's likely that the order of certs in the chain isn't what CPPM is expecting. Likely the system is trying to associate the signing CA cert to the saved request/key, which won't work. 

    Try importing just the cert and not the entire chain. 

    The chain should be added in the certificate trust list before adding the cert.
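
The two checks suggested in posts 9 and 11 can be combined into one script; this is an added example, not code from the thread or from Aruba. It compares public keys instead of the RSA modulus, so it goes beyond the thread's commands and also covers EC keys. The function names, file names and the throwaway CA are assumptions constructed for illustration, and the private key is assumed to be unencrypted.

```bash
#!/usr/bin/env bash
# Added example (not from the thread): find which certificate in a PEM bundle
# belongs to a private key, by comparing public keys (works for RSA and EC).

# Print the Nth (1-based) certificate block of PEM bundle $1.
nth_cert() {
    awk -v n="$2" '/-----BEGIN CERTIFICATE-----/ { i++ }
        i == n { print }
        i == n && /-----END CERTIFICATE-----/ { exit }' "$1"
}

# Print the 1-based position in bundle $2 of the certificate whose public key
# matches unencrypted private key $1. Prints 0 and returns 1 if none matches.
matching_cert_position() {
    local keypub certpub count i
    keypub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
    count=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$2" 2>/dev/null) || count=0
    i=1
    while [ "$i" -le "$count" ]; do
        certpub=$(nth_cert "$2" "$i" | openssl x509 -noout -pubkey 2>/dev/null || true)
        if [ -n "$certpub" ] && [ "$certpub" = "$keypub" ]; then
            echo "$i"; return 0
        fi
        i=$((i + 1))
    done
    echo 0; return 1
}

# Constructed sample input: a throwaway CA and server certificate in directory
# $1, plus the same two certificates bundled in both orders.
make_sample_chain() {
    ( cd "$1" &&
      openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
          -subj "/CN=Constructed Test CA" -days 1 &&
      openssl req -newkey rsa:2048 -nodes -keyout srv.key -out srv.csr \
          -subj "/CN=clearpass.example.test" &&
      openssl x509 -req -in srv.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
          -out srv.crt -days 1 &&
      cat srv.crt ca.crt > leaf_first.pem &&
      cat ca.crt srv.crt > ca_first.pem ) >/dev/null 2>&1
}

# With two arguments, check real files: bash script.sh server.key bundle.pem
if [ "$#" -eq 2 ]; then matching_cert_position "$1" "$2"; fi
```

A result of 1 means the bundle starts with the certificate issued for the key. Any other position means the first certificate in the file is a different one, which is the situation post 11 suspects, and 0 means no certificate in the file belongs to the key at all.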