Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

ClearPass Service certificate expiry

  • 1.  ClearPass Service certificate expiry

    Posted May 31, 2021 02:08 AM
    Hi 
    I was assisting a customer to renew their ClearPass certificates for RADIUS server and HTTPS server. There was an additional expiry warning message "1 Service certificate is expiring within 30 days".

    When I click on Administration > Certificate Store > Service & Client Certificates, I see a service certificate that is near expiry. Can anyone advise how or what this service certificate is used for? Is the renewal the same procedure as per Server certificate?



    Thanks very much

    ------------------------------
    Simon Lim
    ------------------------------


  • 2.  RE: ClearPass Service certificate expiry
    Best Answer

    MVP EXPERT
    Posted Jun 01, 2021 07:15 AM
    It will be a certificate that is assigned to a ClearPass service. You will need to check the Services to determine which is using the certificate in question. Renewing the certificate would be the standard process, either via a CSR generated on the appliance or created 'off box'.

    https://www.arubanetworks.com/techdocs/ClearPass/6.9/PolicyManager/Content/CPPM_UserGuide/Admin/service_certificate_assign_to_service.htm

    ------------------------------
    Craig Syme
    ------------------------------



  • 3.  RE: ClearPass Service certificate expiry

    Posted Jun 01, 2021 07:44 PM
    Hi Craig,

    Thanks for the reply. Appreciate it.

    I have checked through their existing Service Authentication configuration pages and the certificate wasn't selected. It must probably have been imported unnecessarily.

    Can you share what may be the possible use case of having separate certificate(s) for each service as compared to just using the main one?

    Thanks.

    ------------------------------
    Simon Lim
    ------------------------------



  • 4.  RE: ClearPass Service certificate expiry

    Posted Jun 02, 2021 08:50 AM
    Hi,
    One reason for having service based certificates might be to check that replacement of the global RADIUS cert with a new provider will still work. You could replicate an existing dot1x service and then use the new cert / supplier CA chain and point test users at it to see if it works.

    or

    If using RadSec to proxy auth requests off to another site via UKERNA, your service needs to have a GEANT approved cert. You wouldn't want to use the cert for any other local RadSec services, so you would assign it to a specific CPPM service. In this case you would have the GEANT cert applied to the RADIUS proxy service that sends auth to the remote site via UKERNA.

    A




  • 5.  RE: ClearPass Service certificate expiry

    Posted Jun 02, 2021 06:27 PM
    Hi Alex,

    Thanks very much for the information. Very much appreciated. 


    ------------------------------
    Simon Lim
    ------------------------------