last person joined: 11 hours ago 

Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).
Expand all | Collapse all

ClearPass Service certificate expiry

Jump to Best Answer
This thread has been viewed 23 times
  • 1.  ClearPass Service certificate expiry

    Posted May 31, 2021 02:08 AM
    I was assisting a customer to renew their ClearPass certificates for RADIUS server and HTTPS server. There was an additional expiry warning message "1 Service certificate is expiring within 30 days".

    When I click on Administration > Certificate Store > Service & Client Certificates, I see a service certificate that is near expiry. Can anyone advise how or what is this service certificate used for? Is the renewal the same procedure as per Server certificate?

    Thanks very much

    Simon Lim

  • 2.  RE: ClearPass Service certificate expiry
    Best Answer

    Posted Jun 01, 2021 07:15 AM
    It will be a certificate that is assigned to a ClearPass service. You will need to check the Services to determine which is using the certificate in question. Renewing of the certificate would be the standard process. Either via a CSR generated on the appliance or created 'off box'.

    Craig Syme

  • 3.  RE: ClearPass Service certificate expiry

    Posted Jun 01, 2021 07:44 PM
    Hi Craig,

    Thanks for the reply. Appreciate it.

    I have checked through their existing Service Authentication configuration pages and the certificate wasn't selected. It must probably be imported unnecessarily.

    Can you share what may be the possible use case of having separate certificate(s) for each service as compared to just using the main one?


    Simon Lim

  • 4.  RE: ClearPass Service certificate expiry

    Posted Jun 02, 2021 08:50 AM
    One reason for having service based certificates might be to check that replacement of the global RADIUS cert wit a new provider will still work. You could replicate an existing dot1x service and then use the new cert / supplier CA chain and point test users at it to see if it works.


    if using radsec to proxy auth requests off to another site via UKERNA your service needs to have a GEANT approved cert. you wouldn’t want to use the cert for any other local radsec services so would assign it to a specific cppm service, in this case you would have the GEANT cert applied to the radius proxy service that sends auth to the remote site via UKERNA


  • 5.  RE: ClearPass Service certificate expiry

    Posted Jun 02, 2021 06:27 PM
    Hi Alex,

    Thanks very much for the information. Very much appreciated. 

    Simon Lim