Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

[CLEARPASS] https and radius certificates management

  • 1.  [CLEARPASS] https and radius certificates management

    Posted May 07, 2021 05:50 AM
    Hello,

    I have a cluster with a publisher, a standby publisher and several subscribers. Right now I have the same RADIUS certificate installed in all of them (Certificate Store) and a specific HTTPS certificate installed in each of the nodes (Certificate Store). I'd like to improve this scheme, and I was thinking of creating a "service certificate" linked with the RADIUS certificate and associating it inside the specific services where it is used. By doing this, I understand that I can install the RADIUS certificate only in the publisher, can't I? Because the certificate is linked to the service.

    About HTTPS certificates, I was thinking of creating a wildcard certificate, but this does not give me the chance to install the certificate only in the publisher node. Is there any way to install this certificate only in the publisher node?

    Is there any new feature in the new CPPM releases (6.9) that could allow me to centralize certificate management through the publisher node?

    Thanks in advance.

    ------------------------------
    tech_sec
    ------------------------------


  • 2.  RE: [CLEARPASS] https and radius certificates management
    Best Answer

    Posted May 10, 2021 07:28 AM
    Hi

    Certificates must be installed per node as long as we are not talking about service certificates.
    If you plan to use the same certificate on several servers, you need to install it on each server.

    Do you have, or plan to have, CX switches and utilize downloadable roles?
    In that case you need to configure the switch to contact ClearPass based on FQDN, not IP, and the FQDN you configure in the switch must be in the Common Name field in the certificate. Otherwise the download of the downloadable role will fail.


    ------------------------------
    Best Regards
    Jonas Hammarbäck
    ACCX #1335, ACMP
    Aranya AB
    ------------------------------
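
A check for the requirement in the answer above (the switch contacts ClearPass by FQDN, and that FQDN is in the certificate's Common Name), as an added example that is not part of the original thread or of any HPE Aruba tooling. The hostnames and certificates are constructed samples; the certificate dicts use the shape returned by Python's `ssl.SSLSocket.getpeercert()`.

```python
import ipaddress

# Constructed sample data: the target each switch is configured to contact and
# the node certificate it would receive (getpeercert() dict shape).
# All hostnames and addresses are hypothetical.
SAMPLE = [
    ("cppm-pub.example.net", {"subject": ((("commonName", "cppm-pub.example.net"),),)}),
    ("10.0.0.11", {"subject": ((("commonName", "cppm-sub1.example.net"),),)}),
    ("cppm-sub2.example.net", {"subject": ((("commonName", "*.example.net"),),)}),
    ("CPPM-SUB3.example.net.", {"subject": ((("commonName", "cppm-sub3.example.net"),),)}),
]

def common_names(cert):
    """Return every commonName value found in the certificate subject."""
    return [value for rdn in cert.get("subject", ())
            for key, value in rdn if key == "commonName"]

def is_ip(target):
    """True when the configured target is an IP literal rather than a name."""
    try:
        ipaddress.ip_address(target)
        return True
    except ValueError:
        return False

def normalise(name):
    """DNS names compare case-insensitively; drop a trailing root dot."""
    return name.rstrip(".").lower()

def check_target(target, cert):
    """Classify one switch-to-ClearPass target against the node certificate."""
    if is_ip(target):
        return "FAIL: configured by IP, not FQDN"
    cns = [normalise(cn) for cn in common_names(cert)]
    if normalise(target) in cns:
        return "OK"
    if any(cn.startswith("*.") for cn in cns):
        # The thread only states that the FQDN must be in the CN, so a
        # wildcard CN is flagged for manual verification, not judged here.
        return "REVIEW: wildcard CN, FQDN not literally present"
    return "FAIL: FQDN not in Common Name"

def audit(pairs):
    """Map each configured target to its finding."""
    return {target: check_target(target, cert) for target, cert in pairs}

if __name__ == "__main__":
    for target, result in audit(SAMPLE).items():
        print(f"{target:28} {result}")
```
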



  • 3.  RE: [CLEARPASS] https and radius certificates management

    Posted May 11, 2021 05:53 PM
    Thank you very much Jonas, I'll follow your instructions.

    ------------------------------
    tech_sec
    ------------------------------