
Single certificate deployment for ClearPass Cluster

  • 1.  Single certificate deployment for ClearPass Cluster

    Posted Nov 19, 2019 02:54 AM



    I've read Certificates 101 which helps a lot with how to format the CSR... SAN Fields etc.


    However, we have multiple CPPM servers and I would like to use 1 certificate (signed by an external CA), for both Radius and HTTPS on all servers.


    Can you generate the CSR on any of the CPPM servers and assuming the SAN fields are correct it will work? We currently have generated a separate CSR on each CPPM server, but to help ease administration 1 certificate for all servers seems like a good idea.


    I was worried that if I generated the CSR on CPPM-A for example, the signed cert would only work on that CPPM server. Does anyone know which CPPM server to generate the CSR on to use 1 certificate on multiple CPPM servers?



  • 2.  RE: Single certificate deployment for ClearPass Cluster

    Posted Nov 19, 2019 08:12 AM
    I would recommend to use two separate certs:
    - 1x for RADIUS (you only need 1x common name)
    - 1x for HTTPS (this cert can be multiple purpose: management access, guest captive portal, etc., and if that is a requirement you will need to add all the ClearPass nodes' FQDNs as SANs or you could also use a wildcard cert)

    You can generate the CSR from any server or you could also use OpenSSL.
    Once you purchase the certificate, you need the private key password, which should allow you to import it into all of your servers.

    Thank you

    Victor Fabian

    Pardon typos sent from Mobile

  • 3.  RE: Single certificate deployment for ClearPass Cluster
    Best Answer

    Posted Dec 10, 2019 09:14 AM

    Hi Victor,


    All of our deployment is internal so we will be using our internal PKI for all the certs.


    I resolved this by creating the CSR from either server, getting the cert signed via PKI, importing the certificate onto that server (where the CSR was created), and then exporting the key as a .p12 file, which then allowed me to install it on my other clusters.
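
The workflow discussed in this thread, done with OpenSSL as an added example (not code from any poster and not ClearPass's own tooling): one key and one CSR carrying every node FQDN as a SAN, a check that each node is covered, and a PKCS#12 bundle for import on the other nodes. The hostnames, file names, `P12_PASS` variable and the self-signing stand-in for the CA are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Added example. Hostnames, file names and the passphrase are constructed.
set -eu
CN="clearpass.example.internal"                          # shared name (assumed)
NODES="cppm-a.example.internal cppm-b.example.internal"  # node FQDNs (assumed)

# Write a request config that lists the CN and every node FQDN as a DNS SAN.
write_cfg() {  # $1 = output path
  {
    printf '[req]\nprompt = no\ndistinguished_name = dn\nreq_extensions = ext\n'
    printf '[dn]\nCN = %s\n[ext]\nsubjectAltName = @alt\n[alt]\nDNS.1 = %s\n' "$CN" "$CN"
    i=2; for n in $NODES; do printf 'DNS.%d = %s\n' "$i" "$n"; i=$((i+1)); done
  } > "$1"
}

# Create one private key and one CSR for the whole cluster.
make_csr() {  # $1 = working directory
  write_cfg "$1/req.cnf"
  (umask 077; openssl req -new -newkey rsa:2048 -nodes -config "$1/req.cnf" \
     -keyout "$1/cluster.key" -out "$1/cluster.csr" 2>/dev/null)
}

# True only if the CSR carries the given FQDN as a DNS SAN.
csr_has_san() {  # $1 = CSR path, $2 = FQDN
  openssl req -in "$1" -noout -text | tr ',' '\n' |
    sed 's/^[[:space:]]*//' | grep -qxF "DNS:$2"
}

# True only if the certificate was issued for this private key.
key_matches_cert() {  # $1 = key path, $2 = certificate path
  [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = \
    "$(openssl x509 -in "$2" -noout -pubkey)" ]
}

# Bundle key and signed certificate into a passphrase-protected PKCS#12 file.
make_p12() {  # $1 = working directory; passphrase is read from $P12_PASS
  key_matches_cert "$1/cluster.key" "$1/cluster.crt" || return 1
  (umask 077; openssl pkcs12 -export -inkey "$1/cluster.key" \
     -in "$1/cluster.crt" -out "$1/cluster.p12" -passout env:P12_PASS)
}

# Stand-in for the CA: self-sign the CSR so the example runs offline.
demo_sign() {  # $1 = working directory
  openssl x509 -req -in "$1/cluster.csr" -signkey "$1/cluster.key" -days 1 \
    -extfile "$1/req.cnf" -extensions ext -out "$1/cluster.crt" 2>/dev/null
}
```

In real use the certificate returned by the CA takes the place of the `demo_sign` step, saved as `cluster.crt` in the working directory. Because the `.p12` file contains the private key, it should be moved between nodes over a protected channel and deleted from intermediate locations afterwards.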