Security


Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).

Pending root certificate installation message

  • 1.  Pending root certificate installation message

    Posted Jul 28, 2021 11:11 AM
    ClearPass 6.10.1 fixes an issue with a 2930 switch pulling an ECC cert down from a CPPM server instead of an RSA one.

    I have DHCP fingerprinting set up on a 2930 switch and it was all working fine under 6.9.x ... when I installed 6.10.0, a sh crypto pki ta-profile detail command showed

    Profile Name : cppmnd.sharaz.info

    Profile Status : Pending Root Certificate Installation
    CRL Configured : No
    OCSP Configured : No

    O.k., I thought, that's the bug that was fixed in 6.10.1

    So I've tried

    crypto ca-download usage clearpass force

    to get the current CA chain ... (Let's Encrypt CA)


    and nothing happens...

    What am I supposed to do to get the correct CA root from ClearPass back into the switch?

    A

    ------------------------------
    Alex Sharaz
    ------------------------------


  • 2.  RE: Pending root certificate installation message

    Posted Jul 28, 2021 11:15 AM
    O.k., in the log file I can see lots of

    I 07/28/21 16:12:31 05811 CADownload: Successfully downloaded the certificate
    from 192.168.1.22 server


    messages for both cppm cluster members

    So why

    Aruba-2930F(config)# sh crypto pki ta-profile

    Profile Name    Profile Status                 CRL Configured  OCSP Configured
    --------------- ------------------------------ --------------- ---------------
    IDEVID_ROOT     Root Certificate Installed
    COMODO_RSA_CA   Root Certificate Installed     No              No
    GEOTRUST_CA     Root Certificate Installed     No              No
    ARUBA_CA        Root Certificate Installed     No              No
    cppmnd2.shar... Pending Root Certificate In... No              No
    DST Root CA X3  Root Certificate Installed     No              No
    cppmnd.shara... Pending Root Certificate In... No              No


    ------------------------------
    Alex Sharaz
    ------------------------------



  • 3.  RE: Pending root certificate installation message

    Posted Jul 28, 2021 11:58 AM
    So ..

    crypto pki zeroize

    flushes out everything

    crypto ca-download usage clearpass force

    pulls down the CA cert

    sh crypto pki ta-profile detail

    Profile Name : DST Root CA X3

    Profile Status : Root Certificate Installed
    CRL Configured : No
    OCSP Configured : No

    Profile Name : cppmnd2.sharaz.info

    Profile Status : Pending Root Certificate Installation
    CRL Configured : No
    OCSP Configured : No

    cppmnd2 .. currently running on a self-signed cert, which explains the message

    ------------------------------
    Alex Sharaz
    ------------------------------



  • 4.  RE: Pending root certificate installation message

    Posted Jul 29, 2021 08:56 AM
    So,

    remove use of ECC cert
    install RSA cert
    run commands above on switch
    and all works....

    ------------------------------
    Alex Sharaz
    ------------------------------
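
Added example, not part of the thread and not Aruba code: a small Python check that reads saved `sh crypto pki ta-profile` output in either layout quoted above and lists the trust-anchor profiles whose status is anything other than "Root Certificate Installed". The sample text is constructed from the posts, and the function names are hypothetical.

```python
import re

# Constructed samples in the two layouts quoted in the thread.
DETAIL = """\
Profile Name : DST Root CA X3

Profile Status : Root Certificate Installed
CRL Configured : No
OCSP Configured : No
Profile Name : cppmnd2.sharaz.info

Profile Status : Pending Root Certificate Installation
CRL Configured : No
OCSP Configured : No
"""
TABLE = """\
Profile Name    Profile Status                 CRL Configured  OCSP Configured
--------------- ------------------------------ --------------- ---------------
IDEVID_ROOT     Root Certificate Installed
DST Root CA X3  Root Certificate Installed     No              No
cppmnd.shara... Pending Root Certificate In... No              No
"""

def parse_detail(text):
    """'Label : value' blocks; each 'Profile Name' line starts a new record."""
    profiles = []
    for line in text.splitlines():
        key, sep, value = line.partition(" : ")
        if not sep:
            continue  # blank lines, prompts, anything without a label
        if key.strip() == "Profile Name":
            profiles.append({})
        if profiles:
            profiles[-1][key.strip()] = value.strip()
    return profiles

def parse_table(text):
    """Summary table; columns are cut at the dashed ruler because names contain spaces."""
    lines = text.splitlines()
    ruler = next(i for i, l in enumerate(lines) if l.startswith("---"))
    spans = [m.span() for m in re.finditer(r"-+", lines[ruler])]
    header = [lines[ruler - 1][a:b].strip() for a, b in spans]
    return [dict(zip(header, (row[a:b].strip() for a, b in spans)))
            for row in lines[ruler + 1:] if row.strip()]

def pending(profiles):
    """Names of profiles whose status is not 'Root Certificate Installed'."""
    return [p["Profile Name"] for p in profiles
            if p.get("Profile Status") != "Root Certificate Installed"]
```

The summary table truncates long names and statuses with "...", so a name reported from that layout has to be matched back to the full name in the detail output.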