I have a customer that uses Aruba Instant managed by Airwave and using Clearpass. We are building a Clearpass Guest Self Registration portal and we have gotten to the point where we need to get certificates sorted out. The certificates on Clearpass are handled, but we have hit a hurdle on the certificate for the wireless (Instant) side. We are aware we need to generate a CSR outside of the Instant platform; however, all of the solutions we have found will generate a CSR and a Private Key file just fine, but we don't know what the passphrase is, so we can't upload the certificate to Airwave for use on the Instant clusters.
Is there something I am missing here or am I thinking about this all wrong? Customer had a certificate issued based on a CSR that they generated with no Private Key file, so we are going to need to re-key that cert, but we are in a holding pattern until we can get this private key issue figured out. Any suggestions? It's amazing I haven't run into this before...but I expect to run into it more in the future.
Have you checked this thread: How do I generate a CSR from an Virtual Controller?
Yes, and that was the source of my sentence saying we were aware that the CSR needs to be generated outside of the Instant platform. Our problem isn't in generating a CSR, it's generating a CSR and a private key file where we know what the private key is so that we can upload it.
Just to get it right, because I think I am missing something here:
1. You are generating a CSR for FQDN of captive portal.
2. Then you are submitting this CSR to CA (public or private?)
3. The CA is giving you a .crt file and a .key file (if I am understanding correctly?)
4. If yes, you can modify both files with Wordpad or Notepad++ and then when you combine them both.
5. Upload them as CER (just enter any password).
I would highly recommend using a separate program for creating the private key and CSR, openssl being the default to go to.
Example process: https://itigloo.com/security/generate-an-openssl-certificate-request-with-sha-256-signature/
Sometimes when you generate the private key, the key itself isn't stored in a secured manner so there isn't any password to deal with. Problem with that is that any interface that doesn't make the key password optional is going to have issues. You can get around that challenge by either applying a password or repackaging the key and certificate into a PKCS#12 (PFX) format.
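The approach from the answer above, sketched as an added example that is not part of the original thread: create the key with a passphrase you choose, build the CSR from it, or encrypt an existing unprotected key, then bundle key and certificate as PKCS#12. The host name `portal.example.com`, the file names and the passphrase are constructed values, and the self-signed certificate only stands in for the one a CA would issue from the CSR.

```shell
#!/bin/sh
# Added example: host name, file names and passphrase are constructed values.
# The passphrase is read from $KEY_PASS (env:) so it never appears in argv.

# Case 1: start fresh. Encrypted RSA key plus SHA-256 CSR to send to the CA.
new_key_and_csr() {  # usage: new_key_and_csr <dir> <fqdn>
    openssl genrsa -aes256 -passout env:KEY_PASS -out "$1/portal.key" 2048 &&
    openssl req -new -sha256 -key "$1/portal.key" -passin env:KEY_PASS \
        -subj "/CN=$2" -out "$1/portal.csr"
}

# Case 2: an existing key was written without a passphrase. Encrypt a copy.
add_passphrase() {  # usage: add_passphrase <plain.key> <encrypted.key>
    openssl rsa -aes256 -in "$1" -passout env:KEY_PASS -out "$2"
}

# Stand-in for the CA: self-sign the CSR so the example runs offline.
self_sign() {  # usage: self_sign <dir>
    openssl x509 -req -sha256 -days 30 -in "$1/portal.csr" \
        -signkey "$1/portal.key" -passin env:KEY_PASS -out "$1/portal.crt"
}

# Confirm the certificate belongs to this private key before uploading.
key_matches_cert() {  # usage: key_matches_cert <key> <cert>
    k=$(openssl pkey -in "$1" -passin env:KEY_PASS -pubout | openssl sha256)
    c=$(openssl x509 -in "$2" -noout -pubkey | openssl sha256)
    [ "$k" = "$c" ]
}

# Bundle key and certificate into one PKCS#12 (PFX) file protected by $KEY_PASS.
make_pfx() {  # usage: make_pfx <dir> <friendly-name>
    openssl pkcs12 -export -inkey "$1/portal.key" -passin env:KEY_PASS \
        -in "$1/portal.crt" -name "$2" -passout env:KEY_PASS -out "$1/portal.pfx"
}

demo() {
    KEY_PASS='constructed-demo-passphrase'; export KEY_PASS
    d=$(mktemp -d) || return 1
    new_key_and_csr "$d" portal.example.com && self_sign "$d" &&
    key_matches_cert "$d/portal.key" "$d/portal.crt" &&
    make_pfx "$d" portal.example.com && echo "wrote $d/portal.pfx"
}
demo
```

A certificate issued for a CSR whose private key was never saved will fail `key_matches_cert` against any new key, which is why that certificate has to be re-keyed from a fresh CSR.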
Thank you. I was avoiding using openssl but this actually solved all of our problems.