Security

  • 1.  ClearPass 6.10 ECC / RSA certificate issue with automated switch CA download

    Posted Jun 30, 2021 02:52 AM
    Hello Community,

    I installed a ClearPass Cluster with Version 6.10.0 (fresh installation - no upgrade).
    I have an internal PKI (Root CA, Sub CA) for my environment.
    After installation of my 2 ClearPass Servers I created a signing request for an RSA certificate and I imported this signed certificate into my ClearPass Servers. I also added the Root and Sub CA Certificates to the Trust List of both Servers - everything is fine.
    Since ClearPass 6.10.0 has ECC certificates enabled per default, I disabled the (self signed) ECC certificate on both servers, so that ClearPass should use the RSA certificate which is signed from my SubCA.
    This worked without problems: when I use a browser and go to my ClearPass Servers, I get presented the RSA certificates. Next I created a user with role api-admin.

    Now I want my aruba 2930M (WC_16_10_0015) Switches to connect with ClearPass and download the CA with the command:
    crypto ca-download usage clearpass retry 3
    In the log I can see the switch tries to download the certificate:
    I 06/30/21 08:31:31 05811 CADownload: ST1-CMDR: Successfully downloaded the
    certificate from 10.51.0.12 server
    I 06/30/21 08:31:31 05811 CADownload: ST1-CMDR: Successfully downloaded the
    certificate from 10.51.0.11 server

    But when I look at the CA certs, I see the status "Pending Root Certificate Installation..."
    sw-1# show crypto pki ta-profile
    Profile Name Profile Status CRL Configured OCSP Configured
    --------------- ------------------------------ --------------- ---------------
    IDEVID_ROOT Root Certificate Installed
    COMODO_RSA_CA Root Certificate Installed No No
    default Self-signed Certificate Ins... No No
    GEOTRUST_CA Root Certificate Installed No No
    ARUBA_CA Root Certificate Installed No No
    CP-VM01 Pending Root Certificate In... No No
    cp-vm02 Pending Root Certificate In... No No


    sw-1# debug destination session
    sw-1# debug cppm

    0004:17:57:05.52 CPPM mcppmTask:Clearpass CA download request to :
    http://10.51.0.11/.well-known/aruba/clearpass/https-root.pem

    0004:17:57:05.52 CPPM mcppmTask:Clearpass CA download request to :
    http://10.51.0.12/.well-known/aruba/clearpass/https-root.pem

    0004:17:57:05.53 CPPM mcppmTask:Failed to install the Certificate

    I 06/30/21 08:37:31 05811 CADownload: ST1-CMDR: Successfully downloaded the certificate from 10.51.0.11 server

    0004:17:57:05.55 CPPM mcppmTask:Failed to install the Certificate

    I 06/30/21 08:37:31 05811 CADownload: ST1-CMDR: Successfully downloaded thecertificate from 10.51.0.12 server

    When I browse the URL http://10.51.0.11/.well-known/aruba/clearpass/https-root.pem I can see a certificate. But this is the self signed ECC certificate which I turned off.

    Is there an option to change this behavior so ClearPass is presenting the RSA Certificate and the Root CA instead of the self signed ECC certificate?

    In my installation with CP 6.8 and 6.9 that worked without problems, but there were no ECC certificates.

    Regards


  • 2.  RE: ClearPass 6.10 ECC / RSA certificate issue with automated switch CA download
    Best Answer

    Posted Jun 30, 2021 10:16 AM
    This is a known issue that is expected to be fixed in 6.10.1. The RSA certificate has moved with the introduction of ECC certificates to https-root-rsa.pem, but this breaks the automatic download of the root trust anchor.

    As a workaround, install the trust anchor through your management platform (Central, Airwave, etc), till ClearPass 6.10.1 is out. After that fix, with a disabled ECC, the RSA root will be available as https-root.pem as well, which will resolve the issue you have now.

    If it really impacts your implementation, you could reach out to Aruba Support, and ask them to copy the https-root-rsa.pem to https-root.pem as well through support access.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------
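To see for yourself which file a ClearPass node serves at the two well-known paths named above, here is a small checker (added example, not code from the thread or from Aruba). It walks the certificate's DER with the standard library only and reports the public-key algorithm and whether the certificate looks self-signed (issuer DN equal to subject DN, a heuristic); the node addresses are the ones from the original post.

```python
import base64
import urllib.request

OID_RSA = "1.2.840.113549.1.1.1"   # rsaEncryption
OID_EC = "1.2.840.10045.2.1"       # id-ecPublicKey
PATHS = ("https-root.pem", "https-root-rsa.pem")  # switch fetches the first; 6.10.0 moved the RSA root to the second

def _tlv(buf, pos):  # decode one DER tag/length/value at pos -> (tag, value, next_pos)
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:                                   # long-form length
        n, pos = int.from_bytes(buf[pos:pos + (n & 0x7F)], "big"), pos + (n & 0x7F)
    return tag, buf[pos:pos + n], pos + n

def _children(buf):  # split a constructed DER value into its (tag, value) children
    pos, out = 0, []
    while pos < len(buf):
        tag, val, pos = _tlv(buf, pos)
        out.append((tag, val))
    return out

def _oid(raw):  # dotted-string form of a DER-encoded OBJECT IDENTIFIER
    parts, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(acc)
            acc = 0
    return ".".join(map(str, parts))

def classify(pem):
    """Return key algorithm and a self-signed flag (issuer DN == subject DN) for one PEM certificate."""
    der = base64.b64decode("".join(l for l in pem.splitlines() if not l.startswith("-----")))
    cert = _children(der)[0][1]                    # outer Certificate SEQUENCE
    fields = _children(_children(cert)[0][1])      # tbsCertificate fields
    if fields[0][0] == 0xA0:                       # skip the explicit [0] version
        fields = fields[1:]
    _serial, _sigalg, issuer, _validity, subject, spki = fields[:6]
    alg = _oid(_children(_children(spki[1])[0][1])[0][1])   # SubjectPublicKeyInfo.algorithm
    return {"key": {OID_RSA: "RSA", OID_EC: "EC"}.get(alg, alg), "self_signed": issuer[1] == subject[1]}

def fetch_roots(host):  # fetch both well-known files over plain HTTP, exactly as the switch does
    out = {}
    for path in PATHS:
        url = f"http://{host}/.well-known/aruba/clearpass/{path}"
        try:
            with urllib.request.urlopen(url, timeout=5) as r:
                out[path] = classify(r.read().decode())
        except Exception as exc:                   # e.g. 404 for the -rsa file on builds without it
            out[path] = {"error": str(exc)}
    return out
```

Running `fetch_roots("10.51.0.11")` against a 6.10.0 node with ECC disabled should show https-root.pem still reporting `{"key": "EC", "self_signed": True}`, which is exactly the symptom in the question.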



  • 3.  RE: ClearPass 6.10 ECC / RSA certificate issue with automated switch CA download

    Posted Jul 07, 2021 02:40 AM
    Hello Herman,
    thanks for your answer. I opened a TAC Case and they copied the root certificate files.
    Now it works for me :-)

    ------------------------------
    Steffen Ikert
    ------------------------------



  • 4.  RE: ClearPass 6.10 ECC / RSA certificate issue with automated switch CA download

    Posted Jul 13, 2022 01:43 PM
    I opened an SR with HPE; they keep saying it is my own CA cert server, but after I followed your info and disabled the ECC, my cert shows up with full info but it still shows "not secure". I cannot figure out why it is doing that; the root and my intermediate are in the trust list. Any help?


  • 5.  RE: ClearPass 6.10 ECC / RSA certificate issue with automated switch CA download

    Posted Jul 19, 2022 09:33 AM
    Is this for the Root CA download from ClearPass by your ArubaOS Switch?

    If you are on CPPM 6.10.0, upgrade to CPPM 6.10.6 and see if that resolves the issue.

    Otherwise, please open a new discussion and include what certificates you installed (screenshots) and where you see the 'not secure' message (screenshot).

    ------------------------------
    Herman Robers
    ------------------------------