Hello Community,
I installed a ClearPass Cluster with Version 6.10.0 (fresh installation - no upgrade).
I have an internal PKI (Root CA, Sub CA) for my environment.
After installation of my 2 ClearPass Servers I created a signing request for an RSA certificate and I imported this signed certificate into my ClearPass Servers. I also added the Root and Sub CA Certificates to the Trust List of both Servers - everything is fine.
Since ClearPass 6.10.0 has ECC certificates enabled by default, I disabled the (self-signed) ECC certificate on both servers, so that ClearPass should use the RSA certificate which is signed by my SubCA.
This worked without problems: when I use a browser and go to my ClearPass Servers, I get presented the RSA certificates. Next I created a user with role api-admin.
Now I want my Aruba 2930M (WC_16_10_0015) switches to connect to ClearPass and download the CA with the command:
crypto ca-download usage clearpass retry 3
In the log I can see that the switch tries to download the certificate:
I 06/30/21 08:31:31 05811 CADownload: ST1-CMDR: Successfully downloaded the certificate from 10.51.0.12 server
I 06/30/21 08:31:31 05811 CADownload: ST1-CMDR: Successfully downloaded the certificate from 10.51.0.11 server
But when I look at the CA certs, I see the status "Pending Root Certificate Installation..."
sw-1# show crypto pki ta-profile
Profile Name    Profile Status                 CRL Configured  OCSP Configured
--------------- ------------------------------ --------------- ---------------
IDEVID_ROOT     Root Certificate Installed
COMODO_RSA_CA   Root Certificate Installed     No              No
default         Self-signed Certificate Ins... No              No
GEOTRUST_CA     Root Certificate Installed     No              No
ARUBA_CA        Root Certificate Installed     No              No
CP-VM01         Pending Root Certificate In... No              No
cp-vm02         Pending Root Certificate In... No              No
sw-1# debug destination session
sw-1# debug cppm
0004:17:57:05.52 CPPM mcppmTask:Clearpass CA download request to :
http://10.51.0.11/.well-known/aruba/clearpass/https-root.pem
0004:17:57:05.52 CPPM mcppmTask:Clearpass CA download request to :
http://10.51.0.12/.well-known/aruba/clearpass/https-root.pem
0004:17:57:05.53 CPPM mcppmTask:Failed to install the Certificate
I 06/30/21 08:37:31 05811 CADownload: ST1-CMDR: Successfully downloaded the certificate from 10.51.0.11 server
0004:17:57:05.55 CPPM mcppmTask:Failed to install the Certificate
I 06/30/21 08:37:31 05811 CADownload: ST1-CMDR: Successfully downloaded the certificate from 10.51.0.12 server
When I browse the URL
http://10.51.0.11/.well-known/aruba/clearpass/https-root.pem
I can see a certificate. But this is the self-signed ECC certificate which I turned off.
Is there an option to change this behavior so ClearPass is presenting the RSA certificate and the Root CA instead of the self-signed ECC certificate?
In my installation with CP 6.8 and 6.9 that worked without problems, but there were no ECC certificates.
Regards