ClearPass Guest Certificate Renewal

  • 1.  ClearPass Guest Certificate Renewal

    Posted Aug 16, 2024 08:20 AM

    We're updating the ClearPass guest certificate, and this is my first time handling it. This certificate is used for guest authentication. Besides importing the certificate, is there anything else I need to do? Any help would be appreciated!



  • 2.  RE: ClearPass Guest Certificate Renewal

    Posted Aug 16, 2024 09:55 AM

    Hi

    I assume you are referring to the HTTPS certificate in ClearPass?

    If so, you should take care to keep the same SAN names in the new certificate, as this certificate is used not only for the HTTPS traffic for the guests when browsing the captive portal pages, but also for the management access to the ClearPass server. If you are using Downloadable User Roles for switches or WLAN, you should also make sure to have the new certificate issued by the same root CA. If not, you have to make sure your network infrastructure trusts the new CA, or the Downloadable User Role download may stop working.

    If all this is correct, changing the certificate is easy. After the new certificate has been installed, it may take up to a few minutes before it has been fully applied.

    Export the old certificate and keep it as a backup in case you need to do a rollback.



    ------------------------------
    Best Regards
    Jonas Hammarbäck
    MVP Guru 2024, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACSA
    Aranya AB
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------



  • 3.  RE: ClearPass Guest Certificate Renewal

    Posted Aug 19, 2024 04:26 AM

    Hi @jonas.hammarback, thank you for the update. If we have multiple SAN names, how should we include them in the SAN name field of the ClearPass CSR?




  • 4.  RE: ClearPass Guest Certificate Renewal

    Posted Aug 19, 2024 08:07 AM

    There should be a wildcard or SANs in your certificate for at least every FQDN that your ClearPass server should be addressable on.

    The easiest is to see whatever is in the current HTTPS certificate and get a new one with the same, assuming everything currently works as expected.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 5.  RE: ClearPass Guest Certificate Renewal

    Posted Aug 20, 2024 03:44 AM

    It depends on your CA issuer. Usually you have an option to add additional SAN entries to the CSR via the provider's interface before you sign it. Another option is to use OpenSSL to add additional SAN entries to the CSR before it's sent to the CA. The third option would be to generate the certificate and private key via the provider's interface and add the required SAN fields during certificate creation. It really depends on the provider.

    In the ClearPass CA you have an option to add SAN fields via the GUI in the Onboarding module when you sign the certificate.

    Best, Gorazd



    ------------------------------
    Gorazd Kikelj
    MVP Guru 2024
    ------------------------------



  • 6.  RE: ClearPass Guest Certificate Renewal

    Posted Aug 20, 2024 08:06 AM

    Hi

    The syntax for the SAN in the ClearPass CSR dialogue is DNS:name1.domain.com,DNS:name2.domain.com.

    As @GorazdKikelj mentions, there is also an option to add the SAN fields during the ordering process with some public CAs.



    ------------------------------
    Best Regards
    Jonas Hammarbäck
    MVP Guru 2024, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACSA
    Aranya AB
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------
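
A pre-flight check for the advice in posts 2, 4 and 6, as an added example that is not part of any post: it reads the DNS SANs from the current certificate, prints them in the DNS:a,DNS:b form given above, and reports SANs missing from the replacement and whether the issuer name changed. The certificates, host names and file paths are constructed for the demonstration and OpenSSL 1.1.1 or later is assumed; SAN matching is literal (a wildcard is not treated as covering a host name) and only the immediate issuer DN is compared, not the full chain.

```shell
#!/bin/sh
# Added example: compare the current and replacement HTTPS certificates before import.

# Print the DNS SAN entries of a PEM certificate, one per line, sorted.
san_list() {
  openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null |
    tr ',' '\n' | sed -n 's/^ *DNS://p' | sort -u
}

# Render the SANs of a certificate in the CSR dialogue syntax quoted in post 6.
csr_san_field() {
  san_list "$1" | sed 's/^/DNS:/' | paste -sd, -
}

# Print every SAN present in the old certificate ($1) but absent from the new one ($2).
missing_sans() {
  new=$(san_list "$2")
  san_list "$1" | while read -r name; do
    printf '%s\n' "$new" | grep -qxF -- "$name" || printf '%s\n' "$name"
  done
}

# Succeed when both certificates carry the same issuer DN (immediate issuer only).
issuer_of() { openssl x509 -in "$1" -noout -issuer -nameopt RFC2253; }
same_issuer() { [ "$(issuer_of "$1")" = "$(issuer_of "$2")" ]; }

# Constructed self-signed test certificate: make_cert <out.pem> <subject> <san-string>.
# Self-signed means issuer equals subject, which is enough to exercise same_issuer.
make_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "$2" \
    -addext "subjectAltName=$3" -keyout "$1.key" -out "$1" 2>/dev/null
}

# Constructed sample data: the "new" certificate has lost one SAN.
WORK=$(mktemp -d)
make_cert "$WORK/old.pem" "/CN=cppm.example.com" \
  "DNS:cppm.example.com,DNS:guest.example.com"
make_cert "$WORK/new.pem" "/CN=cppm.example.com" "DNS:cppm.example.com"

echo "SAN field for the CSR: $(csr_san_field "$WORK/old.pem")"
echo "SANs missing from the new certificate:"
missing_sans "$WORK/old.pem" "$WORK/new.pem"
if same_issuer "$WORK/old.pem" "$WORK/new.pem"; then
  echo "Issuer DN unchanged"
else
  echo "Issuer DN changed: check that the network infrastructure trusts the new CA"
fi
```

For a real renewal, point the functions at the exported current certificate and the newly issued one instead of the constructed files.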



  • 7.  RE: ClearPass Guest Certificate Renewal

    Posted Aug 22, 2024 03:58 AM

    Thank you all. The HTTPS certificate has been successfully updated in ClearPass.