Security

 View Only
Expand all | Collapse all

ClearPass HTTPS Certificate Help

This thread has been viewed 91 times
  • 1.  ClearPass HTTPS Certificate Help

    Posted Aug 27, 2020 05:18 PM

    This seems almost silly, but I am unable to upload a server certificate to my ClearPass server. Running ClearPass v6.9.2. I generated the CSR from ClearPass and it popped up a little message:

     

    "Private Key is stored in the system. You can now upload certificate alone without using Private Key."

     

    But when I try to upload the certificate I get an error: "Private Key File is not in the system."

     

    Seems like it should be a pretty straight forward import process, but it's not working. Is anyone else having this issue?



  • 2.  RE: ClearPass HTTPS Certificate Help

    Posted Aug 30, 2020 12:14 AM

    I believe the private key file is deleted from ClearPass 7 days from the CSR creation. 

    If it is more than 7 days since the associated CSR was generated, you have to create a new CSR.



  • 3.  RE: ClearPass HTTPS Certificate Help

    Posted Jul 22, 2021 05:34 AM
    Hi there, 

    Did you ever get a solution to this issue. I seem to have the same problem.

    I generate a CSR, get the message "Private Key is stored in the system. You can now upload certificate alone without using Private Key."
    No private key is exportable at this stage.
    I get the CSR signed and then try to import "as Certificate (w/ chain), PEM encoded" and the option on CPPM "Upload Certificate and Use Saved Private Key".
    But when I try to upload the certificate I get an error: "Private Key File is not in the system."

    CPPM doesn't seem to be linking up the saved private key with the cert that's being imported.
    Maybe i'm missing something fundamental?

    thanks



    ------------------------------
    Ciaran Byrne
    ------------------------------



  • 4.  RE: ClearPass HTTPS Certificate Help

    Posted Jul 22, 2021 06:40 AM
    Strange,

    there is no change on certificate ?

    do you have check it is for RADIUS / HTTPS ?

    ------------------------------
    PowerArubaSW : Powershell Module to use Aruba Switch API for Vlan, VlanPorts, LACP, LLDP...

    PowerArubaCP: Powershell Module to use ClearPass API (create NAD, Guest...)

    PowerArubaCL: Powershell Module to use Aruba Central

    PowerArubaCX: Powershell Module to use ArubaCX API (get interface/vlan/ports info)..

    ACEP / ACMX #107 / ACDX #1281
    ------------------------------



  • 5.  RE: ClearPass HTTPS Certificate Help

    Posted Jul 22, 2021 07:26 AM
    Hey.

    there is no change on certificate ?
    No change. I've attempted multiple times. 

    do you have check it is for RADIUS / HTTPS ?
    How do you mean? I'm importing it as a https cert.

    I guess I could use openssl to generate csr and private key and then import both together. But I'd be interested to know what i'm doing wrong. I have seen postings in these forums about this issue with no real answer given.

    thanks for your help.

    ------------------------------
    Ciaran Byrne
    ------------------------------



  • 6.  RE: ClearPass HTTPS Certificate Help

    Posted Jul 22, 2021 07:42 AM
      |   view attached
    I generate private key and csr using openssl, had the csr signed and then tried importing the cert along with the private key to CPPM.
    I am now getting the following error - see attachment.

    Do I need to clear an private key on the system that is associated with a previous csr?

    ------------------------------
    Ciaran Byrne
    ------------------------------



  • 7.  RE: ClearPass HTTPS Certificate Help

    Posted Jul 22, 2021 10:18 AM
    Edited by Herman Robers Jul 22, 2021 10:23 AM
    If you generated the key and CSR with openssl, you probably have both the private key and the signed certificate from your CA.

    Just import the key and cert, forget about the saved key, it will be overwritten once you import cert+key.

    BTW: The message suggests that the private key does not match the signed certificate. If you imported both key+cert, these do not belong to each other.

    Aruba TAC, or your partner have done this more often, it may help to seek assistance.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 8.  RE: ClearPass HTTPS Certificate Help

    Posted Jul 29, 2021 11:58 AM
    Edited by Greg_W Aug 03, 2021 11:50 AM
    The message suggests that the private key does not match the signed certificate. If you imported both key+cert, these do not belong to each other.

    ------------------------------
    Strong Pepper
    ------------------------------



  • 9.  RE: ClearPass HTTPS Certificate Help

    Posted Jul 22, 2021 05:43 PM
    Hi Ciaran,

    I share Herman's opinion, looks like a mismatch between key and cert.

    I would suggest you check their modulus md5 to confirm they are indeed "coupled".

    - For the SSL certificate: openssl x509 -noout -modulus -in <file> | openssl md5
    - For the RSA private key: openssl rsa -noout -modulus -in <file> | openssl md5

    Also, as best practice, you should include the certification chain when inserting the certificate. If you have any issues with that, drop a line...

    ------------------------------
    Miguel Goncalves
    ------------------------------



  • 10.  RE: ClearPass HTTPS Certificate Help

    Posted Jul 23, 2021 05:13 AM
    Hi Miguel and Herman,

    Thanks for getting back to me.

    Sorry if I wasn't clearer in my previous messages. Yes we generated the csr and private key with openssl and then get the mismatch error when importing the cert and the key together.
    We ran the openssl commands suggested by Miguel and the md5 hashes match.

    As stated, we also get the mismatch error message when we go through the process of generating the csr through the CP GUI and then importing the signed cert.

    Anyway, we'll contact our support partner and see what they say.

    thanks


    ------------------------------
    Ciaran Byrne
    ------------------------------



  • 11.  RE: ClearPass HTTPS Certificate Help

    Posted Jul 25, 2021 09:16 AM
    From the attachment it and the pem with chain it's likely that the order of certs in the chain isn't what CPPM is expecting. Likely the system is trying to associate the signing CA cert to the saved request/key which won't work. 

    Try importing just the cert and not the entry chain. 

    The chain should be added in the certificate trust list before adding the cert.


  • 12.  RE: ClearPass HTTPS Certificate Help

    Posted Mar 02, 2023 09:04 AM
    Edited by cauliflower Mar 02, 2023 09:27 AM

    Sorry to resurrect an old post. I'm just wondering whether your comments re not including the chain are actually the case. I have read several different recommendations re whether to include the chain. I had thought that including the chain was the correct thing to do but when we tried to replace an existing HTTPS cert with a slightly altered one (one additional SAN) this morning it was a world of pain!

    We actually started off with an entirely new HTTPS cert (generated using openSSL on a different server with a brand new private key), my colleague tried to upload the cert (w/chain) and private key files (as two separate files) but got a key error. We then mucked around playing with several iterations of using the existing (ie the key from the already installed HTTPS cert) private key to generate a new certificate before finally giving up on using openSSL ourselves and generating a new CSR on CPPM itself - this worked but only when we imported a PEM cert only (no chain) (which was the first time we had tried this, so it struck me that some of our previous attempts may have been successful had we tried without chain previously). So I am thoroughly confused as to whether the chain should be included or not! I guess now we know it's a _thing_ we can use trial ane error, but it would be nice to understand




  • 13.  RE: ClearPass HTTPS Certificate Help

    Posted Mar 02, 2023 09:21 AM

    Basic OpenSSL commands: 

    Create an OpenSSL Config File with SANs and Certificate info: 

    [ req ] 
    default_bits       = 2048
    default_md         = sha512 
    prompt             = no 
    encrypt_key        = no 
     
    # base request 
    distinguished_name = req_distinguished_name 
     
    # extensions 
    req_extensions     = v3_req 
     
    [ req_distinguished_name ] 
    countryName            = "US"                     # C= 
    localityName           = "<Your City>"                 # L= 
    organizationName       = "<Your Org>"             # O= 
    organizationalUnitName = "<Your Department>"            # OU= 
    commonName             = "<Your FQDN/WildCard Name>"           # CN= 
    emailAddress           = "<Your Email>"          # CN/emailAddress= 
     
    # req_extensions 
    [ v3_req ] 
    # The subject alternative name extension allows various literal values to be 
    # included in the configuration file 
    #  http://www.openssl.org/docs/apps/x509v3_config.html 
    subjectAltName  = DNS:<Certificate Common Name>,DNS:<Server IP for SAN>,IP:<IP Address for SAN>,DNS:<Additional Alternate Name> 

    RSA Create Private Key and  CSR:

    openssl rand -out .rand 4190000
    openssl genrsa -aes256 -out <CertName>.key -rand .rand  2048
    openssl req -new -key <CertName>.key -out <CertName>.csr -config <Config file Name>.conf
    

    ClearPass can use the Private Key and Certificate that the CA provides, but if you need to create a PFX without the chain:

    openssl pkcs12 -export -in <CertFileFromCA>.cer -inkey <CertName>.key -out <CertName>.pfx