  • 1.  Clearpass HTTPS(ECC) certificate Issue

    Posted Oct 12, 2023 06:15 AM

    Hi All,
    I'm having ClearPass 6.11.1 [FIPS] running in my environment. I'm facing one issue: I was unable to import a CSR for the HTTPS(ECC) certificate apart from the self-signed certificate.
    Is anyone else facing this issue? The error looks like what is shown below.
    I'm using the [NIST.SECG curve over a 256 bit prime field (ec|secp256r1)] private key type and SHA-256 as the digest algorithm while generating the CSR.

    Comments are always welcomed





  • 2.  RE: Clearpass HTTPS(ECC) certificate Issue

    Posted Oct 12, 2023 09:27 AM

    6.11.1 has MANY bugs.  Not sure if this is one of them but before doing anything else I would patch ClearPass to the latest 6.11 patch.  

    That being said did you create the CSR on ClearPass or somewhere else?  Do you have a PEM/DER file to bind or a PKCS#12 file?




  • 3.  RE: Clearpass HTTPS(ECC) certificate Issue

    Posted Oct 12, 2023 10:48 AM
    Hi
    Yes, I have created the CSR from ClearPass itself and have the PEM file in hand.

    Moreover, what is the preferred latest patch for this version? Also, like you said, I'm unable to change any SSH mode in this 6.11.1 version, and TAC also confirmed it's a known issue.





  • 4.  RE: Clearpass HTTPS(ECC) certificate Issue

    Posted Oct 12, 2023 01:37 PM

    The latest one




  • 5.  RE: Clearpass HTTPS(ECC) certificate Issue

    Posted Oct 13, 2023 11:36 AM
    Edited by Herman Robers Oct 13, 2023 11:36 AM

    That error that you see is a known issue when there are multiple CSRs outstanding, like if you generated a CSR and then before completing the import create a new CSR, the private key is not known. It's fixed in a later update of 6.11.

    You can either upgrade to a new version and try over, or reach out to TAC and they can through support mode probably recover the private key and then you can import the key with the certificate. So it depends if you can easily re-run the certificate request. Also, if you can create the key+csr externally, like with tools from your CA or OpenSSL, then you have the key + cert to import and you can avoid this known issue as well.

    Latest patch version for ClearPass 6.11 is 6.11.5 as of today.

    Hope this provides you enough options.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------
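
The external key + CSR route mentioned in the last reply, sketched with OpenSSL for the curve and digest from the original question. This is an added example, not part of any post above; the file names and FQDN passed to the functions are hypothetical, and `-addext` assumes OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# Added example. File names and the FQDN are hypothetical placeholders.

# Create a P-256 key (secp256r1; OpenSSL names it prime256v1) and a CSR
# signed with SHA-256. $1 = key file, $2 = CSR file, $3 = server FQDN.
make_key_and_csr() {
    ( umask 077   # private key readable by its owner only
      openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:prime256v1 \
          -out "$1" ) || return 1
    openssl req -new -sha256 -key "$1" -out "$2" \
        -subj "/CN=$3" -addext "subjectAltName=DNS:$3"
}

# Print the public key (PEM) held in a key, CSR or certificate file.
# $1 = kind (key|csr|cert), $2 = file.
pubkey_of() {
    case $1 in
        key)  openssl pkey -in "$2" -pubout ;;
        csr)  openssl req  -in "$2" -noout -pubkey ;;
        cert) openssl x509 -in "$2" -noout -pubkey ;;
        *)    return 2 ;;
    esac 2>/dev/null
}

# Succeed only if private key $1 matches the CSR or certificate in $3
# ($2 = csr|cert). Unreadable or missing files count as a mismatch.
same_key() {
    a=$(pubkey_of key "$1") || return 1
    b=$(pubkey_of "$2" "$3") || return 1
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Succeed only if CSR $1 uses the P-256 curve and an ECDSA/SHA-256 signature.
csr_is_p256_sha256() {
    t=$(openssl req -in "$1" -noout -text 2>/dev/null) || return 1
    printf '%s\n' "$t" | grep -q 'ASN1 OID: prime256v1' &&
    printf '%s\n' "$t" | grep -q 'Signature Algorithm: ecdsa-with-SHA256'
}
```

Running `same_key server.key cert server.crt` on the certificate the CA returns, before importing the pair, catches the case where the certificate was issued for an earlier CSR than the key on hand.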