
Clearpass Radius/EAP Server Certificate Automation

  • 1.  Clearpass Radius/EAP Server Certificate Automation

    Posted 29 days ago

    Does anybody know what the "official" plan is around Automation of Certificate issuance from CAs for Clearpass Radius/EAP certificate and Guest Portal?

    The new validity and data reuse period has been passed, and it will require replacement every 47 days.

    This timeframe requires admins to automate, on both the server side and the client side, for public certificates.

    *SC081v3 is a CA/Browser Forum decision to reduce the maximum lifespan of publicly trusted TLS and SSL certificates to 47 days.



      • 2.  RE: Clearpass Radius/EAP Server Certificate Automation

        Posted 29 days ago

        API is already available to automate this. Note, this decision by CA/B only applies to public CAs; internal PKI can still issue whatever validity they want.



        ------------------------------
        Carson Hulcher, ACEX#110
        ------------------------------



      • 3.  RE: Clearpass Radius/EAP Server Certificate Automation

        Posted 29 days ago

        I understand we can do it via API, but that requires building an API environment. These requirements really need to be addressed from HPE/Aruba, and automation needs to be product delivered. 30-day replacement is unsustainable, and many customers need public certificates.




      • 4.  RE: Clearpass Radius/EAP Server Certificate Automation

        Posted 29 days ago

        I hear what you are saying and don't disagree that something better could be done.  But at this point the answer is "use the API".  If you feel that is inadequate then I highly recommend you discuss with your account team and have them make the point with product management.



        ------------------------------
        Carson Hulcher, ACEX#110
        ------------------------------



      • 5.  RE: Clearpass Radius/EAP Server Certificate Automation

        Posted 23 days ago

        This also is the exact reason that a private CA is recommended for your RADIUS/EAP certificate. In addition to the need to replace them every year (now) and more often in the future (BTW that is not next year but will take longer), you don't want to risk that the root CA changes at some point in time as that would require that you reconfigure all of your clients. The change of a root CA happens more often with public CAs than with your own private CA where you have the full control.

        I know that the product and other relevant teams within HPE Aruba Networking are aware of this upcoming change, but please follow Carson's guidance if you need to know more.



        ------------------------------
        Herman Robers
        ------------------------------
        If you have urgent issues, always contact your HPE Aruba Networking partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact HPE Aruba Networking TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or HPE Aruba Networking.

        In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
        ------------------------------



      • 6.  RE: Clearpass Radius/EAP Server Certificate Automation

        Posted 23 days ago

        I agree our internal CA would work for some use cases, but we have way too many BYOD devices to expect customers to understand how to trust and/or install a private CA.

        We can do API and will, but what happens when I call support and I have certbot running on an Apple 2e and can't get my certificates working (I'm exaggerating). I brought this up because we want a delivered solution that will be supported, on the product roadmap, and upgraded with the product.

        I think most enterprises are using Public CAs for guest and BYOD and this change in the industry has created a gap in Clearpass as a delivered solution. We have time before these windows tighten, but putting the responsibility on customer for developing an additional environment doesn't make sense.

        HPE/Aruba should be making this a priority and integrated with device. 




      • 7.  RE: Clearpass Radius/EAP Server Certificate Automation

        Posted 23 days ago

        The point that I was trying to make is that commenting here isn't going to change anything.  Please contact your account manager, let them know about your concerns, and have them share those concerns in the proper way with product management.

        That's how this process happens, that's how we get visibility and focus on a desired feature.



        ------------------------------
        Carson Hulcher, ACEX#110
        ------------------------------



      • 8.  RE: Clearpass Radius/EAP Server Certificate Automation

        Posted 23 days ago

        That makes sense chulcher, not the best place for this discussion. I just figured many HPE/Aruba developers and engineers watch these discussions and thought some might have some "inside" track of what the plan will be in the future.

        Thank you for your feedback.




      • 9.  RE: Clearpass Radius/EAP Server Certificate Automation

        Posted 23 days ago

        Even if someone does have inside information, that information would not be shared here until a general public announcement was available.



        ------------------------------
        Carson Hulcher, ACEX#110
        ------------------------------



      • 10.  RE: Clearpass Radius/EAP Server Certificate Automation

        Posted 23 days ago

        It's too hard for end users to configure WPA Enterprise themselves in a secure way. We see many people still using PEAP/MSCHAPv2 without proper certificate validation, and without an automated deployment tool it's close to impossible to make this work in a secure way. End users just accept whatever certificate, with the risk of their credentials leaking. You will need an onboarding tool in practice, and if you need an onboarding tool, it's trivial to deploy the private root CA with it and move to EAP-TLS in the same run to really secure the authentication. I'd still strongly recommend against using public certificates for EAP.

        I use the API approach myself to deploy/renew Let's Encrypt certificates in my lab (the HTTPS ones, not the EAP) with certificate requests/ACME running on an internet-reachable system. The problem of ACME and other automated renewal processes is that most methods require some form of domain control or reachability from the public internet; domain control is not something I would put in a product that has nothing to do with it, and making ClearPass internet accessible is also not something I would recommend, very similar to any other on-premises product. If you have a bullet-proof idea on how to solve this in a simple way, the product people in HPE would probably be listening carefully to you; I just am not aware of such a solution, for the reasons mentioned.

        If you feel other or more urgent attention is needed, work with your local HPE contacts; this is not something that the product teams can discuss in public at the moment, but they may be open to discuss in a personal discussion.



        ------------------------------
        Herman Robers
        ------------------------------
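As an added illustration of the 47-day lifecycle the thread discusses (example code, not from the thread, from ClearPass or from any ACME client): a stdlib-only Python helper that reads the `notBefore`/`notAfter` lines printed by `openssl x509 -noout -dates`, checks the certificate lifetime against the 47-day cap, and computes a renewal date at two thirds of the lifetime. The two-thirds renewal point is an assumed ACME-style convention, not a ClearPass setting, and the sample dates are constructed.

```python
import ssl
from datetime import datetime, timezone

# Maximum lifetime for publicly trusted TLS certificates under the
# CA/Browser Forum ballot referred to in the thread (SC-081).
MAX_PUBLIC_LIFETIME_DAYS = 47

# Constructed sample: the two lines `openssl x509 -noout -dates` prints
# for a certificate with exactly a 47-day lifetime.
SAMPLE_DATES = """notBefore=Jun  1 00:00:00 2029 GMT
notAfter=Jul 18 00:00:00 2029 GMT
"""


def parse_openssl_dates(text):
    """Return (not_before, not_after) as aware UTC datetimes parsed from
    the output of `openssl x509 -noout -dates`."""
    fields = {}
    for line in text.splitlines():
        key, _, value = line.partition("=")
        if key in ("notBefore", "notAfter"):
            # ssl.cert_time_to_seconds understands 'Mon DD HH:MM:SS YYYY GMT'.
            seconds = ssl.cert_time_to_seconds(value.strip())
            fields[key] = datetime.fromtimestamp(seconds, tz=timezone.utc)
    return fields["notBefore"], fields["notAfter"]


def lifetime_days(not_before, not_after):
    """Whole days between notBefore and notAfter."""
    return (not_after - not_before).days


def fits_public_cap(not_before, not_after, cap_days=MAX_PUBLIC_LIFETIME_DAYS):
    """True if the lifetime is within the public-CA maximum."""
    return lifetime_days(not_before, not_after) <= cap_days


def renewal_due(not_before, not_after, fraction=2 / 3):
    """Point at which renewal should start: `fraction` of the lifetime elapsed
    (assumed convention; ACME clients commonly renew at two thirds)."""
    return not_before + (not_after - not_before) * fraction


def renewal_status(not_before, not_after, now):
    """'expired', 'renew-now' (past the renewal point) or 'ok'."""
    if now >= not_after:
        return "expired"
    if now >= renewal_due(not_before, not_after):
        return "renew-now"
    return "ok"
```

Feeding the real `openssl x509 -noout -dates -in server.pem` output to `parse_openssl_dates` and scheduling the check daily gives a simple alert for a 47-day certificate long before the hard expiry.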



      • 11.  RE: Clearpass Radius/EAP Server Certificate Automation

        Posted 23 days ago

        Very good points, Herman. Thank you.

        Some of these complications I didn't consider especially that Clearpass would need direct access to internet/issuer.

        Hopefully, I haven't hijacked too much time from members of this forum.