Unable to import a Server Certificate into ClearPass

  • 1.  Unable to import a Server Certificate into ClearPass

    Posted Jan 30, 2023 06:32 PM
    Hello there,

    I'm trying to follow the "Obtaining and Installing a Signed Certificate From Active Directory" article for CPPM v6.11. However, I'm having an issue when I try to import a Server Certificate into ClearPass; it keeps showing:
    Private Key File must be specified


    When I try to download the CSR, it doesn't download the private key (as with older versions of CPPM). It says that the private key is stored in the system.


    I don't know where I can specify the Private Key file.

    I can't find any recent documents that explain importing a Server Certificate into ClearPass for CPPM v6.11.

    Can anyone help me resolve this issue?
    Private Key File must be specified




  • 2.  RE: Unable to import a Server Certificate into ClearPass

    Posted Jan 30, 2023 06:48 PM
    So did you use a CSR for this? In the CSR you need to type in a private key.
    Then, when your AD CA signs it, you need to export that and then import it in ClearPass,
    and for this you should use the same private key that you specified in the CSR process.

    ------------------------------
    If my post was useful accept solution and/or give kudos.
    Any opinions expressed here are solely my own and not necessarily that of HPE or Aruba.
    ------------------------------



  • 3.  RE: Unable to import a Server Certificate into ClearPass

    Posted Jan 31, 2023 03:40 AM
    Thanks for your reply.

    Yes, I used a CSR for this. However, if I'm going to specify the private key password (the same in the CSR process and when I import it in ClearPass), it requires uploading the private key file, as shown here:


    Where can I find this private key file if it's stored in the system when I download the CSR?

    Also, if I change the upload method to "Upload Certificate and Use Saved Private Key", it gives me this error:







  • 4.  RE: Unable to import a Server Certificate into ClearPass

    Posted Jan 31, 2023 07:15 AM
    When creating the CSR, the private key does not leave the CPPM, it is stored locally for 15 days, after which it is deleted, as described here.

    When importing the signed CSR, the upload method "Upload Certificate and Use Saved Private Key" must be selected, as described here.

    If you want to install another certificate after creating the CSR, the stored private key will be deleted.

    ------------------------------
    Regards,

    Waldemar
    ACCX # 1377, ACEP, ACA - Network Security
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------



  • 5.  RE: Unable to import a Server Certificate into ClearPass

    Posted Jan 31, 2023 10:19 AM
    I just tried the same with ClearPass 6.11 (HTTPS instead of EAP though), and that just works with the saved private key. Please make sure that the server and the type of certificate match between the CSR and import (Server Certificate / RADIUS/EAP Server Certificate).

    If it doesn't work, please reach out to Aruba Support as they can check what is happening here, fix your issue, and either clarify the documentation or get a bug filed.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 6.  RE: Unable to import a Server Certificate into ClearPass

    Posted May 02, 2023 10:57 AM

    Hi

    I have just run into the same issue, on ClearPass 6.11.2, where we can't import the certificate on the server.


    Instead of troubleshooting the issue we created a new certificate request outside ClearPass and imported the certificate and private keys as separate PEM files instead.



    ------------------------------
    Best Regards
    Jonas Hammarbäck
    MVP 2023, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACDP , ACEP, ACSA
    Aranya AB
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------



  • 7.  RE: Unable to import a Server Certificate into ClearPass

    Posted May 09, 2023 04:21 PM

    Hi

    I have also run into the same issue on 6.11.1 - did you hear back from TAC with a fix?

    Thanks

    Kevin




  • 8.  RE: Unable to import a Server Certificate into ClearPass

    Posted Jun 26, 2023 10:46 AM

    Hey all, I just resolved the issue. To be honest, it's quite funny.

    First things first: in my DC that acts as a DNS server, I created a static A record that resolves to my ClearPass server (cppm1-pub - 10.0.1.xxx).

    Second, I verified that NTP on the server and on the CPPM is synced (I edited the registry on the DC to point to an NTP pool address instead of the Windows time server).

    Then I created a CSR, and on the Windows cert srv (the one that is accessible via the web page http://x.x.x.x/certsrv)

    I signed the HTTPS certificate with the web server certificate template.

    After that the certificate was uploaded without any problems.

    Always check your DNS / NTP configuration.




  • 10.  RE: Unable to import a Server Certificate into ClearPass

    Posted 26 days ago

    Hi,

    Same issue in 6.11: when I try to import a certificate on a subscriber (for EAP and HTTPS), the private key is asked for.

    If my understanding is correct, the private key is located on the server which made the CSR, so my questions are:

    • How can we deploy a wildcard certificate, created from a CSR on the Pub, on all other nodes, as they don't have the private key stored locally?
    • Same question for EAP/RADIUS, which must be the same on all nodes.

    Do I need to recreate a CSR for each node from the Pub with the CN of each node?

    Brgds




  • 11.  RE: Unable to import a Server Certificate into ClearPass

    Posted 22 days ago

    I would recommend generating your CSRs offline, if you have the capabilities and knowledge (openssl or other tooling). That would make it much easier to back up/store the private key and then import key+certificate into multiple ClearPass servers.

    Having said that, if you were able to generate the key and CSR, get it signed and imported in the publisher (or other node where you generated the CSR), you can export it (make sure a password is provided to export the private key with it); then import the p12 as PKCS#12 with key and certificate in one. Once you have exported the p12, you can back it up as well.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------
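
    The offline workflow recommended in posts 6 and 11, sketched with openssl as an added example (not taken from the thread or from Aruba documentation). The host name, file names and the KEY_PASS / P12_PASS environment variables are assumptions; signing by the AD CA happens outside the script.

```shell
#!/bin/sh
# Added example: create key + CSR outside ClearPass, confirm the signed
# certificate belongs to that key, then bundle both as PKCS#12.
# Passphrases are read from the environment so they stay out of argv.

# make_csr <fqdn> <dir>: passphrase-protected RSA key plus a CSR whose CN is
# repeated in subjectAltName (-addext needs OpenSSL 1.1.1 or later).
make_csr() {
    ( umask 077   # key file readable by the owner only
      openssl req -new -newkey rsa:2048 \
          -keyout "$2/server.key" -passout env:KEY_PASS \
          -out "$2/server.csr" -subj "/CN=$1" \
          -addext "subjectAltName=DNS:$1" 2>/dev/null )
}

# Public key (PEM) contained in a private key file or in a certificate.
pub_of_key()  { openssl pkey -in "$1" -passin env:KEY_PASS -pubout 2>/dev/null; }
pub_of_cert() { openssl x509 -in "$1" -noout -pubkey 2>/dev/null; }

# cert_matches_key <cert> <key>: succeeds only if the certificate carries the
# public key of this private key. An unreadable file or a wrong passphrase
# counts as a mismatch instead of comparing two empty strings.
cert_matches_key() {
    c=$(pub_of_cert "$1") && k=$(pub_of_key "$2") &&
        [ -n "$c" ] && [ "$c" = "$k" ]
}

# make_p12 <cert> <key> <out>: one PKCS#12 file holding certificate and key,
# for import on several nodes and for backup.
make_p12() {
    ( umask 077
      openssl pkcs12 -export -in "$1" -inkey "$2" -passin env:KEY_PASS \
          -out "$3" -passout env:P12_PASS )
}

# Typical sequence:
#   export KEY_PASS=... P12_PASS=...
#   make_csr cppm1.example.test ./certs    # submit certs/server.csr to the CA
#   cert_matches_key certs/server.crt certs/server.key &&
#       make_p12 certs/server.crt certs/server.key certs/server.p12
```

    Running cert_matches_key before an import shows whether a rejected upload is a key mismatch (for example, a certificate issued for a different CSR) or something else.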



  • 12.  RE: Unable to import a Server Certificate into ClearPass

    Posted 22 days ago

    Hello,

    Thanks for your reply. I made an export of the Pub certificate and everything is working well for the import on the other node.

    As you said, I think generating the CSR offline is the better solution. It is more flexible and we don't have to remember which node made the CSR.

    Many thanks for your reply and have a good day.

    Brgds