
Unable to import a Server Certificate into ClearPass

  • 1.  Unable to import a Server Certificate into ClearPass

    Posted Jan 30, 2023 06:32 PM
    Hello there,

    I'm trying to follow this "Obtaining and Installing a Signed Certificate From Active Directory" article for CPPM v6.11. However, I'm having an issue when I try to import a Server Certificate into ClearPass, and it keeps showing:
    Private Key File must be specified


    When I try to download the CSR, it doesn't download the private keys (as with older versions of CPPM). It says that the private key is stored in the system.


    I don't know where I can specify the Private Key file.

    I can't find any recent documents that explain importing a Server Certificate into ClearPass for CPPM v6.11.

    Can anyone help me to resolve this issue?
    Private Key File must be specified




  • 2.  RE: Unable to import a Server Certificate into ClearPass

    EMPLOYEE
    Posted Jan 30, 2023 06:48 PM
    So did you use a CSR for this? In the CSR you need to type in a private key.
    Then when your AD CA signs it, you need to export that and then import it in ClearPass,
    and for this you should use the same private key that you specified in the CSR process.

    ------------------------------
    If my post was useful accept solution and/or give kudos.
    Any opinions expressed here are solely my own and not necessarily that of HPE or Aruba.
    ------------------------------



  • 3.  RE: Unable to import a Server Certificate into ClearPass

    Posted Jan 31, 2023 03:40 AM
    Thanks for your reply.

    Yes, I used a CSR for this. However, if I'm going to specify the private key password (the same in the CSR process and when I import it in ClearPass), it requires uploading the private key file, as shown here:


    Where can I find this private key file if it's stored in the system when I download the CSR?

    Also, if I change the upload method to "Upload Certificate and Use Saved Private Key", it gives me this error:







  • 4.  RE: Unable to import a Server Certificate into ClearPass

    Posted Jan 31, 2023 07:15 AM
    When creating the CSR, the private key does not leave the CPPM; it is stored locally for 15 days, after which it is deleted, as described here.

    When importing the signed CSR, the upload method "Upload Certificate and Use Saved Private Key" must be selected, as described here.

    If you want to install another certificate after creating the CSR, the stored private key will be deleted.

    ------------------------------
    Regards,

    Waldemar
    ACCX # 1377, ACEP, ACA - Network Security
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------



  • 5.  RE: Unable to import a Server Certificate into ClearPass

    EMPLOYEE
    Posted Jan 31, 2023 10:19 AM
    I just tried the same with ClearPass 6.11 (HTTPS instead of EAP though), and that just works with the saved private key. Please make sure that the server and the type of certificate match between the CSR and import (Server Certificate / RADIUS/EAP Server Certificate).

    If it doesn't work, please reach out to Aruba Support as they can check what is happening here, fix your issue, and either clarify the documentation or get a bug filed.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 6.  RE: Unable to import a Server Certificate into ClearPass

    Posted May 02, 2023 10:57 AM

    Hi

    I have just run into the same issue, on ClearPass 6.11.2, where we can't import the certificate on the server.


    Instead of troubleshooting the issue we created a new certificate request outside ClearPass and imported the certificate and private keys as separate PEM files instead.



    ------------------------------
    Best Regards
    Jonas Hammarbäck
    MVP 2023, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACDP , ACEP, ACSA
    Aranya AB
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------
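
The workaround in post 6 (a key and CSR created outside ClearPass, then uploaded as separate PEM files) together with a check that the signed certificate really belongs to that key, as an added example that is not part of any post in this thread. It assumes OpenSSL 1.1.1 or later; the FQDN and file names are placeholders.

```shell
#!/bin/sh
# Added example. FQDN and file names are placeholders, not values from the thread.

# Create a private key and CSR outside ClearPass. The key stays in key.pem
# until it is uploaded together with the CA-signed certificate.
make_key_and_csr() {  # usage: make_key_and_csr <fqdn> <key.pem> <csr.pem>
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=$1" -addext "subjectAltName=DNS:$1" \
        -keyout "$2" -out "$3" 2>/dev/null || return 1
    chmod 600 "$2"   # private key readable by its owner only
}

# Print the SHA-256 digest of the public key held in a key, CSR or certificate.
pubkey_digest() {  # usage: pubkey_digest key|csr|cert <file.pem>
    case "$1" in
        key)  pem=$(openssl pkey -in "$2" -pubout 2>/dev/null) ;;
        csr)  pem=$(openssl req -in "$2" -noout -pubkey 2>/dev/null) ;;
        cert) pem=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) ;;
        *)    return 2 ;;
    esac || return 1      # unreadable or malformed input
    [ -n "$pem" ] || return 1
    printf '%s\n' "$pem" | openssl dgst -sha256 -r | cut -d' ' -f1
}

# Succeed only if the signed certificate carries the public key of key.pem.
# Run this before uploading, e.g. cert_matches_key signed.pem key.pem
cert_matches_key() {  # usage: cert_matches_key <cert.pem> <key.pem>
    c=$(pubkey_digest cert "$1") || return 1
    k=$(pubkey_digest key "$2") || return 1
    [ "$c" = "$k" ]
}
```

When the CSR was generated inside ClearPass the key file is not available, so compare `pubkey_digest csr` of the downloaded CSR with `pubkey_digest cert` of the signed certificate instead.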



  • 7.  RE: Unable to import a Server Certificate into ClearPass

    EMPLOYEE
    Posted May 09, 2023 04:21 PM

    Hi

    I have also run into the same issue on 6.11.1 - did you hear back from TAC with a fix?

    Thanks

    Kevin




  • 8.  RE: Unable to import a Server Certificate into ClearPass

    Posted Jun 26, 2023 10:46 AM

    Hey all, I just resolved the issue; to be honest, it's quite funny.

    First things first: in my DC, which acts as the DNS server, I created a static A record that resolves to my ClearPass server (cppm1-pub - 10.0.1.xxx).

    Second, I verified that NTP on the server and on the CPPM is synced (I edited the registry on the DC to point to an NTP pool address instead of the Windows time server).

    Then I created a CSR, and on the Windows cert srv (the one that is accessible via the web page http://x.x.x.x/certsrv)

    I signed the HTTPS certificate with the Web Server certificate template.

    After that, the certificate was uploaded without any problems.

    Always check your DNS / NTP configuration.



