Occasional Contributor II

CPPM 6.3 certificates, ssl, radius, onboard



I am setting up CPPM for our environment with the following configuration

One requirement is to support PEAP clients as well as onboarded clients on the same SSID


CPPM version 6.3


cppmd1                   IN      A

cppmd2                   IN      A

cppmd3                   IN      A

site1clearpass        IN      A

site2clearpass        IN      CNAME

cppm1                     IN      A

cppm2                     IN      A

cppm3                     IN      A



Campus 1:


mgmt interface

data interface

VIP interface



mgmt interface

data interface

VIP interface




mgmt interface

data interface


Our requirements:

Create certs to be used for ssl and radius authentication for peap

and use internal CA for onboarding and assigning certificates


Server1 cert publisher





Server2 cert Subscriber





questions I have

does the VIP domain name have to be included in the SAN?

can I just use the cert for server1 for both server1 and server2?

does the order matter?

does this config make sense for a cluster that has both mgmt and data interfaces using a VIP?


Server3 cert Subscriber




Do I need to add the server IP info in the SAN or will domain names be enough?




Guru Elite

Re: CPPM 6.3 certificates, ssl, radius, onboard

Feel free to download the CPPM Certificates 101 Technote here:


It will have the answers to a number of your questions.


*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*

Re: CPPM 6.3 certificates, ssl, radius, onboard

Many thanks for taking the time to document your requirements so carefully. I wanted to ask if after reading my TechNote that Colin pointed you at you had any outstanding questions?


Also, here is my take on your questions regardless :)


YES you can use the same cert on the PUB and the SUB in site1. 


Re the SAN field add EVERYTHING and MORE..... reason is if you need to go back and re-issue the server cert because you decided to get a new SUB for site1, what a pain.... so think carefully about how you build your CSR.... add the IP@ as well....


Best Regards

ClearPass Product Manager
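
Added example, not part of the original thread and not Aruba tooling: a sketch of the "add everything to the SAN" advice above, building one SAN list for a certificate shared by the publisher and subscriber at site1 and showing which entries a later subscriber would be missing. The host labels come from the first post; the domain, the mgmt/data role of each label, every IP address and the `cppm4`/`cppmd4` names are assumptions.

```python
import ipaddress

# Constructed inventory: host labels are from the post; the domain, the
# mgmt/data role of each label and all IP addresses are assumptions.
DOMAIN = "example.com"
SITE1 = {
    "vip": ("site1clearpass", "192.0.2.10"),
    "nodes": [
        {"mgmt": ("cppm1", "192.0.2.11"), "data": ("cppmd1", "192.0.2.21")},  # publisher
        {"mgmt": ("cppm2", "192.0.2.12"), "data": ("cppmd2", "192.0.2.22")},  # subscriber
    ],
}

def endpoints(site):
    """Every (fqdn, ip) pair a client or admin could use to reach the site."""
    pairs = [site["vip"]]
    for node in site["nodes"]:
        pairs += [node["mgmt"], node["data"]]
    # ip_address() rejects malformed addresses before they reach the CSR.
    return [(f"{host}.{DOMAIN}", str(ipaddress.ip_address(ip))) for host, ip in pairs]

def build_san(site):
    """One de-duplicated SAN list for a certificate shared by all nodes."""
    pairs = endpoints(site)
    dns = list(dict.fromkeys(fqdn for fqdn, _ in pairs))
    ips = list(dict.fromkeys(ip for _, ip in pairs))
    return dns, ips

def alt_names_section(dns, ips):
    """Render as an OpenSSL section, referenced by subjectAltName = @alt_names."""
    lines = ["[alt_names]"]
    lines += [f"DNS.{i} = {name}" for i, name in enumerate(dns, 1)]
    lines += [f"IP.{i} = {addr}" for i, addr in enumerate(ips, 1)]
    return "\n".join(lines)

def missing_from_san(site, dns, ips):
    """Endpoints an already issued certificate does not cover."""
    gaps = []
    for fqdn, ip in endpoints(site):
        if fqdn not in dns:
            gaps.append(fqdn)
        if ip not in ips:
            gaps.append(ip)
    return gaps

if __name__ == "__main__":
    dns, ips = build_san(SITE1)
    print(alt_names_section(dns, ips))
    # Hypothetical extra subscriber added to site1 after the cert was issued.
    grown = {"vip": SITE1["vip"], "nodes": SITE1["nodes"] + [
        {"mgmt": ("cppm4", "192.0.2.14"), "data": ("cppmd4", "192.0.2.24")}]}
    print("re-issue needed for:", missing_from_san(grown, dns, ips))
```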

Occasional Contributor II

Re: CPPM 6.3 certificates, ssl, radius, onboard

Hi Dannyjump


It is the document I have been searching for. It is extremely helpful.


Many Thanks



Occasional Contributor II

Re: CPPM 6.3 certificates, ssl, radius, onboard

It seems the game has changed for internal IPs
