Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

CPPM and Commercial Certificate Recommendations

  • 1.  CPPM and Commercial Certificate Recommendations

    Posted May 01, 2013 11:26 AM

    Hello,

     

    We are looking at getting a Commercial Certificate for our CPPM. This will be our first Commercial Certificate so we want to make sure we get the right one.

     

    Our setup is as follows:

    • We have two CPPM's which will be clustered
    • Hostnames (examples) - CPPM 1: cppm1.server.com, CPPM 2: cppm2.server.com
    • The two CPPM's are in different physical locations
    • We will be using a common DNS name to resolve to the correct CPPM depending upon where you are - cppm.server.com

    We have been looking at the certificates offered by Verisign. But we are not 100% sure on what kind of certificate we should be purchasing. I think we will need two certificates, one for each CPPM, but how will the protection of the URL work? The option for Verisign called Secure Site SSL Certificates seems to be an option that makes sense for our scenario. But we are still not 100% sure.

    Is there any documentation from Aruba that talks specifically about the type of certificate we should be looking at? Or what the certificate should cover in terms of URLs?

     

    Hopefully my question makes sense. I am still learning about Certificates and how they are to be set up.

     

    Thank you,

     

    Cheers



  • 2.  RE: CPPM and Commercial Certificate Recommendations
    Best Answer

    Posted May 01, 2013 11:54 AM

    I'd get the cert you're talking about (we get ours from GoDaddy -- not a plug, just a note that we haven't had any problems, and they weren't too expensive) but use the Common Name = cppm.whatever.com and then declare Subject Alternative Names = cppm1 and cppm2 etc.

     

    This way you can use the same cert on both servers (I think -- someone will correct me if I'm getting this wrong!)



  • 3.  RE: CPPM and Commercial Certificate Recommendations

    Posted May 01, 2013 01:10 PM

    Hey msabin,

     

    Thank you for your response!

    I didn't realize we may be able to get away with only one certificate, that is great!

     

    Out of curiosity, have you used your GoDaddy cert with Apple devices?

    I know that in order to use HTTPS in the Onboarding process with Apple devices we need a commercial cert, and I thought I heard Apple can even be picky about the commercial cert.

    So just want to make sure GoDaddy will work okay with the Apple devices.

     

    Thanks again for the information!

     

    Cheers



  • 4.  RE: CPPM and Commercial Certificate Recommendations

    Posted May 01, 2013 02:40 PM

    I can confirm that GoDaddy certs will work for Apple device onboarding under ClearPass 6.1.   There was an issue with iOS onboarding using GoDaddy certs in CP 6.0 because the GoDaddy root CA was missing a Common Name.  This has been fixed in the latest version of ClearPass.

     

     



  • 5.  RE: CPPM and Commercial Certificate Recommendations

    Posted May 01, 2013 02:43 PM

    Thanks xdrewpjx,

     

    Much appreciated for confirming this!

     

    GoDaddy seems like the better choice at this point due to their pricing being way cheaper than Verisign.



  • 6.  RE: CPPM and Commercial Certificate Recommendations

    Posted May 01, 2013 02:53 PM

    GoDaddy is certainly the cheapest.  

     

    I have also used certs from Digicert, GeoTrust, and Comodo CAs and had no issues with onboarding.  



  • 7.  RE: CPPM and Commercial Certificate Recommendations

    Posted May 01, 2013 03:06 PM

    That is good to know as well. 

    This is my first experience with commercial certs, so I am trying to figure out as much detail as possible!

     

    Would you be able to elaborate on how you set up the commercial cert on your CPPM?

     

    Is it just a simple process? After you get your commercial cert, do you just import it under the CPPM as the Server Cert?

    When you import it does it show the entire trust chain?



  • 8.  RE: CPPM and Commercial Certificate Recommendations

    EMPLOYEE
    Posted May 01, 2013 03:14 PM

    Not all vendors will send you a cert that has the full trust chain. You will need to combine the certs if it does not. 

     

    -----BEGIN CERTIFICATE-----

    ... (certificate for your server)...

    -----END CERTIFICATE-----

    -----BEGIN CERTIFICATE-----

    ... (the intermediate certificate)...

    -----END CERTIFICATE-----

    -----BEGIN CERTIFICATE-----

    ... (the root certificate for the CA)...

    -----END CERTIFICATE-----

     

    You will also need to add the root and intermediate (if there is one) to the CPPM certificate trust list

     

    Administration » Certificates » Trust List

     

    For testing purposes I use https://www.startssl.com/ 

     

    If you own the domain and can verify you own it then you can get a free public cert. "Again, this is for testing." They do not combine the chain so you will need to do that yourself.

     

    [Attached screenshot: certchain.png]



  • 9.  RE: CPPM and Commercial Certificate Recommendations

    Posted May 01, 2013 03:40 PM

    Hey tarnold,

     

    Wow, that's amazing! Thanks for the screenshot!

    I think that makes sense to me!

     

    We do have a test environment so it might be really useful for us to try out this startssl just as a test to see how things will go before moving into production.

     

    When you say "You will also need to add the root and intermediate (if there is one)...." are you referring to the section on the CPPM under CPPM > Administration > Certificates > Trust List ?



  • 10.  RE: CPPM and Commercial Certificate Recommendations

    EMPLOYEE
    Posted May 01, 2013 03:43 PM

    That is for both..

     

    Trust list and when you import the certificate into the CPPM. Remember you only need a public cert on the CPPM side. 



  • 11.  RE: CPPM and Commercial Certificate Recommendations

    Posted May 01, 2013 03:47 PM

    Oh okay!

     

    So when we get our new Certificate we have to make sure that we import it in both locations.

     

    Since we are in a cluster, under the CPPM > Administration > Certificates > Trust List section is it enough to upload the certificates here and then these should automatically be sent over to the Subscriber?

     

    Thank you again for all the help!

     

    Cheers



  • 12.  RE: CPPM and Commercial Certificate Recommendations

    Posted May 08, 2013 07:53 AM

    Hey,

    Sorry I managed to figure it out. You have to strip away the passphrase and private key from the pk12 when you convert it.

     

    I used the following command in openssl to get a successful conversion:

    openssl pkcs12 -nodes -clcerts -nokeys -in cert.p12 -out cert.pem

     

    EDIT ========================================================= EDIT

    Hi,

     

    We went ahead and got a commercial certificate from Go Daddy.

    We were able to successfully upload it into our test environment on the side of the CPPM.

     

    When we try and upload it in the Onboarding section as a "Trusted Certificate", ClearPass Onboard keeps complaining that "The certificate is not in PEM format".

     

    We used openssl to convert the commercial cert we received to a PEM certificate and it will still not accept it.

     

    When we convert the cert from pk12 to pem is there something special that needs to be done? Should the cert not include the entire certificate chain? Should it only include the client cert?

     

    Thank you



  • 13.  RE: CPPM and Commercial Certificate Recommendations

    Posted May 08, 2013 01:14 PM

    Thanks for the openssl command string, that helps me (with a different but related problem).



  • 14.  RE: CPPM and Commercial Certificate Recommendations

    Posted May 08, 2013 01:38 PM

    No problem at all.

    Glad it could help you out!



  • 15.  RE: CPPM and Commercial Certificate Recommendations

    Posted Aug 14, 2013 11:47 AM

    Hey,

     

    This is an older topic I had started but I had another question regarding Commercial Certs.

     

    We yet again ran into an issue with Apple devices and our Go Daddy commercial cert.

     

    We discovered that we have to include a cert bundle which contains two Go Daddy certs "Go Daddy Class 2 Certification Authority" and "Go Daddy Secure Certificate Authority"

     

    Apple appears not to trust the "Go Daddy Secure Certificate Authority". So we had to install the cert bundle in order to get the Onboard process working. If we leave out the cert bundle that good old HTTPS server cert error appears while trying to install the profile.

     

    I was wondering, for the guys who have commercial CAs, are you required as well to install some sort of cert bundle to make sure the entire trust chain is trusted?



  • 16.  RE: CPPM and Commercial Certificate Recommendations

    Posted Aug 14, 2013 06:10 PM

    I'm an idiot!

    I figured it out. In our case we did need to include the trust chain.

     

    So I just did this:

    #cp ourcert.crt ourcert_bundle.crt
    #cat ourcert.crt > ourcert_bundle.crt
    #cat gd_bundle.crt >> ourcert_bundle.crt

    The gd_bundle.crt is the cert bundle from go daddy.

     

    Then I imported the ourcert_bundle.crt into the CPPM. The Server Certificate, Intermediate CA, and Root CA all now show under "Server Certificate"

     

    Our Apple and Android devices are no longer complaining about not trusting the cert on the CPPM.

     

    The worst part is now that I have done this I remember doing this the last time. But for some reason for the life of me I couldn't remember it :(

     

    Thanks for the help!

     

    Cheers

     

    ------------------------------------------------------------------------ EDIT

    I think there is something wrong with how the certificate is loaded on the CPPM.

     

    When we issue the command below it spits out a bunch of errors:

    openssl s_client -connect <domain name>:443
     
    depth=0 OU = Domain Control Validated, CN = <domain name>
    verify error:num=20:unable to get local issuer certificate
    verify return:1
    depth=0 OU = Domain Control Validated, CN = <domain name>
    verify error:num=27:certificate not trusted
    verify return:1
    depth=0 OU = Domain Control Validated, CN = <domain name>
    verify error:num=21:unable to verify the first certificate
    verify return:1

    When we upload the commercial cert we loaded the "cert bundle" provided by Go Daddy into the "Trust List" of the CPPM.

    Does the certificate that we upload need to include the trust chain as well? Or just the certificate issued by our CA?

     



  • 17.  RE: CPPM and Commercial Certificate Recommendations

    EMPLOYEE
    Posted Aug 14, 2013 06:11 PM
    We usually upload the intermediate and root certificates separately.


    Sent from my BlackBerry Z10


  • 18.  RE: CPPM and Commercial Certificate Recommendations

    EMPLOYEE
    Posted Aug 14, 2013 10:32 PM

    When it comes to the wonderful world of Certs....

     

    It all comes down to a trust. :smileyhappy:

     

    If the client doesn't have the root or intermediate certs in its trust list for the browsers you will get the wonderful cert error. The issue that I am seeing the most is that a lot of the major vendors are now adding additional intermediates that are not in the trust list.

     

    If that happens then you will need to combine the certs into a single cert.

     

    ---servercert

    ---intermediate

    ---Root CA

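    The bundle ordering that posts 8, 16 and 18 above settle on (server cert, then intermediate, then root), as an added example that is not from this thread or from ClearPass: it builds a constructed three-tier hierarchy in place of the commercial CA, concatenates the PEM files in that order, and checks the order with the openssl CLI before the file is uploaded. All file and CA names are made up for the example.

```shell
#!/bin/sh
# Added example, not code from the thread. Requires the openssl CLI.
set -eu
WORK=$(mktemp -d)
cd "$WORK"

# Constructed hierarchy standing in for the commercial CA: root -> intermediate -> server.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 2 \
  -keyout root.key -out root.pem -subj "/CN=Example Root CA" 2>/dev/null
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > ca.ext
openssl req -new -newkey rsa:2048 -nodes -keyout int.key -out int.csr \
  -subj "/CN=Example Secure CA" 2>/dev/null
openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -days 2 -sha256 -extfile ca.ext -out int.pem 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -keyout srv.key -out srv.csr \
  -subj "/CN=cppm.example.com" 2>/dev/null
openssl x509 -req -in srv.csr -CA int.pem -CAkey int.key -CAcreateserial \
  -days 2 -sha256 -out srv.pem 2>/dev/null

# The bundle in the order the thread describes: server, intermediate, root.
cat srv.pem int.pem root.pem > cppm_bundle.pem

# nth_cert FILE N: print the N-th PEM certificate block of FILE.
nth_cert() {
  awk -v want="$2" '/BEGIN CERTIFICATE/{k++} k==want{print} /END CERTIFICATE/{if(k==want)exit}' "$1"
}

# chain_in_order FILE: return 0 when every certificate in FILE was issued by
# the certificate that follows it (leaf first, root last), 1 otherwise.
chain_in_order() {
  n=$(grep -c 'BEGIN CERTIFICATE' "$1")
  i=1
  while [ "$i" -lt "$n" ]; do
    issuer=$(nth_cert "$1" "$i" | openssl x509 -noout -issuer)
    subject=$(nth_cert "$1" $((i + 1)) | openssl x509 -noout -subject)
    [ "${issuer#issuer=}" = "${subject#subject=}" ] || return 1
    i=$((i + 1))
  done
}

# Local check of the same trust path before the upload: the leaf must verify
# against the root with the intermediate supplied as untrusted.
openssl verify -CAfile root.pem -untrusted int.pem srv.pem
chain_in_order cppm_bundle.pem && echo "bundle order: server, intermediate, root"
# After the upload, "openssl s_client -connect cppm.example.com:443 -showcerts"
# should list all three blocks instead of the depth=0 errors quoted above.
```

    The same check run on a bundle concatenated root-first fails, which is the mistake the errors in post 16 point at.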


  • 19.  RE: CPPM and Commercial Certificate Recommendations

    Posted Aug 15, 2013 08:52 AM

    "...the wondering world of certs..." indeed :smileyvery-happy:

     

    What you describe makes total sense!

     

    What was frustrating was that I had loaded the trust chain in the Trust List of the CPPM thinking that that was enough for the cert to install properly. I didn't realize (and had completely forgotten) that the entire trust chain needed to be inside our commercial CA.

     

    At the end of the day I admit that I don't know all that much about certs and am learning on the fly. I still don't fully understand what needs to be included in the certs and in what situations it applies. It is an ongoing learning process, that is for sure. And only having the opportunity to work on it once in a blue moon doesn't help either.

     

    The fact that the major vendors are adding additional intermediates that are not in the list will be incredibly frustrating. Especially since updating client devices with certs, at least from a helpdesk standpoint, isn't always the easiest thing in the world.

     

    Needless to say I will be documenting this experience once and for all in our company wiki so I don't forget and have to bug you guys again :smileylol:

     

    Cheers



  • 20.  RE: CPPM and Commercial Certificate Recommendations

    EMPLOYEE
    Posted Feb 03, 2014 05:15 PM

    Bump to remind users about certs and cert chains.