Security

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

CPPM cert issues

  • 1.  CPPM cert issues

    Posted Nov 03, 2015 05:09 AM

    Hi,

     

    Can someone please advise on the error message below and how to resolve it on ClearPass:

     

    There are errors with the server certificate configuration that will prevent devices from provisioning or authenticating.

    The clearpass HTTPS server root certificate is not trusted by apple. This will cause enrollment over HTTPS to fail on IOS devices.
    The clearpass HTTPS server root certificate is not trusted by apple. This will cause enrollment over HTTPS to fail on IOS devices.

     

    We have a self-signed cert for both server and RADIUS. We have renewed the self-signed cert for server, but not for RADIUS.

     

    Please advise on what needs to be done for this. 



  • 2.  RE: CPPM cert issues
    Best Answer

    Posted Nov 03, 2015 05:21 AM

    Hi

     

    The self-signed certificate on ClearPass will always give those warnings, as Apple devices do not natively trust the self-signed certificate. You would need to export the certificate chain from ClearPass and install it onto the Apple devices before they try to connect/onboard.

     

    If you want to have seamless onboarding of iOS devices then you really need to install a trusted third-party certificate that Apple supports natively. Here is the link to the most up-to-date list of certificate authorities that Apple supports.

     

    https://support.apple.com/en-us/HT204132

     

    I typically use Verisign when I am setting up ClearPass. Depending on what version of ClearPass you are running, you can have a trusted third-party certificate as the web server certificate and then use the self-signed certificate for the RADIUS services.

     

    There is a tech note under the ClearPass Support documentation called CPPM - Certificates 101 Technote V1.2.pdf, but I am not sure if I am allowed to download it and post it here. It goes into further detail and explains the process for you.

     

    I hope that helps.
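
The trust behaviour described in the reply above, as an added example that is not part of the thread or of any ClearPass tooling: it classifies a certificate as self-signed or CA-issued and shows how a client treats it depending on which trust anchors it holds. The host name `cppm.example.test`, the `Demo Root CA` and all function names are assumptions, and every certificate is constructed test data generated locally with `openssl`.

```shell
#!/usr/bin/env bash
# Added example: constructed test certificates only, generated locally.

# Return 0 if cert ($2) chains to an anchor in the PEM bundle ($1).
trusted_by() {
    openssl verify -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1
}

# Return 0 if the PEM cert is self-signed: subject equals issuer and
# openssl accepts it when it is its own sole trust anchor.
is_self_signed() {
    local cert="$1" subject issuer
    subject=$(openssl x509 -in "$cert" -noout -subject | sed 's/^subject= *//')
    issuer=$(openssl x509 -in "$cert" -noout -issuer | sed 's/^issuer= *//')
    [ "$subject" = "$issuer" ] && trusted_by "$cert" "$cert"
}

# Build a self-signed server cert, a demo root CA, and a CA-issued server cert.
make_demo_certs() {
    local d="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=cppm.example.test" \
        -keyout "$d/self.key" -out "$d/self.pem" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Root CA" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=cppm.example.test" \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/leaf.pem" 2>/dev/null
}

# Print how a client holding only the given anchors would treat a cert.
report() {
    local anchors="$1" cert="$2" kind="CA-issued" verdict="REJECTED"
    if is_self_signed "$cert"; then kind="self-signed"; fi
    if trusted_by "$anchors" "$cert"; then verdict="trusted"; fi
    echo "$(basename "$cert"): $kind, $verdict with anchors $(basename "$anchors")"
}

demo_dir=$(mktemp -d)
make_demo_certs "$demo_dir"
report "$demo_dir/ca.pem"   "$demo_dir/self.pem"   # device without the cert installed
report "$demo_dir/self.pem" "$demo_dir/self.pem"   # after installing the exported cert
report "$demo_dir/ca.pem"   "$demo_dir/leaf.pem"   # cert issued by a CA the device trusts
rm -rf "$demo_dir"
```

To check a real deployment, export the server certificate as PEM and pass it to `is_self_signed`, or to `trusted_by` together with a PEM bundle of the roots your client devices actually trust.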