Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Clear pass server certificate

  • 1.  Clear pass server certificate

    Posted Aug 17, 2013 09:46 AM

    Hi all,

     

    I need a help from you guys for the following issue

     

    We have a self-signed certificate on the ClearPass which expires in one year. We have onboarded around 70 devices.

     

    Now, if I create a new CSR with the same attributes as the old one and get it signed by the same authority (the authority which signed the old one), and I import that certificate (which is valid for 5 years) in place of the old server certificate.

     

    Will the existing onboarded devices need to be reprovisioned, or will they validate with the new certificate, which has the same attributes as the old one?

    Could anyone explain to me how to achieve that without reprovisioning the devices?

     

    Cheers

    Sri


  • 2.  RE: Clear pass server certificate

    Posted Aug 17, 2013 10:40 AM

    The ClearPass server certificate and the Onboard CA are two different things.   If you are talking about the self-signed certificate under Administration --> Certificates --> Server Certificates this is what is used for HTTPS and EAP termination.


    The CA for OnBoarding is located under the Guest side of things.  Depending on your version, it may appear under OnBoard + WorkSpace --> Initial Setup --> Certificate Authorities.   The level may vary for versions without 6.2 that don't have WorkSpace.

     

    This is the Certificate Authority which signs and issues certificates to OnBoard devices.  However, if you are pushing out certificate trusts through your Network Settings (for the above EAP certificate), you may need to find a way to get that on the devices.

     

    To verify, check one of your OnBoard certificates to see what CA issued it and what the expiration time is.



  • 3.  RE: Clear pass server certificate

    EMPLOYEE
    Posted Aug 19, 2013 12:26 AM

    The issue is the cert chain will now be broken and if you are checking OCSP or validating the cert it will error out. What you could do is

     

    1. renew the current cert

    2. create a new certificate authority to

            a. provision new devices

            b. slowly migrate old devices. 

                 1. go into certificate management and click on the device you want to migrate and delete certificate

                 2. or have them onboard and have CPPM trust both until the old one expires.

     

    [attachment: screenshot_06 Aug. 18 23.19.gif]

     



  • 4.  RE: Clear pass server certificate

    Posted Aug 19, 2013 12:36 AM

    In here, the Onboard CA signs and issues the certificates and it is pushed through network settings. The expiration time for the client certificate is one year from the issued date.

    My query is that the server certificate expires in Aug 2014, but the client certificate expires in, say, Dec 2014. When the server certificate expires, I need to create a new CSR and get it signed by the Onboard CA, and I have to import it into the Policy Manager, after creating a new CSR with the same CN as the old one.
    Now how about the existing onboarded device which has a client certificate that expires in Dec 2014? How will it establish trust with the new server certificate? Or else, as the server certificate and client certificate are both trusted and signed by the Onboard CA, does it get authenticated normally, like how it was getting access before installing the new server certificate? Or do I need to reprovision the existing onboarded device (to push the new certificate)?



  • 5.  RE: Clear pass server certificate

    EMPLOYEE
    Posted Aug 19, 2013 12:52 AM

    So you do not have a publicly signed cert on the CPPM side? The issue you will have is that when you do a CSR for the CPPM cert and install it, then none of your devices that are provisioned will trust CPPM.

     

    What you need to do is click on the client cert in CPPM and post here what the trust chain is. (Your screen may look different. I'm running 6.2)

     

    [attachments: screenshot_07 Aug. 18 23.36.gif, screenshot_08 Aug. 18 23.37.gif]

     

    This will show you what the clients currently trust on top of the server cert.

     

    Unfortunately I think the best option is to reprovision the devices so they all have a current trust chain that is based on the longer cert time. You can set up the new CA and have it set to 5 years and do a CSR for CPPM that will also be 5 years, and then when you are done you can change the cert expiration time for clients either in CPPM in your service or just edit your CA to provision whatever time limit you want to give the clients.

     

    [attachment: screenshot_09 Aug. 18 23.46.gif]

     

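    The check the reply above asks for, written out as an added example that is not from this thread or from ClearPass: a device whose trust store holds only the Onboard CA is modelled in Go, and it is asked whether it accepts a server certificate re-issued by that same CA (same CN, longer validity) and one issued by a different CA. The CA names, hostname and serial numbers are constructed for the example.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)
// newCA builds a self-signed CA, a constructed stand-in for the Onboard CA (not ClearPass code).
func newCA(name string) (*x509.Certificate, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().AddDate(10, 0, 0),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	cert, _ := x509.ParseCertificate(der)
	return cert, priv
}

// issueServerCert has ca sign a server (HTTPS/EAP) certificate for cn, valid for the given years.
func issueServerCert(ca *x509.Certificate, caKey ed25519.PrivateKey, cn string, serial int64, years int) *x509.Certificate {
	pub, _, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, DNSNames: []string{cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().AddDate(years, 0, 0),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, ca, pub, caKey)
	cert, _ := x509.ParseCertificate(der)
	return cert
}

// deviceTrusts models an onboarded device whose store holds only trustedCA: the server cert passes only if it chains to that CA, names cn, and is in date.
func deviceTrusts(trustedCA, server *x509.Certificate, cn string) bool {
	pool := x509.NewCertPool()
	pool.AddCert(trustedCA)
	_, err := server.Verify(x509.VerifyOptions{Roots: pool, DNSName: cn, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}})
	return err == nil
}

func main() {
	ca, key := newCA("Onboard CA") // the CA the devices were provisioned to trust
	renewed := issueServerCert(ca, key, "cppm.example.test", 2, 5) // same CN, same CA, 5-year validity
	fmt.Println("device trusts renewed server cert:", deviceTrusts(ca, renewed, "cppm.example.test"))
}
```

What the device checks is the chain to a CA it already holds, so a new leaf from the same CA verifies, while a leaf from a CA the device was never given does not, whatever its CN.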


  • 6.  RE: Clear pass server certificate

    Posted Aug 19, 2013 08:06 AM

    Yes, we don't have a publicly signed CA. And when I create a new CSR, I will get it signed by the same authority which signed the old CPPM cert.

    And I am not changing the first two certificate authorities (signed and signing). I am trying to change the server certificate, which is only valid for 1 year. I just want to make it 5 years, and later I will edit the certificate authority to change the client certificate validity to 1 year.

    Or else, is there any way to extend the existing certificate for 5 years?

     

    [attachments: server.png, trst.png]



  • 7.  RE: Clear pass server certificate

    Posted Oct 08, 2014 10:44 AM

    Hi all

     

    I have a similar problem: my certificate in my web browser displays the following error.

     

    Can you help me with this problem and tell me if it's because of the certificate of my ClearPass?

     

    If it's because of my certificate, can you tell me the correct procedure for the solution?

     

     

    Thanks.


  • 8.  RE: Clear pass server certificate

    Posted Oct 12, 2014 07:20 AM

    Please start a new thread and explain your situation a bit better. Your case is probably different from the one of the original poster.

     

    Also explain when this error occurs.



  • 9.  RE: Clear pass server certificate

    Posted Nov 26, 2015 09:49 AM

    Hi, I have created two CAs, CA1 and CA2, for ClearPass Onboard, and I'm using CA1 for Local Device Provisioning. I want to delete CA2 as I'm not using it, but I'm unable to find the option to delete CA2.

     

    I'm using CPPM Version 6.5.3 (CP-500); any help is really appreciated.

     

    Thanks

    Amit



  • 10.  RE: Clear pass server certificate

    EMPLOYEE
    Posted Nov 26, 2015 09:51 AM
    Under Certificate Authorities, click on the CA name and there should be a delete button to the right.
