Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

ClearPass RADIUS certificate expiring

  • 1.  ClearPass RADIUS certificate expiring

    Posted Oct 03, 2019 12:30 PM

    Our ClearPass RADIUS certificate is expiring soon. Currently, if I navigate to Administration->Certificates->Certificate Store->Server Certificates I see two certificates:

    1.- Our soon-to-expire certificate (signed by our local CA)

    2.- Root CA certificate, which is our local CA

    I exported this certificate before making any changes, so I have a .P12 file that I can use if I need to revert to it.

    In order to renew my certificate from the same page, I generated a new CSR and then had it signed by our local CA, which is the same one that signed the current one. I downloaded both base64 and DER .cer files as well as the chain .p7b.

    When I try to import my new cert I use the option Server Certificate, the name of our server, Usage = RADIUS/EAP Server Certificate, and Upload Certificate, and use Saved private key.

    The certificate uploads fine, but I do not see the Root CA below it like in my current scenario. I have not done enough testing to see if this is a problem or not, but it is a concern. In addition, our local CA is listed under the Trust List with enabled status and everything.

    I am thinking that I have to change the format of my .CER to .P12, but for that I would need the private key that is stored in ClearPass.

    I troubleshooted with Support but they achieved the same results as me.

    Any ideas?



  • 2.  RE: ClearPass RADIUS certificate expiring

    EMPLOYEE
    Posted Oct 04, 2019 06:46 AM

    You should see the issuing CA when the certificate is imported into ClearPass. And if the issuing CA and intermediates (if there are any) are imported, they should automatically show up. Are you sure the certificate is issued by the same root CA? Could it be that your CA issued a CA certificate instead of a server (Endpoint Entity) certificate?

    It is hard to tell what is wrong from here, but you should not import the CA as a P12 (which includes the private key) into ClearPass. Just the PEM (.pem/.crt) should be good for Root or Intermediates. If the certificate is accepted during the import, you should be good as it will check the intermediate and private key match. It should show the root and its intermediates in the ClearPass UI nevertheless.

    If you have the case still open, I would escalate and ask for an engineer experienced with certificates to verify that all is right. Without the exact files and access to your system, this cannot be answered with confidence.



  • 3.  RE: ClearPass RADIUS certificate expiring

    Posted Oct 04, 2019 10:14 AM

    Thank you Herman,

    When I open the .cer file I can see both the cert and the CA under the Certification tab; everything looks in order. The certificate imports fine without issues or warnings, but I only see the server certificate and not the local root CA. The process is pretty straightforward: create the CSR, go to the local CA, paste, select Web Server as template, then click Submit. After that all I have to do is download the files and then import in ClearPass, but no luck.



  • 4.  RE: ClearPass RADIUS certificate expiring

    Posted Oct 04, 2019 10:15 AM

    I am on ClearPass Policy Manager 6.8.0.109592 by the way.

    Thanks



  • 5.  RE: ClearPass RADIUS certificate expiring

    Posted Oct 04, 2019 10:32 AM

    So I went and checked in my local CA crtsrv and under Issued Certificates I do not see any of the certificates I have tried; although during the signing process I get to download them, they do not show up in crtsrv as "issued".



  • 6.  RE: ClearPass RADIUS certificate expiring

    Posted Oct 04, 2019 10:58 AM

    I lied, it's there under crtsrv Issued Certificates.



  • 7.  RE: ClearPass RADIUS certificate expiring

    EMPLOYEE
    Posted Oct 04, 2019 11:46 AM

    When you imported your RADIUS certificate, you should see the 'Issued By' with your root CA and you should see your RootCA:

    [Screenshot: Screen Shot 2019-10-04 at 17.43.11.png]

    This is an example with an internal CA that directly signed my RADIUS certificate. If it doesn't look like that, I would have it double checked by Aruba TAC or another professional.



  • 8.  RE: ClearPass RADIUS certificate expiring

    Posted Oct 04, 2019 01:48 PM

    Thanks Herman,

    I requested my case to be elevated and worked with an engineer to resolve this. Apparently the cer signed by my local CA only contains the server certificate (I don't know why, maybe it is the template I used? Web). In order to have the local CA show in ClearPass after importing, we had to extract the server portion and the Root portion and then combine them into one file. Here are the steps:

    After generating the CSR on ClearPass and having it signed by AD2012R2, the certificate generated in Base64 format was downloaded and imported into ClearPass; however, ClearPass was only showing the server certificate and not the Root.
    In order to have this certificate installed correctly, the following needs to be done:
    1.- Right click on the base64 file, then select Open, go to the Certification tab and highlight your ClearPass certificate
    2.- Go to the Details tab and then select Copy to File
    3.- Click Next
    4.- Select Base-64 encoded X.509 (.CER) and click Next
    5.- Name the file server.cer + Next, then Finish; the file will be created and placed in the same location as the original cert.
    6.- On the same open window that shows the certificate details, go to Certification Path and click on the Root
    7.- Select View Certificate
    8.- Go to Details, then Copy to File
    9.- Click Next
    10.- Select Base-64 encoded X.509 (.CER)
    11.- Name it Root.cer, click Next, then Finish.
    12.- Open Server.cer in an editor (Notepad++)
    13.- Open Root.cer and copy the contents of the certificate
    14.- Paste immediately below the Server.cer contents; make sure there are no extra lines at the end.
    15.- Save the file and use this file to import in ClearPass. After importing you will see both Server and Root.

    I looked and looked and all videos showed an easy process, but for me it was not.


  • 9.  RE: ClearPass RADIUS certificate expiring

    EMPLOYEE
    Posted Oct 07, 2019 08:49 AM

    Good that you fixed it. I'm sure there are some shortcuts in what you described, but if it works, it works, which is most important.

    Could it be that you imported the server certificate into the Trust List? In that case, it could be that during the import the certificate is considered the root itself, thus no adding of the root in the chain. What you did now is import the certificate + the root in a single file, which works but should not be needed. I won't touch it as it looks good now.



  • 10.  RE: ClearPass RADIUS certificate expiring

    Posted Jul 01, 2020 11:05 PM

    Hi, I have a question. As I saw in the below screenshot, the validity is different from the Root CA. What will be the impact if the above certificate is expiring soon and the Root CA is not? Should we need to renew or import a new cert?

    [Screenshot: Capture.PNG]

    Thanks.

    Mich



  • 11.  RE: ClearPass RADIUS certificate expiring

    EMPLOYEE
    Posted Jul 02, 2020 03:21 AM

    The one marked with the yellow circle is the actual server certificate, and if that is expiring you should renew the certificate or request a new one with the same name and with the same CA.

    If one of the certificates in the chain expires, clients will no longer be able to connect. Root CAs in general have a long running time (10s of years) and are stored in your browser or operating system. Intermediate CAs are more dynamic, typically a few years, but fine as long as the root doesn't change, and the actual server certificate typically will have a 1-3 year validity period.



  • 12.  RE: ClearPass RADIUS certificate expiring

    Posted Jul 27, 2020 10:45 PM

    Hi Herman,

    Thanks for your response.

    May I know how to renew it, as this is the first time we are renewing the server certificate and I can't find any guide on the internet.

    Thanks again and appreciate your help.

    Regards,

    Mich



  • 13.  RE: ClearPass RADIUS certificate expiring

    EMPLOYEE
    Posted Jul 28, 2020 04:22 AM

    Best practice for an expiring RADIUS EAP Server certificate is to just request a new one and install that.

    There are three constraints:

    - Use the same SAN/CN as in your previous certificate. Note that having a SAN with the same name as the CN is now mandatory.

    - Get the certificate signed by the same root CA. If you don't, clients will have issues trusting it. If you can't use the same root CA, prepare for the reconfiguration of all your clients.

    - Make sure the lifetime of your newly signed certificate is less than 825 days.

    I think this summary from JISC/Eduroam in the UK is a nice resource.



  • 14.  RE: ClearPass RADIUS certificate expiring

    Posted Jul 28, 2020 09:30 PM

    Hi Herman,

    Do I need to generate a CSR again on ClearPass? Sorry for the stupid question, I'm not an expert on the certificate thingy.

    Thanks.

    Mich



  • 15.  RE: ClearPass RADIUS certificate expiring

    EMPLOYEE
    Posted Jul 30, 2020 05:51 AM

    I would generate the CSR outside of ClearPass with OpenSSL, and import the full private+public key+certificate, so you have a backup of it.

    I think you could even re-submit your existing CSR to the CA, but that would not change the private key.

    If you are not sure, it may be best to work with someone to assist you like your Aruba Partner or Aruba Support.
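    As an added illustration of the renewal steps discussed in posts 8, 13 and 15 (this is not code from the thread, from HPE Aruba or from ClearPass), the script below runs the same workflow with the OpenSSL CLI: generate the key and CSR outside ClearPass so you keep the private key, have the CSR signed, check that "Issued By" names the root you trust, assemble the server+root bundle with no stray blank lines, confirm the SAN carries the CN and the lifetime stays under 825 days, test how many days of validity remain, and export a PKCS#12 backup. A throwaway root CA, generated inside a temp directory, stands in for the AD CS root so the script runs offline; the hostname is an assumed placeholder. `openssl req -addext` needs OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# Added example, not code from the thread or from HPE Aruba: the renewal
# workflow from posts 8, 13 and 15 scripted with the OpenSSL CLI.
# A throwaway root CA stands in for the AD CS root so everything runs
# offline; in real use the CSR goes to your own CA and root.cer is that
# CA's certificate. The hostname below is an assumed placeholder.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CN="clearpass.example.test"   # assumed; reuse the name of the expiring certificate

# Throwaway issuing CA (constructed for the demo only).
make_test_root() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/CN=Example Lab Root CA" \
        -keyout "$WORK/root.key" -out "$WORK/root.cer" 2>/dev/null
}

# Post 15: key and CSR made outside ClearPass so you keep the private key.
# Post 13: the SAN must carry the same name as the CN.
make_csr() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=$CN" -addext "subjectAltName=DNS:$CN" \
        -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
}

# Stand-in for the CA signing step. x509 -req drops CSR extensions by default,
# so the SAN is re-supplied through an extension file.
sign_csr() {
    printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$CN" > "$WORK/ext.cnf"
    openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/root.cer" -CAkey "$WORK/root.key" \
        -CAcreateserial -days "$1" -sha256 -extfile "$WORK/ext.cnf" \
        -out "$WORK/server.cer" 2>/dev/null
}

# Post 7: "Issued By" on the server certificate must name the root you trust.
issuer_matches_root() {
    issuer=$(openssl x509 -in "$WORK/server.cer" -noout -issuer | sed 's/^issuer=//')
    subject=$(openssl x509 -in "$WORK/root.cer" -noout -subject | sed 's/^subject=//')
    [ "$issuer" = "$subject" ]
}

# Post 8, steps 12-15: server certificate first, then its issuer, no stray
# blank lines. Re-encoding through openssl x509 normalises each PEM block.
# Prints the number of certificates in the resulting bundle.
build_bundle() {
    {
        openssl x509 -in "$WORK/server.cer"
        openssl x509 -in "$WORK/root.cer"
    } > "$WORK/bundle.cer"
    grep -c 'BEGIN CERTIFICATE' "$WORK/bundle.cer"
}

# The leaf must chain to the root that sits in ClearPass's Trust List.
verify_chain() {
    openssl verify -CAfile "$WORK/root.cer" "$WORK/server.cer" >/dev/null 2>&1
}

# Post 13, first constraint: the SAN carries the CN.
san_matches_cn() {
    openssl x509 -in "$WORK/server.cer" -noout -text | grep -q "DNS:$CN"
}

# The thread's opening problem: is the certificate still valid for N more days?
# -checkend exits 0 when the certificate outlives the window, non-zero otherwise.
valid_for_days() {
    openssl x509 -in "$WORK/server.cer" -noout -checkend $(( $1 * 86400 )) >/dev/null 2>&1
}

# Post 13, third constraint: total lifetime under 825 days. For a certificate
# issued today, "expires within 825 days" is the same statement.
lifetime_under_825_days() {
    ! valid_for_days 825
}

# Post 15 (and the revert plan in post 1): PKCS#12 backup holding key,
# certificate and root. Prints the number of certificates read back from it.
export_backup() {
    openssl pkcs12 -export -inkey "$WORK/server.key" -in "$WORK/server.cer" \
        -certfile "$WORK/root.cer" -passout pass:changeit -out "$WORK/backup.p12"
    openssl pkcs12 -in "$WORK/backup.p12" -passin pass:changeit -nokeys 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE'
}

run_renewal_demo() {
    make_test_root
    make_csr
    sign_csr 730                      # two-year certificate, inside the 825-day limit
    echo "certificates in bundle: $(build_bundle)"
    issuer_matches_root && echo "issuer matches root: yes"
    verify_chain && echo "chain verifies against root: yes"
    san_matches_cn && echo "SAN matches CN: yes"
    valid_for_days 30 && echo "valid for at least 30 days: yes"
    lifetime_under_825_days && echo "lifetime under 825 days: yes"
    echo "certificates in p12 backup: $(export_backup)"
}

run_renewal_demo
```

    Against a real deployment you would drop `make_test_root` and `sign_csr`, point `root.cer` at the CA certificate already in the Trust List, and run `valid_for_days` on a schedule (for example with 30 or 60) so the expiry that opened this thread is flagged well before clients stop connecting. The `bundle.cer` produced here is the single file post 8 builds by hand in Notepad++.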



  • 16.  RE: ClearPass RADIUS certificate expiring

    Posted Aug 02, 2020 11:16 PM

    Hi Herman,

    Noted. But requesting a new CSR will not affect the Root CA once the newly signed cert is imported?

    Thanks.

    Regards,



  • 17.  RE: ClearPass RADIUS certificate expiring

    EMPLOYEE
    Posted Aug 04, 2020 07:48 AM

    If you have on-boarded devices, make sure the new CSR has the same CN name as the old certificate; if it is different then device auth will fail.

    If you are signing with the same CA that signed the old certificate, then mostly the Root certificate will be the same.



  • 18.  RE: ClearPass RADIUS certificate expiring

    Posted Jul 06, 2021 10:08 PM
    Hello Herman

    I have a problem with the CA certificate. I created a different certificate than the one that was installed and my clients with the Windows operating system do not recognize it; I have to add the Wi-Fi network manually. What can I do so that my clients reconnect without manually setting the Wi-Fi network in Windows?

    I currently have ClearPass version 6.10




    ------------------------------
    lalo rocha
    ------------------------------



  • 19.  RE: ClearPass RADIUS certificate expiring

    EMPLOYEE
    Posted Jul 07, 2021 10:56 AM
    That depends on the client configuration. Your clients should trust your RADIUS server's certificate, by having the root and certificate name configured.

    If you changed the certificate, and either the RootCA, or the server name changed, it is expected that your clients will not be able to connect. Changing your RADIUS certificate is something you need to carefully plan and execute.

    In this situation, as I don't know the previous situation, nor the current situation, I would recommend working with your Aruba partner, or Aruba Support to find out what went wrong and how to possibly recover with the fewest interruptions to your clients.

    ------------------------------
    Herman Robers
    ------------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------