MVP Guru

Re: ClearPass RADIUS certificate expiring

The one marked with the yellow circle is the actual server certificate, and if that is expiring you should renew the certificate or request a new one with the same name and with the same CA.

 

If one of the certificates in the chain expires, clients will no longer be able to connect. Root CAs in general have a long running time (10s of years) and are stored in your browser or operating system. Intermediate CAs are more dynamic, typically a few years, but fine as long as the root doesn't change, and the actual server certificate typically will have a 1-3 year validity period.

--
If you have urgent issues, please contact your Aruba partner or Aruba TAC (click for contact details).
New Contributor

Re: ClearPass RADIUS certificate expiring

Hi Herman,

 

Thanks for your response.

 

May I know how to renew it as this is the first time we are renewing the server certificate and I can't find any guide on the internet. 

 

Thanks again and appreciate your help.

 

Regards,

Mich

MVP Guru

Re: ClearPass RADIUS certificate expiring

Best practice for an expiring RADIUS EAP Server certificate is to just request a new one and install that.

 

There are three constraints:

- Use the same SAN/CN as in your previous certificate. Note that having a SAN with the same name as the CN now is mandatory.

- Get the certificate signed by the same root CA. If you don't, clients will have issues trusting it. If you can't use the same root CA, prepare for the reconfiguration of all your clients.

- Make sure the lifetime of your newly signed certificate is less than 825 days.

 

I think this summary from JISC/Eduroam in the UK is a nice resource.

New Contributor

Re: ClearPass RADIUS certificate expiring

Hi Herman,

 

Do I need to generate a CSR again on ClearPass? Sorry for the stupid question, I'm not an expert on the certificate thingy.

 

Thanks.

 

Mich

MVP Guru

Re: ClearPass RADIUS certificate expiring

I would generate the CSR outside of ClearPass with OpenSSL, and import the full private+public key+certificate, so you have a backup of it.

 

I think you could even re-submit your existing CSR to the CA, but that would not change the private key.

 

If you are not sure, it may be best to work with someone to assist you like your Aruba Partner or Aruba Support.

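The CSR generation with OpenSSL suggested above, together with a pre-install check of the three constraints listed earlier in the thread, as an added example that is not part of any poster's reply or of Aruba's tooling. The function names, file names and any host name passed in are assumptions; `test_ca` and `test_sign` only build a constructed throwaway CA for a dry run.

```shell
#!/bin/sh
# Added example, not from the thread. Needs OpenSSL 1.1.1+ (-addext, -ext).
# All names and file paths are placeholders.

# make_csr CN DIR: fresh key + CSR made outside ClearPass; SAN repeats the CN.
make_csr() {
    openssl req -new -newkey rsa:2048 -nodes -keyout "$2/new.key" \
        -out "$2/new.csr" -subj "/CN=$1" -addext "subjectAltName=DNS:$1" 2>/dev/null
}

cert_cn() {  # print the subject commonName of a PEM certificate
    openssl x509 -in "$1" -noout -subject -nameopt multiline |
        sed -n 's/^ *commonName *= //p'
}

# check_renewal OLD NEW CA_FILE: prints "ok" only if NEW meets the constraints.
check_renewal() {
    cn=$(cert_cn "$1")
    [ -n "$cn" ] && [ "$cn" = "$(cert_cn "$2")" ] || { echo "CN differs"; return 1; }
    openssl x509 -in "$2" -noout -ext subjectAltName 2>/dev/null | tr ',' '\n' |
        sed 's/^ *//' | grep -qxF "DNS:$cn" || { echo "SAN lacks CN"; return 1; }
    openssl x509 -in "$2" -noout -checkend 0 >/dev/null || { echo "expired"; return 1; }
    # Must expire within 825 days from now; for a freshly issued certificate
    # that bounds its lifetime below 825 days.
    if openssl x509 -in "$2" -noout -checkend $((825 * 86400)) >/dev/null; then
        echo "lifetime too long"; return 1
    fi
    # CA_FILE is the root CA certificate the clients already trust.
    openssl verify -CAfile "$3" "$2" >/dev/null 2>&1 || { echo "CA differs"; return 1; }
    echo "ok"
}

# Constructed fixtures for a dry run: a throwaway CA standing in for the real one.
test_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1/ca.key" \
        -out "$1/ca.pem" -subj "/CN=Constructed Test Root" -days 3650 2>/dev/null
}

# test_sign DIR SAN_NAME DAYS OUT: sign DIR/new.csr with the throwaway CA.
test_sign() {
    printf 'subjectAltName=DNS:%s\n' "$2" > "$1/san.ext"
    openssl x509 -req -in "$1/new.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
        -CAcreateserial -days "$3" -extfile "$1/san.ext" -out "$4" 2>/dev/null
}
```

When the server certificate is issued by an intermediate CA, `openssl verify` also needs that intermediate supplied with `-untrusted`.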
New Contributor

Re: ClearPass RADIUS certificate expiring

Hi Herman,

 

Noted. But requesting a new CSR will not affect the Root CA once the newly signed cert is imported?

 

Thanks.

 

Regards,

MVP Expert

Re: ClearPass RADIUS certificate expiring

If you have on-boarded devices, make sure the new CSR has the same CN name as the old certificate; if it is different, then device auth will fail.

 

If you are signing with the same CA who signed the old certificate, then mostly the Root certificate will be the same.


Pavan Arshewar | ACCP

If my post addresses your queries, give kudos and accept as solution!
NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.