MVP Expert

Re: Clearpass Certificate Issue

On newer code the private key is stored on the system itself.

We see this message on the CSR popup window, which prompts you to download the CSR.

 

Create Certificate Signing Request
Private Key is stored in the system. You can now upload certificate alone without using Private Key

 

The certificate you got signed might have been corrupted; try generating a new CSR, getting it signed, and uploading it again.


Pavan Arshewar | ACCP

If my post addresses your queries, give kudos and accept as solution!
NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.
MVP Guru

Re: Clearpass Certificate Issue

Ok, I missed that the private key is not downloaded in recent versions. Thanks for the update.

--
If you have urgent issues, please contact your Aruba partner or Aruba TAC (click for contact details).
Frequent Contributor I

Re: Clearpass Certificate Issue

Thanks Pavan - I've tried doing that.

 

Perhaps I'm not selecting the right certificate type from my provider?

 

These are the choices I'm presented for downloading.

 

(screenshot: certs.PNG)

MVP Expert

Re: Clearpass Certificate Issue

Download certificate with chain.


Pavan Arshewar | ACCP

If my post addresses your queries, give kudos and accept as solution!
NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.
Contributor II

Re: Clearpass Certificate Issue

Ugh - same issue here.

 

InCommon certs have been signed as follows:

 

InCommon intermediate cert

UserTrust intermediate cert

AddTrust root cert

 

The AddTrust root expired today. There's a new UserTrust cert that is now the root. I've imported this and enabled it. But the existing cert is still using the old chain.

 

So I'm trying to re-upload the cert and/or chain using the existing private key. But I am also getting the "certificate file is not valid. Either the certificate signature is tampered or file is corrupted" error. Both PEM and PKCS#7 (PEM encoded) result in this error.

 

I tried PKCS#7 (p7b) and I get "Private Key File is not available in the system."

 

Since there's no way to export the existing key, it seems the only way is to generate a new CSR and get a new one? Or can TAC import them via the command line?

 

BTW, in my case I'm using 6.7.12. The current certs were installed when the system was under 6.6.

 

Adding that I created a new CSR, but there's no way to download the private key. The only option is to download the CSR.

 

 

Frequent Contributor I

Re: Clearpass Certificate Issue

I'm not really following what you're trying to do, but you can export your cert. You just need to scroll down and you'll see an export.

 

In general, I recommend importing your full-chain PEM and key, or installing just a PKCS12.

Contributor II

Re: Clearpass Certificate Issue

The only way was to replace the cert. I generated a new CSR, and it would only accept PKCS#7 as the format.

 

 

Contributor II

Re: Clearpass Certificate Issue

But now CPPM updates are getting the following:

 

Unknow Error - [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:579)
Check details entered, Network Connectivity, http_proxy credentials.
Click on 'Check Status Now' after correcting the configuration.

 

 

MVP Expert

Re: Clearpass Certificate Issue

  • When creating a signing request (CSR), the private key is stored on the ClearPass node. So you can't create a PKCS#12 without creating the CSR on an external server, or exporting the current one from ClearPass when you have a valid certificate.
  • When creating a CSR and signing it against your PKI CA server, be sure that the signed certificate is installed on the ClearPass node where the CSR was created; only that node has the private key.
  • Check that your system time and timezone settings are correct.
  • Check that the CA root and intermediates are in the ClearPass trust store, and be sure that they are ENABLED.

See attached a quick example with Windows Server CA.

Hope this helps.

Kind Regards Marcel Koedijk
HPE ASE Flexnetwork | ACMP | ACCP | Ekahau ECSE Design - Was this post useful? Kudos are welcome.
Aruba Employee

Re: Clearpass Certificate Issue

Hi,

 

Since the Root CA UserTrust certificate expired on 30/5/2020, I would recommend you generate a new CSR, get the CSR signed by the CA, and then import it back into ClearPass. Usually we recommend generating the CSR outside of the managed device, but you can do it on ClearPass as well. After you import the certificate into ClearPass, you will have the option to export it with the private key. This is recommended so you keep a backup of the certificates in use.

 

The certificate was originally signed by UserTrust so what you are seeing in terms of CA chain is correct. It will not suddenly change to be signed by the new CA. You need to generate a new certificate.

 

Finally, you will not have the option to download the private key until you import the signed certificate into ClearPass. The process is as follows. You generate a CSR on ClearPass. It really generates a CSR and a private key. The CSR and private key are linked. Previously, you were able to download them both without installing the certificate. With newer ClearPass versions, you will only be able to download the CSR. Once you sign the CSR and get the certificate, you import it into ClearPass. ClearPass will check whether the certificate and the private key (which it generated before) match.
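The checks behind the errors in this thread (key/certificate mismatch, "signature is tampered or file is corrupted", a chain that will not verify because the intermediate is missing or disabled in the trust list, and a root that is about to expire the way AddTrust did), plus the PKCS#12 and PKCS#7 packaging mentioned in the replies, reproduced with openssl on a throwaway lab PKI. This is an added example, not code from the thread, from Aruba or from ClearPass; ClearPass does its own checks internally, and this script only shows what those checks amount to. Every name in it (lab-root, lab-int, cppm.lab.example, the "changeit" passphrase, the temp directory) is invented for the example.

```shell
#!/bin/sh
# Added example, not code from this thread, from Aruba or from ClearPass.
# Builds root -> intermediate -> server cert in a temp directory and runs the
# checks that sit behind the errors discussed in the thread. All names here
# (lab-root, lab-int, cppm.lab.example, passphrase "changeit") are invented.
set -eu
WORK="${WORK:-$(mktemp -d)}"
cd "$WORK"

# The server key is created next to its CSR and never leaves this directory,
# which mirrors ClearPass keeping a CSR's private key on the node that made it.
build_lab_pki() {
  printf 'basicConstraints=critical,CA:true\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
  printf 'basicConstraints=CA:false\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:cppm.lab.example\n' > srv.ext
  openssl req -newkey rsa:2048 -nodes -subj "/CN=lab-root" -keyout root.key -out root.csr 2>/dev/null
  openssl x509 -req -in root.csr -signkey root.key -days 30 -sha256 -extfile ca.ext -out root.pem 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=lab-int" -keyout int.key -out int.csr 2>/dev/null
  openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial -days 30 -sha256 \
    -extfile ca.ext -out int.pem 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=cppm.lab.example" -keyout leaf.key -out leaf.csr 2>/dev/null
  openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial -days 30 -sha256 \
    -extfile srv.ext -out leaf.pem 2>/dev/null
  cat int.pem root.pem > chain.pem   # the "download certificate with chain" part
}

# Compare public keys: the "certificate and private key do not match" check,
# which also fails when a cert is uploaded to a node other than the one whose
# CSR it was issued from.
key_matches_cert() {  # $1=private key PEM, $2=certificate PEM
  openssl x509 -in "$2" -pubkey -noout > cert.pub 2>/dev/null || return 1
  openssl pkey -in "$1" -pubout > key.pub 2>/dev/null || return 1
  cmp -s cert.pub key.pub
}

# A file that still parses but whose signature no longer verifies is what
# "signature is tampered or file is corrupted" covers.
cert_parses() { openssl x509 -in "$1" -noout 2>/dev/null; }

# Verify the leaf against a trust store. Without the intermediate (missing or
# disabled in the trust list) the chain does not build and verification fails.
chain_verifies() {  # $1=leaf PEM, $2=trusted roots PEM, $3=intermediates PEM (optional)
  if [ -n "${3:-}" ]; then
    openssl verify -CAfile "$2" -untrusted "$3" "$1" >/dev/null 2>&1
  else
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
  fi
}

# Rotate the letters of one full base64 line inside the signature (two lines
# above END CERTIFICATE): the DER structure and public key survive, the
# signature does not.
tamper_signature() {  # $1=in PEM, $2=out PEM
  n=$(( $(wc -l < "$1") - 2 ))
  sed "${n}y/ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz/BCDEFGHIJKLMNOPQRSTUVWXYZAbcdefghijklmnopqrstuvwxyza/" "$1" > "$2"
}

# Still valid $2 seconds from now? Run this over every root and intermediate in
# the trust list; it is the check that flags an AddTrust-style expiry early.
valid_for() { openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1; }

# Key + leaf + chain in one PKCS#12 (the "install just a PKCS12" route)...
build_pkcs12() {
  openssl pkcs12 -export -inkey leaf.key -in leaf.pem -certfile chain.pem \
    -passout pass:changeit -out leaf.p12 2>/dev/null
}
pkcs12_cert_count() { openssl pkcs12 -in leaf.p12 -passin pass:changeit -nokeys 2>/dev/null | grep -c 'BEGIN CERTIFICATE'; }
# ...and leaf + chain with no key as PKCS#7, the format reported as accepted after a CSR.
build_pkcs7() { openssl crl2pkcs7 -nocrl -certfile leaf.pem -certfile int.pem -certfile root.pem -out chain.p7b 2>/dev/null; }
pkcs7_cert_count() { openssl pkcs7 -in chain.p7b -print_certs -noout 2>/dev/null | grep -c '^subject'; }

not() { ! "$@"; }
report() { label=$1; shift; if "$@"; then echo "PASS  $label"; else echo "FAIL  $label"; fi; }

build_lab_pki
tamper_signature leaf.pem leaf-tampered.pem
build_pkcs12
build_pkcs7
report "server key matches the signed certificate"          key_matches_cert leaf.key leaf.pem
report "another node's key does not match it"               not key_matches_cert int.key leaf.pem
report "tampered certificate still parses"                  cert_parses leaf-tampered.pem
report "tampered certificate fails signature verification"  not chain_verifies leaf-tampered.pem root.pem int.pem
report "chain verifies with root trusted and intermediate"  chain_verifies leaf.pem root.pem int.pem
report "chain fails without the intermediate"               not chain_verifies leaf.pem root.pem
report "root valid for another 7 days"                      valid_for root.pem 604800
report "root flagged as expiring within 60 days"            not valid_for root.pem 5184000
echo "PKCS#12 carries $(pkcs12_cert_count) certs, PKCS#7 carries $(pkcs7_cert_count) certs (files in $WORK)"
```

Run it as-is to see the PASS lines; to check a real ClearPass export, point key_matches_cert, chain_verifies and valid_for at the exported key, the signed certificate and the CA files from the trust list instead of the lab files. The tampering step is only there to show that a certificate can parse cleanly and still be rejected; a wrong-node upload shows up in the key comparison, not in parsing.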
