Frequent Contributor I

Clearpass Certificate Issue

My clearpass server and radius certs expire in 2 weeks.

 

I am in the process of trying to get new ones and am running into issues.

 

I generated the CSR from Clearpass and used that with my certificate authority to generate a certificate.

 

When I try to install the certificate in Clearpass I get the following error - "Certificate file is not valid. Either the certificate signature is tampered or file is corrupted."

 

I am running 6.7.9

 

Any help would be appreciated.

Guru Elite

Re: Clearpass Certificate Issue

Which CA do you have and exactly what procedure did you use?  What did you do the last time?

 

We are missing quite a bit of information to assist you.


*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
ArubaOS 8.5 User Guide
InstantOS 8.5 User Guide
Airheads Knowledgebase
Airheads Video Knowledge Base
Remote Access Point Solution Guide
ArubaOS Consolidated Release Notes
ArubaOS 8 ViA VPN Solution Guide
Frequent Contributor I

Re: Clearpass Certificate Issue

Sorry - more information provided below.

 

CA is InCommon.

 

Procedure - filled out the CSR from Clearpass.

I copied and pasted it exactly into InCommon.

It generated the certificate, which I downloaded and tried to import into Clearpass.

Upload method: Upload Certificate and use Saved Private Key.

 

Last time - I don't remember, it was 2 years ago. I know I got the cert from InCommon. What I do remember is this being a major pain in the butt last time too.

 

This was so much easier when I was using NPS.

 

Thanks.

Guru Elite

Re: Clearpass Certificate Issue

You should be using a private CA for 802.1x, because all of your domain clients should already trust that. You should be using a public CA for the guest portal HTTPS certificate.


Frequent Contributor I

Re: Clearpass Certificate Issue

Are you saying the issue is InCommon?

 

The certificate I was actually trying to replace was the https one and I was getting the error. Last time I used the same certificate for both https and RADIUS.

 

Typically my domain clients (the Windows ones anyways) authenticate via machine auth which is fine.

 

95% of my non-Domain clients do not use guest as they are employees or students (or eduroam users). Should they be using a certificate from a private CA?

Frequent Contributor I

Re: Clearpass Certificate Issue

Your RADIUS cert can be private, but the HTTPS one needs to be publicly signed.

 

I would suggest importing a PKCS12 (.p12) file if you can. If not, make sure the CSR you upload has the full chain and you upload the full chain CSR on the server from which you generated the CSR otherwise the private key will not be there. If you have additional servers, export the p12 from that server with a passphrase and proceed to upload that to the other servers.

 

Also, make sure your certificate provider is trusted in the Trust List section.

Frequent Contributor I

Re: Clearpass Certificate Issue

If the Clearpass CSR requires the entering of a private key password, why does it not generate a private key file? I think that might be part of the issue.

Frequent Contributor I

Re: Clearpass Certificate Issue

I'm talking about an export. When you generate the CSR on CPPM, the private key will be on that box, and that box only.

MVP Guru

Re: Clearpass Certificate Issue

When you generate a CSR on the ClearPass UI, there will be a multi-file download: one for the CSR and one for the private key. Some browsers handle downloading multiple files on a single click differently. When generating the CSR and downloading it, make sure that you get 2 files. It can be that there is a warning in the browser URL bar which is clear or more hidden depending on the browser. If you can't get both files, try a different browser.

 

Check this video to see what I mean.

 

I'd think that if you missed the private key during the CSR export, it is no longer available and you will need to re-do the request process. You can use your own, or CA tools as well to generate a CSR and keypair for a standard HTTPS server certificate. There is no need to do that on the ClearPass server.

--
If you have urgent issues, please contact your Aruba partner or Aruba TAC (click for contact details).
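
The off-box route suggested in the replies above (generate the key pair and CSR with openssl, confirm the issued certificate belongs to that key and chains to the CA before uploading, then bundle a PKCS#12 for import), as an added example that is not part of any post in this thread. The file names and the one-day demo CA that stands in for the real CA are constructed; `-addext` assumes OpenSSL 1.1.1 or later.

```shell
# Added example: file names and the one-day demo CA are constructed stand-ins.
set -eu
umask 077   # private keys created below are readable by the owner only

# Generate a new RSA key pair and CSR off-box; the key stays in <dir>.
make_key_and_csr() {  # usage: make_key_and_csr <dir> <fqdn>
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -addext "subjectAltName=DNS:$2" \
    -keyout "$1/server.key" -out "$1/server.csr" 2>/dev/null
}

# SHA-256 over the PEM public key carried by a key, CSR or certificate.
pubkey_fp() {  # usage: pubkey_fp key|csr|cert <file>
  pub=$(case "$1" in
    (key)  openssl pkey -in "$2" -pubout ;;
    (csr)  openssl req  -in "$2" -noout -pubkey ;;
    (cert) openssl x509 -in "$2" -noout -pubkey ;;
    (*)    exit 2 ;;
  esac) || return 1
  printf '%s\n' "$pub" | openssl dgst -sha256 -r | cut -d' ' -f1
}

# True only when the certificate was issued for this private key.
cert_matches_key() {  # usage: cert_matches_key <cert> <key>
  c=$(pubkey_fp cert "$1") && k=$(pubkey_fp key "$2") && [ "$c" = "$k" ]
}

# True when the certificate verifies against the given CA bundle.
chain_ok() {  # usage: chain_ok <ca-bundle> <cert>
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Stand-in for the real CA: a one-day demo CA signs the CSR.
demo_sign() {  # usage: demo_sign <dir>
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Constructed Demo CA" \
    -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
  openssl x509 -req -in "$1/server.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
    -CAcreateserial -days 1 -out "$1/server.pem" 2>/dev/null
}

# Bundle key, certificate and chain into a passphrase-protected PKCS#12 file.
make_p12() {  # usage: make_p12 <dir> <passphrase>
  P12_PASS="$2" openssl pkcs12 -export -inkey "$1/server.key" \
    -in "$1/server.pem" -certfile "$1/ca.pem" \
    -out "$1/server.p12" -passout env:P12_PASS
}
```

With a real CA, skip `demo_sign`, save the issued certificate as `server.pem` and the CA's chain as `ca.pem`, and run `cert_matches_key` and `chain_ok` before building the `.p12`. A fingerprint mismatch means the certificate was issued for a different key than the one on hand.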
Frequent Contributor I

Re: Clearpass Certificate Issue

Hi Herman,

 

Your videos are awesome. They are literally what I used to configure my Clearpass two years ago.

 

That being said - I am not getting the option to download both, as you can see from the picture.

 

I believe last time I did this using openssl, and I'll probably do that again. I just need to figure out how.

 

Thanks for responding.

 

CSR.PNG
