Occasional Contributor II

Clearpass LDAPS to self signed AD

I'm having trouble authenticating against an AD server that has a self-signed CA. I was able to import the cert, but I still fail. I see an "unknown CA" error during the TLS negotiation between the ClearPass and AD server.


Is this a non-starter with ClearPass? And...before everyone flags the security (or lack thereof) of using a self-signed cert....we're testing prior to going in production with a true cert.

MVP Guru

Re: Clearpass LDAPS to self signed AD

You have to export the cert and install it on your laptop, since the laptop doesn't have the root CA.
Thank you

Victor Fabian
Lead Mobility Architect @WEI

Re: Clearpass LDAPS to self signed AD

You also need the AD root cert in ClearPass's trust list.
Seth R. Fiermonti
Consulting Systems Engineer - ACCX, ACDX, ACMX
If you found my post helpful, please give kudos
Guru Elite

Re: Clearpass LDAPS to self signed AD

This is solely between ClearPass and AD. You don't need to do anything to clients.


Since it is a self-signed certificate, upload the AD certificate here:




If it's signed by an internal MS ADCS certificate authority, upload the private root CA.

Tim Cappalli | Aruba Security | @timcappalli

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.
Occasional Contributor II

Re: Clearpass LDAPS to self signed AD

Thanks Tim.

I have limited access to the server, so I uploaded the cert they said the LDAP server is using in the trust's enabled and trusted.

I still throw an unknown CA error in a Wireshark trace, so that means I was given the wrong cert...or I have a mismatch between cert and DNS name.
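The two failure modes raised in this thread (a TLS "unknown CA" alert because the certificate that signed the server cert is not in the trust store, and a certificate whose name does not match the LDAP server's DNS name) can be reproduced and told apart offline with plain openssl. The script below is an added example, not from any poster or from ClearPass; it constructs a self-signed server certificate and an unrelated CA in a temporary directory, and the hostname ad01.example.test is a placeholder.

```shell
#!/bin/sh
# Added example: reproduce "unknown CA" vs. hostname mismatch with openssl.
# All certificates below are constructed on the fly; nothing is fetched.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
HOST=ad01.example.test   # placeholder for the DC's DNS name

# Constructed self-signed certificate standing in for the AD DC's LDAPS cert.
openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
  -keyout "$WORK/ad.key" -out "$WORK/ad.crt" \
  -subj "/CN=$HOST" -addext "subjectAltName=DNS:$HOST" >/dev/null 2>&1

# A CA that did NOT sign the server cert: the "I was given the wrong cert" case.
openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
  -keyout "$WORK/other.key" -out "$WORK/other-ca.crt" \
  -subj "/CN=Some Other Root" >/dev/null 2>&1

# is_self_signed CERT: succeeds when issuer equals subject, i.e. the cert is
# its own CA and must itself be placed in the trust list.
is_self_signed() {
  subj=$(openssl x509 -in "$1" -noout -subject)
  iss=$(openssl x509 -in "$1" -noout -issuer)
  [ "${subj#subject=}" = "${iss#issuer=}" ]
}

# verify_chain CERT CAFILE: prints "ok" when CAFILE can vouch for CERT,
# otherwise "unknown-ca" (what the client side reports as the TLS alert).
verify_chain() {
  if openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; then
    echo ok
  else
    echo unknown-ca
  fi
}

# check_name CERT HOSTNAME: prints "match" when the CN/SAN covers HOSTNAME.
check_name() {
  if openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'; then
    echo match
  else
    echo mismatch
  fi
}

# Stand-alone demonstration of the three checks.
if is_self_signed "$WORK/ad.crt"; then echo "self-signed: yes"; else echo "self-signed: no"; fi
echo "trust store = the server cert itself: $(verify_chain "$WORK/ad.crt" "$WORK/ad.crt")"
echo "trust store = an unrelated CA:        $(verify_chain "$WORK/ad.crt" "$WORK/other-ca.crt")"
echo "name check against $HOST: $(check_name "$WORK/ad.crt" "$HOST")"
echo "name check against wrong.example.test: $(check_name "$WORK/ad.crt" wrong.example.test)"
```

Against a real domain controller the server certificate is captured with `openssl s_client -connect <dc>:636 -showcerts` and fed to the same three functions: if `is_self_signed` succeeds, that exact certificate is what belongs in the trust list; if `verify_chain` against the file you were handed says `unknown-ca`, you were given a certificate that did not issue the server cert; and `check_name` separates a trust problem from a DNS-name mismatch.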

