Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Generate a new SSL certificate in a CLUSTER

  • 1.  Generate a new SSL certificate in a CLUSTER

    Posted Sep 18, 2019 11:27 AM

    Hi experts, I have a question

     

    If I have a cluster with two ClearPass servers, a Publisher and a Subscriber with their respective RADIUS and SSL certificates, but I want to add a third ClearPass server as a Subscriber, how would you install the digital SSL certificate on this new ClearPass server within the cluster?

     

    Regards,

    Carlos Villanueva



  • 2.  RE: Generate a new SSL certificate in a CLUSTER

    EMPLOYEE
    Posted Sep 18, 2019 11:36 AM

    Assuming the existing cert's subject covers the new server/name for HTTPS, just export it and then reimport it scoped at the new node.



  • 3.  RE: Generate a new SSL certificate in a CLUSTER

    Posted Sep 18, 2019 11:43 AM

    Hi Tim, thanks for your reply

     

    That's the problem, the certificate was created with the names of only the two ClearPass servers, without thinking that another would be added later.

    The SSL certificate was created like this:

     

    CPPM1 FQDN:uk.nac01.abc.com (Publisher)

    CPPM2 FQDN:uk.nac02.abc.com (Subscriber)

     

    Common Name (CN): clearpass.abc.com

    Subject Alternate Name (SAN): DNS:clearpass.abc.com,DNS:uk.nac01.abc.com,DNS:uk.nac02.abc.com

     

    I want to add another CPPM Server to the cluster:

     

    CPPM3 FQDN:uk.nac03.abc.com (Subscriber) (new ClearPass Server)

     

    Regards,

    Carlos Villanueva



  • 4.  RE: Generate a new SSL certificate in a CLUSTER

    EMPLOYEE
    Posted Sep 18, 2019 01:12 PM

    You'd need to acquire a new cert with the additional name.



  • 5.  RE: Generate a new SSL certificate in a CLUSTER

    Posted Sep 18, 2019 01:33 PM

    Thanks for your reply

     

    But when generating a new "Certificate Signing Request" within the cluster, would this not affect the certificate that I have already created?

     

    If it does not affect the existing SSL digital certificate, should it be generated as follows?

     

    CPPM1 FQDN:uk.nac01.abc.com (Publisher)

    CPPM2 FQDN:uk.nac02.abc.com (Subscriber)

    CPPM3 FQDN:uk.nac03.abc.com (Subscriber) (new ClearPass Server)

     

    Common Name (CN): clearpass.abc.com

    Subject Alternate Name (SAN):  DNS:clearpass.abc.com,DNS:uk.nac01.abc.com,DNS:uk.nac02.abc.com,DNS:uk.nac03.abc.com

     

    Or

     

    Common Name (CN): clearpass.abc.com

    Subject Alternate Name (SAN): DNS:uk.nac03.abc.com

     

    Regards,

    Carlos Villanueva

     



  • 6.  RE: Generate a new SSL certificate in a CLUSTER
    Best Answer

    EMPLOYEE
    Posted Sep 18, 2019 04:53 PM

    A CSR does not impact the existing installed server certs.

     

    If the goal is to replace the cert across the cluster, then yes, your CSR should contain the FQDN of all nodes.



  • 7.  RE: Generate a new SSL certificate in a CLUSTER

    Posted Sep 18, 2019 04:59 PM

    No, the goal is only to install the certificate for the new ClearPass server, then I will proceed to generate the CSR only with the FQDN of the new ClearPass server. Thank you very much for the help, Tim.

     

    Regards,

    Carlos Villanueva
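
The coverage condition from reply 2 ("Assuming the existing cert's subject covers the new server/name"), checked against the SAN strings quoted in this thread. This is an added example, not part of the thread or of ClearPass; the function names are illustrative, and it assumes the `DNS:a,DNS:b` SAN list format shown above with wildcard matching limited to the leftmost label.

```python
# Added example: checks which cluster node FQDNs a certificate's SAN list covers.

def parse_san(san_field):
    """Split a 'DNS:a,DNS:b' SAN string into lowercase DNS names."""
    names = []
    for entry in san_field.split(","):
        kind, _, value = entry.strip().partition(":")
        # Only DNS entries matter for HTTPS hostname checks; skip IP, email, etc.
        if kind.upper() == "DNS" and value:
            names.append(value.strip().rstrip(".").lower())
    return names


def san_matches(pattern, host):
    """Exact match, or '*' standing for the whole leftmost label only."""
    host = host.rstrip(".").lower()
    if pattern == host:
        return True
    if pattern.startswith("*."):
        head, _, rest = host.partition(".")
        return bool(head) and rest == pattern[2:]
    return False


def uncovered_nodes(san_field, node_fqdns):
    """Return the node FQDNs that no SAN entry of the certificate covers."""
    sans = parse_san(san_field)
    return [n for n in node_fqdns if not any(san_matches(s, n) for s in sans)]


# SAN strings and FQDNs quoted in the thread.
EXISTING_SAN = "DNS:clearpass.abc.com,DNS:uk.nac01.abc.com,DNS:uk.nac02.abc.com"
CLUSTER_SAN = EXISTING_SAN + ",DNS:uk.nac03.abc.com"
NODE3_ONLY_SAN = "DNS:uk.nac03.abc.com"
NODES = ["uk.nac01.abc.com", "uk.nac02.abc.com", "uk.nac03.abc.com"]

if __name__ == "__main__":
    for label, san in [("existing", EXISTING_SAN),
                       ("cluster-wide", CLUSTER_SAN),
                       ("node3-only", NODE3_ONLY_SAN)]:
        print(label, "-> not covered:", uncovered_nodes(san, NODES))
```

A certificate carrying the node3-only SAN is valid only when scoped to the new node; the cluster-wide SAN is the one that can replace the certificate on every node.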