Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

New PKI server certificate migration

  • 1.  New PKI server certificate migration

    Posted May 13, 2019 06:32 AM
    Hi,

    I am using an internal CA server certificate on ClearPass for RADIUS authentication and everything is working fine. Now our PKI infrastructure is going to change, so can we use the old PKI and new PKI RADIUS server certificates on the same ClearPass server? I want to ensure that client PCs can authenticate whether they have an old or new PKI client certificate. 6.7 has an option for a service-specific certificate, but how do I add the service categorisation rule based on the certificate (old or new PKI certificate PC), as they are using the same NAD and the same auth source?


  • 2.  RE: New PKI server certificate migration

    Posted May 13, 2019 06:57 AM

    The client certificate and server-side certificate have nothing to do with each other.
    If I understand correctly, your clients and ClearPass are going to use a new certificate because of a new PKI.

    You can't filter a service based on the client certificate.
    The migration is simple.

    At ClearPass:

    * Add the new root/intermediate CA to the trust list
    * If you filter on the CA in the service, make sure you add the new PKI
    * At this point the clients should be able to authenticate

    At the clients:

    * Make sure you trust the new ClearPass RADIUS certificate in the wired/wireless dot1x configuration

    After this, once the clients trust the new ClearPass certificate, you can replace the ClearPass RADIUS certificate. Make sure you have a backup of the public/private key so you can roll back the replacement.
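
The ordering in the reply above, as an added example that is not part of the original post or of any Aruba tooling: a simplified Python model of EAP-TLS mutual trust that lists which clients would fail at each migration step. The CA names, client inventory and function names are constructed for illustration, and trust is modelled by issuing root only (no intermediates, expiry, revocation or server-name checks).

```python
from dataclasses import dataclass, replace

OLD, NEW = "OldPKI-Root", "NewPKI-Root"   # constructed CA names

@dataclass(frozen=True)
class Client:
    name: str
    cert_issuer: str          # CA that issued the client certificate
    trusted_roots: frozenset  # roots the supplicant accepts for the RADIUS server

@dataclass(frozen=True)
class Server:
    cert_issuer: str          # CA that issued the RADIUS server certificate
    trust_list: frozenset     # CAs the server accepts for client certificates

def failures(server, clients):
    """Map each client that would fail EAP-TLS to the side that rejects the other."""
    bad = {}
    for c in clients:
        if server.cert_issuer not in c.trusted_roots:
            bad[c.name] = "client rejects server certificate"
        elif c.cert_issuer not in server.trust_list:
            bad[c.name] = "server rejects client certificate"
    return bad

def blockers_for_swap(clients, new_issuer):
    """Clients that still need the new root before the server certificate is replaced."""
    return sorted(c.name for c in clients if new_issuer not in c.trusted_roots)

# Constructed inventory: pc-1 already re-enrolled, pc-2 and pc-3 still hold old-PKI certs.
clients = [
    Client("pc-1", NEW, frozenset({OLD, NEW})),
    Client("pc-2", OLD, frozenset({OLD, NEW})),
    Client("pc-3", OLD, frozenset({OLD})),      # supplicant profile not yet updated
]
before = Server(OLD, frozenset({OLD}))
new_ca_trusted = replace(before, trust_list=frozenset({OLD, NEW}))  # step 1: trust list
cert_swapped = replace(new_ca_trusted, cert_issuer=NEW)             # last step: new cert

if __name__ == "__main__":
    for label, srv in [("before", before), ("new CA trusted", new_ca_trusted),
                       ("server cert swapped", cert_swapped)]:
        print(f"{label}: {failures(srv, clients) or 'all clients authenticate'}")
    print("update supplicant trust first on:", blockers_for_swap(clients, NEW))
```

With both CAs in the server trust list, a single server certificate serves old-PKI and new-PKI clients alike; the only clients at risk are those that do not yet trust the new server certificate's root when it is swapped.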



  • 3.  RE: New PKI server certificate migration

    Posted May 13, 2019 08:22 AM
    Hi Willem,

    Thanks for your response, but I have a different requirement.
    I want to use both PKIs at the same time, as we don't have the bandwidth to replace all client site certificates immediately.

    Can we use two RADIUS server certificates with different PKIs at the same time?


  • 4.  RE: New PKI server certificate migration

    Posted May 13, 2019 08:26 AM
    No, and that is not needed. Just trust the new ClearPass certificate at the client and you can replace the ClearPass certificate without any issue.
    The same goes for ClearPass. Add the new root/intermediate CA to ClearPass and ClearPass can support both client certificates.


  • 5.  RE: New PKI server certificate migration

    EMPLOYEE
    Posted May 14, 2019 07:19 PM


  • 6.  RE: New PKI server certificate migration

    Posted May 15, 2019 03:12 AM

    @PDudakia wrote:

    You could use the following functionality in 6.7.x or later versions:

    https://www.arubanetworks.com/techdocs/ClearPass/6.7/PolicyManager/Content/CPPM_UserGuide/Admin/service_certificate_assign_to_service.htm


    Not possible and not needed for this case.



  • 7.  RE: New PKI server certificate migration

    EMPLOYEE
    Posted May 15, 2019 12:19 PM

    Adding a service certificate is possible and may be required if clients are hardcoded to trust only a specific root CA in the RADIUS server certificate.



  • 8.  RE: New PKI server certificate migration

    EMPLOYEE
    Posted May 15, 2019 12:23 PM
    A service-level EAP server certificate will not really help here.