Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Onboard CA will soon expire

  • 1.  Onboard CA will soon expire

    Posted Jan 19, 2017 04:51 AM

    Sifus,

    My Onboard CA will expire soon. Should I just click 'Renew Root certificate', or do I need to create a new CA and ask all the users to re-onboard their devices again?



  • 2.  RE: Onboard CA will soon expire

    Posted Jan 19, 2017 07:32 AM
    Can you renew root certificate with existing key?


  • 3.  RE: Onboard CA will soon expire

    Posted Jan 19, 2017 11:32 PM
    How to do that? By clicking the renew cert button?







    Acelync Networks Sdn Bhd
    Unit 1002, 10th Floor,
    Block A, Damansara Intan,
    No.1, Jalan SS 20/27,
    47400, Petaling Jaya, Selangor
    Tel : 03-7727 7000
    Fax : 03-77270707
    H/P : 012-5681162
    Email: shaiful@acelync.com


  • 4.  RE: Onboard CA will soon expire

    Posted Jan 20, 2017 04:45 AM

    Ok, I've tested this in my lab. I renewed my CPPM CA, by just hitting renew, and my existing client certs were still valid.

     

    Might be worth double checking with TAC though...

     



  • 5.  RE: Onboard CA will soon expire

    Posted Jan 20, 2017 05:16 AM
    Nice.. that means no need to re-onboard, right?

    Regards,
    Shaiful Adli Bin Yaakob

    Network Engineer


  • 6.  RE: Onboard CA will soon expire

    EMPLOYEE
    Posted Jan 20, 2017 05:03 AM

    So you can renew your Onboard Root CA, which will (very likely, I'm not 100% sure) require your clients to onboard again before the original CA expires. This is because the current client certificates are still signed by the existing (and expiring) CA.

     

    Did you already define your own CA? Or are you using the default CA which can be recognized by the name 'Local Certificate Authority'?

     

    If you deployed the default CA, I would create a new CA with a long run time; I typically take 10, 15, 20 years or more to prevent your CA from expiring again in the short term. Also, you can put information about your company/organization in, so if people see the certificate they can recognize it's associated with you.

     

    When you have done that (either renewed, or new CA), you can, during authentication, check whether the client certificate has been issued by the old expiring CA and push those users into the onboarding role again so they will be guided through the process.

     

    If you want to have a definitive answer, I would advise you to work with Aruba TAC.



  • 7.  RE: Onboard CA will soon expire

    Posted Jan 20, 2017 05:20 AM

    @Herman Robers wrote:

    So you can renew your Onboard Root CA; which will (very likely, I'm not 100% sure) require your clients to onboard again..

     ...............

    If you want to have a definitive answer, I would advise you to work with Aruba TAC.


    No, Herman is saying you will likely have to re-onboard.

     



  • 8.  RE: Onboard CA will soon expire

    Posted Jan 20, 2017 05:54 AM

    That means...

    I can renew the CA by clicking 'renew', but... the existing clients would still have to re-onboard due to the old cert existing on the endpoint.

    The advantage of doing it this way is that we can tell the users to slowly re-onboard until the existing CA cert expires, right?

    The other way is to change the CA, but this way will require the users to be re-onboarded immediately..

    Am I correct?

     

     



  • 9.  RE: Onboard CA will soon expire

    EMPLOYEE
    Posted Jan 20, 2017 08:07 AM

    No, at least in the situation where you have a second/new CA, you can still use the expiring CA as both will be trusted for client certs.

     

    I once created a new CA with longer expiration and 4096-bit keys (which can be considered more secure), and configured new clients to get a certificate from the new CA. But both CAs were trusted, and clients could have certificates from either CA.

     

    After some testing, I conclude that in fact it does not make a difference at all, because if you renew your existing CA, an additional entry for the Root CA will be created in the trust list:

    root-renewal.png

    It might be that the root has the same key pair, but that does not matter either.

     

    As soon as the old CA expires, all certificates signed by that CA are likely to become invalid; by that time your clients need to be re-onboarded and have a client certificate that is signed by a still-valid CA that is in the trust list. If we had created a new CA, it would be similar, just the naming is different.

     

    My choice would be to create a new CA, and name it differently as well to ease troubleshooting. If the signing CA has a different name, you can quickly see whether clients have a cert from the old or from the new CA. If you renew, you cannot easily see, as the naming is the same.

     

    You are likely to need to onboard all clients before the existing CA expires, regardless of the choice to renew the CA or create a new CA. As the current CA is likely to have a short running time, and I could not find a way to change the expiration period when renewing, I would go for a new CA and set the expiration of the root CA to 10, 15 or 20 years (and take the highest possible when in doubt).

     

    For official advice, please contact Aruba TAC, as they can look at your system with you and get a better view of your case.



  • 10.  RE: Onboard CA will soon expire

    Posted Jan 20, 2017 09:53 AM
    Your choice seems to be the wiser selection, but in order to get both CAs trusted, the client has to be onboarded first, and the existing clients can't connect because the provisioning profile is pointing to the new CA.
    For the new clients there should be no issue. I'm more worried about the existing onboarded clients.


  • 11.  RE: Onboard CA will soon expire

    EMPLOYEE
    Posted Jan 20, 2017 10:19 AM

    Please realize that the Onboard CA is the CA that issues the client certificates. So, as long as you only issued client certificates from your Onboard CA, just ClearPass needs to trust the client certificates. There is no need for your clients to trust the Onboard CA, as clients only validate the RADIUS server certificate. That RADIUS certificate is not issued by your Onboard CA (at least, it should not be).

     

    Client verifies RADIUS server certificate (hope that is not expiring).

    Server (ClearPass) verifies the client certificate.

     

    Because both the current and the new CA will be in the ClearPass trust list, ClearPass will trust client certificates issued by either CA. So your current onboarded clients will work, and newly onboarded clients will work at the same time.

     

    The only issue should be if your RADIUS certificate is also expiring at (about) the same time, or if it is issued by your Onboard CA that will expire (again, it is not recommended to get your RADIUS cert from the Onboard CA, but it is possible, and I know a few people take the shortcut of mis-using the Onboard CA for generating the RADIUS certificate). Again, this should not be the case. What CA issued your RADIUS certificate?

     

    If you work with TAC, they can go over your ClearPass and certificate deployment with you and see if any of the pitfalls are present in your environment.
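The trust relationships described in this reply and in the earlier ones (the old and the new Onboard CA both in the ClearPass trust list, ClearPass validating the client certificate, users whose certificate came from the expiring CA being pushed back into onboarding) can be modelled in a lab with nothing but the openssl CLI. The script below is an added example, not ClearPass code and not something posted in the thread: the CA names, validity periods, the 90-day re-onboarding window and the `auth_decision` policy are all constructed for illustration, and `openssl verify` against a PEM bundle stands in for the ClearPass trust list.

```shell
#!/bin/sh
# Lab model of the Onboard CA rotation discussed in the thread (added example).
# "old-ca" plays the short-lived default CA (30 days left), "new-ca" the replacement
# (about 20 years, 4096-bit key). A PEM bundle models the ClearPass trust list and
# `openssl verify` models ClearPass checking the client certificate at EAP-TLS time.
set -e
WORK="$(mktemp -d)"
cd "$WORK"

# Minimal req config (constructed for this example) so the CA certificates carry
# CA:TRUE no matter what the system openssl.cnf contains.
cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

make_ca() {   # $1=CA name  $2=validity in days  $3=RSA key size
  openssl req -x509 -config ca.cnf -newkey "rsa:$3" -nodes -sha256 -days "$2" \
    -subj "/CN=$1" -keyout "$1.key" -out "$1.crt" 2>/dev/null
}

issue_client() {   # $1=issuing CA name  $2=client name; one-year client certificate
  openssl req -config ca.cnf -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$2.key" -out "$2.csr" 2>/dev/null
  openssl x509 -req -in "$2.csr" -CA "$1.crt" -CAkey "$1.key" -CAcreateserial \
    -days 365 -sha256 -out "$2.crt" 2>/dev/null
}

make_ca old-ca 30 2048        # the expiring CA the thread is about
make_ca new-ca 7300 4096      # the long-lived replacement suggested in the thread
make_ca rogue-ca 365 2048     # a CA ClearPass never trusted, for contrast
cat old-ca.crt new-ca.crt > trust.pem   # trust list: old AND new CA, as in reply 9

issue_client old-ca alice     # onboarded before the provisioning profile changed
issue_client new-ca bob       # onboarded after the profile moved to new-ca
issue_client rogue-ca mallory # certificate from a CA outside the trust list

# Does the client certificate chain to a CA in the trust list? (ClearPass's check)
accepted_by_trust_list() { openssl verify -CAfile trust.pem "$1.crt" >/dev/null 2>&1; }

# CN of the CA that issued a client certificate; tolerates both issuer print formats.
issuer_cn() { openssl x509 -in "$1.crt" -noout -issuer | sed 's/.*CN *= *//'; }

# Authentication-time decision modelled on reply 6: accept any certificate from a
# trusted CA, but flag it for re-onboarding when its issuing CA expires within the
# window. Prints ACCEPT, ACCEPT-REONBOARD or REJECT.
REONBOARD_WINDOW_DAYS=90   # constructed value; pick what your rollout needs
auth_decision() {
  if ! accepted_by_trust_list "$1"; then
    echo REJECT
    return 0
  fi
  ca="$(issuer_cn "$1")"
  # -checkend succeeds only if the CA certificate is still valid after the window
  if openssl x509 -in "$ca.crt" -noout -checkend $((REONBOARD_WINDOW_DAYS * 86400)) >/dev/null; then
    echo ACCEPT
  else
    echo ACCEPT-REONBOARD
  fi
}

for client in alice bob mallory; do
  printf '%-8s issuer=%-9s decision=%s\n' \
    "$client" "$(issuer_cn "$client")" "$(auth_decision "$client")"
done
```

Run as-is: alice (old-ca) is still accepted but flagged for re-onboarding, bob (new-ca) is accepted outright, and mallory is rejected because rogue-ca is not in the bundle. Note that a leaf certificate is allowed to outlive its issuer here, exactly the situation reply 4 observed after renewing; it only stops verifying once old-ca itself is past its notAfter. The script deliberately does not model the RADIUS server certificate that the clients validate; as this reply says, that certificate should come from a different CA and has its own expiry to track.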



  • 12.  RE: Onboard CA will soon expire

    Posted Jan 22, 2017 11:08 PM

    'Because both current and new CA will be in the ClearPass Trust list, ClearPass will trust client certificates issued by either CA. So your current Onboarded clients will work, and new onboarded clients will work in the same time'

     

    I understood this, but what will happen after I point the provisioning profile to the new CA (refer to attached)? Should my existing clients be able to onboard after I change it to the new CA?

     

    For my case, the RADIUS server cert expires at exactly the same time.

     

    My idea is to renew the cert to avoid any disruption to existing clients.