Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Onboard cert that includes the root CA

  • 1.  Onboard cert that includes the root CA

    Posted Feb 14, 2017 02:55 PM

    Hi Forum,


    I usually deploy Onboarding with ClearPass as the root CA for the users' certs it issues. I want to know if there is a way that I can include the companyX root CA in the client cert but have ClearPass be the issuer still?!


    Is that possible?



  • 2.  RE: Onboard cert that includes the root CA

    EMPLOYEE
    Posted Feb 14, 2017 03:03 PM

    ClearPass can issue certs on behalf of Active Directory Certificate Services either as an intermediate or registration authority.



  • 3.  RE: Onboard cert that includes the root CA

    Posted Feb 14, 2017 03:06 PM

    I guess I should've asked for a "how to". I kinda know that it can "issue certs on behalf of Active Directory Certificate Services either as an intermediate or registration authority."


    I'm just not sure how!



  • 4.  RE: Onboard cert that includes the root CA

    Posted Feb 14, 2017 11:32 PM

    I also tried looking at the tech notes, but all I can find is either ClearPass being the issuing and signing CA or ClearPass requesting a cert from AD on behalf of the users. Can't find something for having ClearPass issue the cert to clients where that cert also includes the root CA for companyX!!

    I always feel that I'm this one guy that comes up with requests that don't make sense or no need for them LOL



  • 5.  RE: Onboard cert that includes the root CA
    Best Answer

    EMPLOYEE
    Posted Feb 15, 2017 05:56 AM

    I would ask the requester what functionality he wants to achieve, as the request as defined in your question leaves quite some room for interpretation. You don't include a corporate Root-CA in a client certificate.


    What are some of the possible questions?

    - Can we issue certificates with Onboard that are trusted by our company Root-CA? The answer to that is yes; follow the suggestions by Tim: ADCS, or sign the Onboard CA as an intermediate. I tend to add to such a request that you should know exactly what you are doing, as this turns your Onboard into a certificate-issuing entity that generates certificates that are company-wide trusted, which in turn may result in providing too much trust/access to those certificates. So, yes, it can be done, and no, you probably don't want it unless you have other reasons that some manager asked you to do it.

    - Can we enroll the corporate Root CA to client devices in the Onboarding process? The answer to that is also yes. In the Onboard Trust settings you can select 'manually configure trust settings', which allows you to select one or multiple root CAs that are installed on the client devices. For BYOD, be aware that pushing additional root CAs will allow the company to deploy technologies like SSL interception, which may require explicit consent from the end-user (depending on your local laws).


    If you can ask, and share the question behind the question (what is the expected functionality), that might help in getting the right answer to the right question.
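The "sign the Onboard CA as an intermediate" option from the accepted answer, as an added shell example that is not part of this thread or of ClearPass: it builds a constructed companyX root, an intermediate standing in for the Onboard CA, and one client cert, then checks the client cert against each trust anchor with the openssl CLI. All names and lifetimes are made up.

```shell
#!/bin/sh
# Added example, not from the thread. Builds a constructed corporate root CA, an
# intermediate CA standing in for the Onboard CA, and one client cert, then
# checks which trust anchor makes the client cert valid. Needs the openssl CLI.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# 1. Constructed corporate root (self-signed). Stands in for companyX's root CA.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > root.ext
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=companyX Root CA" \
  -keyout root.key -out root.csr 2>/dev/null
openssl x509 -req -in root.csr -signkey root.key -days 3650 -extfile root.ext \
  -out root.pem 2>/dev/null

# 2. Intermediate signed by the root: the "Onboard CA as an intermediate" case.
#    pathlen:0 stops it from creating further sub-CAs.
printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Onboard Intermediate CA" \
  -keyout onboard.key -out onboard.csr 2>/dev/null
openssl x509 -req -in onboard.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -days 1825 -extfile ca.ext -out onboard.pem 2>/dev/null

# 3. Client (device) certificate issued by the intermediate, client-auth only.
printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\nextendedKeyUsage=clientAuth\n' > client.ext
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=user1@companyX" \
  -keyout client.key -out client.csr 2>/dev/null
openssl x509 -req -in client.csr -CA onboard.pem -CAkey onboard.key -CAcreateserial \
  -days 365 -extfile client.ext -out client.pem 2>/dev/null

# The client cert only names its issuer; the root CA is never embedded in it.
client_issuer() { openssl x509 -in client.pem -noout -issuer; }

# Anchored on the corporate root, with the intermediate supplied alongside the
# client cert: valid. Every system that trusts the root now accepts this cert,
# which is the "too much trust" caveat from the answer above.
verify_with_root() { openssl verify -CAfile root.pem -untrusted onboard.pem client.pem >/dev/null 2>&1; }

# Same anchor, but the client omits the intermediate: no chain can be built.
verify_without_chain() { openssl verify -CAfile root.pem client.pem >/dev/null 2>&1; }

# A NAC anchored only on the Onboard CA (partial chain) still validates the cert.
verify_intermediate_only() { openssl verify -partial_chain -CAfile onboard.pem client.pem >/dev/null 2>&1; }

echo "issuer: $(client_issuer)"
verify_with_root && echo "valid against corporate root (with intermediate): yes"
verify_without_chain || echo "valid against corporate root (intermediate missing): no"
verify_intermediate_only && echo "valid against Onboard CA alone: yes"
```

The middle check is why a client must present the intermediate with its certificate when the authenticating system trusts only the corporate root.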