Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

SSL Certificates

  • 1.  SSL Certificates

    Posted Jan 17, 2012 11:32 PM

    Hi All,

     

    Have a quick question regarding certificate use in Amigopod.

     

    I am about to apply to an external CA (Entrust) for a signed certificate. Can the same SSL certificate that is used for the web interface be used for the Radius server ID as well?

     

    Scott



  • 2.  RE: SSL Certificates
    Best Answer

    Posted Jan 18, 2012 01:58 AM

    Both the Web Server and RADIUS components of Amigopod can leverage the same server certificate from what I understand. The CSR generated by either component of Amigopod will include an x509 Extended Key Usage as shown in the example below:

     

    Requested Extensions:
    X509v3 Extended Key Usage:
    TLS Web Server Authentication

     

    The TLS Web Server Authentication is common across both the web server and RADIUS server so this should allow the same certificate to be used for both functions.

     

    You will need to be a bit careful in the process you use to create the CSR as this will determine where the private key is stored and the availability for it to be exported and hence imported back into the opposing component of Amigopod.

     

    I would suggest working with the TAC on the procedure to make sure you don't have any problems whilst getting the CSR signed by Entrust.

     




  • 3.  RE: SSL Certificates

    Posted Jan 30, 2012 11:27 PM

    Thanks Cam,

     

    I spoke with the TAC and was able to deploy the same certificate to both functions by generating requests using openssl and thus removing the private key from the control of Amigopod. A little bit more work, but it's certainly worth the hassle.

     

    Below is the process outlined by the TAC for anybody trying the same thing.

     

    >>1) Generate a CSR + Private Key
    >>Amigopod cannot be used for this step because there are no options to export the private key during any CSR creation page.  I used openssl from Mac command line to generate the CSR and key.  Openssl will ask the usual CSR options (Country, State, Common Name, etc) and will ask for a private key passphrase.
    >>
    >># openssl req -out CSR.csr -new -newkey rsa:2048 -nodes -keyout privateKey.key
    >>
    >>2) Get the CSR signed by your choice of CA.  For my testing, I signed it by Amigopod's own certificate authority, MDPS.
    >>
    >>3) Install the certificate for Amigopod Web SSL.  Administrator -> Network Setup -> SSL Certificate.  Upload the signed certificate, any intermediate certificates given by CA (concatenated into one file), the root certificate, and the private key.  Enter the private key passphrase defined in step 1.
    >>
    >>4) Install the certificate for Amigopod EAP termination.  RADIUS -> Authentication -> EAP & 802.1X -> Import Server Certificate.  Upload the signed certificate, private key, and root certificate as done in step 3.  The only difference is that you will need to concatenate the intermediate certificate(s) and root certificate into one .pem file.
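
Pre-upload checks that fit the four-step procedure above, as an added example that is not part of the original posts or the TAC's instructions: confirm the signed certificate matches the externally generated key, carries the TLS Web Server Authentication EKU, and verifies against the concatenated intermediate + root .pem from step 4. The function names, file names and the throwaway demo PKI are assumptions made for illustration.

```shell
# Added example: pre-upload checks for one server certificate shared by
# the web SSL and RADIUS EAP functions. File names and subjects are constructed.

# True when the certificate and the private key hold the same public key.
key_matches_cert() {  # $1=cert $2=key
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null)
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# True when the certificate carries the serverAuth EKU quoted in the thread.
has_server_auth() {  # $1=cert
    openssl x509 -in "$1" -noout -text | grep -q 'TLS Web Server Authentication'
}

# Step 4: intermediate certificate(s) and root concatenated into one .pem.
build_bundle() {  # $1=intermediate $2=root $3=output
    cat "$1" "$2" > "$3"
}

# True when the server certificate chains to the root through the bundle.
chain_verifies() {  # $1=cert $2=bundle
    openssl verify -CAfile "$2" "$1" 2>/dev/null | grep -q ': OK$'
}

# Constructed test PKI in directory $1: throwaway root, intermediate, server
# certificate, plus an unrelated "other" key for the mismatch case.
make_demo_pki() {
    d=$1
    printf '[ca]\nbasicConstraints=critical,CA:TRUE\n[srv]\nextendedKeyUsage=serverAuth\n' > "$d/ext.cnf"
    for n in root inter server other; do
        openssl req -new -newkey rsa:2048 -nodes -subj "/CN=demo-$n" \
            -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null || return 1
    done
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 2 \
        -extfile "$d/ext.cnf" -extensions ca -out "$d/root.pem" 2>/dev/null &&
    openssl x509 -req -in "$d/inter.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -set_serial 1 -days 2 -extfile "$d/ext.cnf" -extensions ca \
        -out "$d/inter.pem" 2>/dev/null &&
    openssl x509 -req -in "$d/server.csr" -CA "$d/inter.pem" -CAkey "$d/inter.key" \
        -set_serial 2 -days 2 -extfile "$d/ext.cnf" -extensions srv \
        -out "$d/server.pem" 2>/dev/null
}
```

With real files from the CA, skip `make_demo_pki` and run the three checks against the signed certificate, `privateKey.key` and the bundle before uploading to either function.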