Security

Hi,

 

I've read Certificates 101 which helps a lot with how to format the CSR... SAN Fields etc.

 

However, we have multiple CPPM servers and i would like to use 1 certificate (signed by an external CA), for both Radius and HTTPS on all servers. 

 

Can you generate the CSR on any of the CPPM servers and assuming the SAN fields are correct it will work? We currently have generated a seperate CSR on each CPPM server, but to help ease administration 1 certificate for all servers seems like a good idea. 

 

I was worried that if i generated the CSR on CPPM-A for example, the signed cert would only work on that CPPM server. Does anyone know which CPPM server to generate the CSR on to use 1 certificate on multiple CPPM servers?

 

thanks

I would recommend to use two separate certs:
- 1x for RADIUS (you only need 1x common name)
- 1x for HTTPS (this cert can be multiple purpose : management access , guest captive portal , etc..and if that is a requirement you will need to add all the ClearPass nodes FQDNs as SAN or you could also use a wildcard cert)

You can generate the CSR from any server or you could also use OpenSSL.
Once you purchase certificate you need the the private key password which should allow you to import it into all of your servers.





Thank you

Victor Fabian

Pardon typos sent from Mobile

Hi Victor,

 

All of our deployment is internal so we will be using our internal PKI for the all certs.

 

I resolved this by creating the CSR from either Server. Getting the cert signed via PKI, then importing the certificate onto that server (Where the CSR was created), and then export the key as a .p12 file - which then allowed me to install it on my other clusters.

 

Regards,

Blake