Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Wildcard cert will not import without a passphrase

  • 1.  Wildcard cert will not import without a passphrase

    Posted Nov 15, 2017 12:03 PM

    Hi,

    I have a *.domain.com certificate for HTTPS that was generated without a passphrase to protect the private key.  ClearPass would not import it.

    Going through openssl to aes256 encrypt the private key with a passphrase worked in the command line, but ClearPass complained, something about the header being invalid.

    Are there any special signing requirements for being able to import the private key?



  • 2.  RE: Wildcard cert will not import without a passphrase

    EMPLOYEE
    Posted Nov 15, 2017 12:14 PM

    Did you try importing a plain text key?


  • 3.  RE: Wildcard cert will not import without a passphrase

    Posted Nov 15, 2017 12:39 PM

    Yes, I've tried: when trying to import the plain-text private key without putting in the passphrase, the ClearPass cert import section said "Private Key Password must be specified".



  • 4.  RE: Wildcard cert will not import without a passphrase

    Posted Nov 15, 2017 12:41 PM

    A tangential question which may help is: what is the internal SSL/Signing component that ClearPass uses?  Is it OpenSSL?  Maybe there are compatibility issues I could hunt down.



  • 5.  RE: Wildcard cert will not import without a passphrase

    EMPLOYEE
    Posted Nov 15, 2017 12:43 PM

    Yes, you need to specify a strong password during import. This will be used to protect the key if exported from the system.


  • 6.  RE: Wildcard cert will not import without a passphrase

    Posted Nov 15, 2017 12:50 PM

    Yes, I agree about the need for a private key being protected.  However, this private key - as supplied - is not.

    Importing the plain-text private key didn't work.  So I tried applying a passphrase.

    ClearPass didn't like the private key after I had it signed with the passphrase.

    So if there isn't a way around not using a passphrase, is there any guidance on the formatting or header requirements of the private key?



  • 7.  RE: Wildcard cert will not import without a passphrase

    EMPLOYEE
    Posted Nov 15, 2017 12:52 PM

    Don't apply a passphrase externally. Upload the clear text key and then enter a passphrase in the box.


  • 8.  RE: Wildcard cert will not import without a passphrase

    Posted Nov 15, 2017 01:34 PM

    When you do that, it says "Private Key could not be loaded (password may not be correct)".

    I think I'll have to try and passphrase encrypt it again from the CLI via OpenSSL.  I just wish I knew what ClearPass was looking for in the private key.



  • 9.  RE: Wildcard cert will not import without a passphrase

    EMPLOYEE
    Posted Nov 15, 2017 06:21 PM

    ClearPass will accept a traditional PKCS#8 key or a PKCS#5 v2.0 encrypted private key (des3).


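The reply above names two accepted forms but the thread never shows what they look like on disk. The script below is an added example, not part of the thread and not HPE Aruba's code: it uses the openssl CLI (assumed installed) to build a plain key, the legacy OpenSSL-encrypted form that `openssl rsa -aes256` writes (an assumption about which command the original poster ran; it carries `Proc-Type: 4,ENCRYPTED` and `DEK-Info` lines inside the PEM body, which is the kind of header a PKCS#8-only importer rejects), and a PKCS#8 key wrapped with PKCS#5 v2.0 and des3 as the reply describes. It then checks each file's PEM banner, confirms the PKCS#8 file really uses PBES2 with des-ede3-cbc, and shows that the key loads only with the right passphrase, which is the check behind a "password may not be correct" error. File names and the passphrase are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread or from HPE Aruba. Requires the openssl CLI.
# Produces three private-key files and inspects their headers:
#   plain.pem  - unencrypted PKCS#8            ("BEGIN PRIVATE KEY")
#   legacy.pem - traditional PKCS#1 + Proc-Type/DEK-Info headers (openssl rsa -aes256)
#   pkcs8.pem  - PKCS#8, PKCS#5 v2.0 PBES2 + des-ede3-cbc ("BEGIN ENCRYPTED PRIVATE KEY")
set -e
command -v openssl >/dev/null 2>&1 || { echo "openssl CLI required" >&2; exit 1; }

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
PASS="correct-horse-battery-staple"   # constructed sample passphrase, example only

# First line of a PEM file, i.e. its "-----BEGIN ...-----" banner.
pem_banner() {
    head -n 1 "$1"
}

# Unencrypted RSA key; genpkey writes unencrypted PKCS#8.
make_plain_key() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1" 2>/dev/null
}

# Legacy OpenSSL PEM encryption. OpenSSL 3 needs -traditional to emit this
# form; OpenSSL 1.x emits it by default and rejects the flag, hence the fallback.
make_legacy_encrypted_key() {
    openssl rsa -aes256 -traditional -in "$1" -out "$2" -passout "pass:$PASS" 2>/dev/null \
    || openssl rsa -aes256 -in "$1" -out "$2" -passout "pass:$PASS" 2>/dev/null
}

# PKCS#8 wrapped with PKCS#5 v2.0 (PBES2 / PBKDF2) and 3DES-CBC, i.e. "des3".
make_pkcs8_v2_des3_key() {
    openssl pkcs8 -topk8 -v2 des3 -in "$1" -out "$2" -passout "pass:$PASS"
}

# True when the file carries the legacy "Proc-Type: 4,ENCRYPTED" header line.
has_legacy_header() {
    grep -q '^Proc-Type: 4,ENCRYPTED' "$1"
}

# True when the ASN.1 structure names PBES2 and des-ede3-cbc (PKCS#5 v2.0 + des3).
is_pbes2_des3() {
    openssl asn1parse -in "$1" | grep -q ':PBES2' &&
    openssl asn1parse -in "$1" | grep -q ':des-ede3-cbc'
}

# True when the key parses with the given passphrase, the check an importer performs.
key_loads_with() {
    openssl pkey -in "$1" -passin "pass:$2" -noout >/dev/null 2>&1
}

# Walk through all three forms and print what an operator would see.
demo() {
    make_plain_key "$WORK/plain.pem"
    make_legacy_encrypted_key "$WORK/plain.pem" "$WORK/legacy.pem"
    make_pkcs8_v2_des3_key "$WORK/plain.pem" "$WORK/pkcs8.pem"
    for f in plain legacy pkcs8; do
        printf '%-7s %s\n' "$f:" "$(pem_banner "$WORK/$f.pem")"
    done
    has_legacy_header "$WORK/legacy.pem" && echo "legacy.pem carries Proc-Type/DEK-Info headers"
    is_pbes2_des3 "$WORK/pkcs8.pem"      && echo "pkcs8.pem is PBES2 + des-ede3-cbc"
    key_loads_with "$WORK/pkcs8.pem" "$PASS" && echo "pkcs8.pem loads with the passphrase"
    key_loads_with "$WORK/pkcs8.pem" "wrong"  || echo "pkcs8.pem is rejected with a wrong passphrase"
}

demo
```

Run it as `sh convert-key.sh`; the `openssl pkcs8 -topk8 -v2 des3` line is the one conversion step, and `pem_banner` plus `is_pbes2_des3` are the quick checks to run on any key before uploading it, since the banner alone does not tell you which encryption scheme is inside.
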
  • 10.  RE: Wildcard cert will not import without a passphrase

    Posted Nov 15, 2017 07:38 PM

    Thanks, that helps. I'll see if I can sort it out.