Security

On clearpass 6.6 when you generate the request you were able to download the private key  as on the button it says download csr and private key.   On 6.7 it just says download CSR

 

How do i get the private key?

this was really useful to me when generating some .pem files

 

Cheers

Carlos

After you install the signed cert, you can export it. There is no need to access the private key until the signed certificate is installed.

So there is no way to do that anymore?

 

And ineed it before because for example if i want a certificate for many controllers and use the same certificate what i did was signing a doing the request

it get signed

 

With that i opened a textpad

Put all the characters of the private key

then of teh signed cert

and then the characters of the ca bundle then i put it as a .pem file and i can use that same cert in many controllers. instead of doing them separately

 

So as you see i dont actually install that cert anywhere before creating the .pem flile

 

 

1) you should never be using the same certificate in ClearPass and network devices

2) you can't do any of that until you have a signed certificate which is why there is no need to present the private key prior to uploading signed certificate

For number 1 i know that, as i once tried and what happened is that when the user was seft registering it just didnt work hehe

 

for number 2 do i need to install the certificate inthe clearpass to download the private key then??

1) then something is misconfigured
2) yes

Hi Tim,

 

We've got a 6.6.10 Policy manager running. generated a signing request.. Didnt get the download private key option. but after signing I can't import only the signed certificate because I need the private key it is saying? you've got any idea?

 

Thnx. 

 

Joël Stouwdam

Same issue here, running 6.7 and I'm trying to import the signed request but it keeps complaining about needing the private key as well. 

It’s asking for the key to import on 6.7. I have issued a csr twice using an easy to remember pass phrase and it is not using a “saved” key but instead asking for the file. 

 

Thanks in advance!

 

Do you see this?

I do and I have tried a number of times before my comment for help, but it keeps throwing the error as if I didn't create the CSR from the server. I have tried both servers multiple times, recopied over the keys....etc. Maybe its just a bit glitchy in 6.7. 

 

-Carl

Have you ever done this successfully on any other version of ClearPass?

I have in previous versions, 6.5, 6.6. It just seems to not want to work on this newer version for me. I’ve seeing other post with people having the same issues but no solution post.

Thanks

I would try to compare the md5 of the certificate and the CSR using openSSL:  https://tecadmin.net/check-certificate-private-key-csr-matcher/

 

 

Thanks, doing that now. I suspecting that may be the case. 

 

-Carl

Don'T know if this fits in here but we do face  also issues with the private key as one of our cluster mebers states Private Key File is not available in the system

(see attached screenshot)

 

on the second cluster member ist works just normal. Both CSRs have been created the same way.

 

Please open a TAC case so that this can be pursued:

http://www.arubanetworks.com/support-services/support-program/contact-support

Thanks! I have a call with them today at 11am. 

 

Carl

Did you generate both the CSRs in the same server?

ClearPass server only keeps a single private key associated to the latest CSR.  For e.g. Creating a second CSR will override the private key of the first CSR in the system.

Thanks for the tip, I actually only generated one as I had planned on using the same cert on both servers for now. I understand that will cause a mismatch due to common name but that is all the client wanted for now. 

 

Thanks for the tip though! I wasn't aware it would only save one.

Just ran into an issue with the customer where we created the CSR like 2 weeks ago and are now just trying to install the certificate using the private key stored in the system.  Clearpass says that 'Private Key File is not available in the system' when we try import.  Because we are using CPPM 6.7.x, there was no downloadable Private Key file.  How do we proceed here?  Customer remembers the Private Key they used when we generated the CSR but that is obviously not helpful.

 

Thanks in advance.

Generatet a new CSR and get the certificate rekeyed.

I created a CSR on my Publisher Clearpass to use on both the Publisher and Subscriber (Standby Publisher).  However, I uploaded the certificate and use saved private key first to the Standby Publisher.  Everything went well.  However, when I tried to upload the certificate and use saved private key to the Publisher I get the error, "Private Key File not available in the system." 

How would I get the cert uploaded to the Publisher? 

After you upload the signed cert, the key is no longer available to the import process. Export the certificate from the nods and reimport to the publisher.

I can't seem to export the cert in 6.7

 

 

 

Bottom right.

Thanks Cappalli! (I feel like a knucklehead) There it is!

Worked like a charm!

hello,

we have a Godaddy certificate on out 6.7 Clearpass.

the certificate is up for renewal.

Can i just import renewed certificate OR do i have to generate a NEW CSR?

CHEERS

PETE

 

 

 

Hey Pete, 

I know this is an old thread but I just had to renew our "godaddy" clearpass certificate.

 

This is what I did:

 

1. Export installed (to expire) certs, this will give you a .p12 file.

2. Extract private key from .p12 file (you could do this with openssl> openssl pkcs12 -in PKCS12file -out keys_out.txt)

3. Create fullchain certfile (use the format explained in this post: https://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/Unable-to-import-Server-Certificate-on-CPPM/ta-p/186996)

4. Import new certificate using the "Upload certificate and private key files". Here you should specify the private key file extracted on step 2.

5. Done!

 

This worked for me for both radius and https certificates.