For the HTTPS certificate, it is recommended to have that issued by a public trusted CA, and it is required in case you use guest/captive portal.
The database certificate should be self-signed (recommended) or issued by a private CA, because, as you mention, public CAs don't issue certificates for RFC1918 IP addresses, and having the additional maintenance of changing the database certificate every year would result in more risk (expiration, operational burden) than it would solve, because these certificates are only used (and trusted) within the ClearPass cluster. You could even consider using self-signed certificates as the equivalent of a PSK in this use case.
According to this document, you can see the database certificate is validated, just through the cluster membership and not through a PKI.
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check
https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------
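The thread above turns on two practical points: the database certificate must carry each node's IP address in its SAN, and a self-signed certificate with a long validity avoids the yearly renewal problem. As an added example that is not part of the original thread (and not ClearPass's own tooling), this script generates such a self-signed certificate with OpenSSL and then checks both properties; the node name `cppm1.example.internal` and the address `10.10.10.11` are constructed values.

```shell
#!/bin/sh
# Added example (not from the thread): build a self-signed database-style
# certificate whose SAN lists the node's DNS name and its RFC1918 IP address,
# then verify the SAN entry and the remaining validity with openssl.
# Assumed/constructed values: cppm1.example.internal and 10.10.10.11.
set -eu

WORKDIR="${TMPDIR:-/tmp}/cppm-dbcert.$$"
mkdir -p "$WORKDIR"
trap 'rm -rf "$WORKDIR"' EXIT

# make_db_cert <dns-name> <ip> <days>: writes key and cert, prints the cert path.
# -addext needs OpenSSL 1.1.1 or newer.
make_db_cert() {
  dns="$1"; ip="$2"; days="$3"
  openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes \
    -keyout "$WORKDIR/db.key" -out "$WORKDIR/db.crt" -days "$days" \
    -subj "/CN=$dns" \
    -addext "subjectAltName=DNS:$dns,IP:$ip" >/dev/null 2>&1
  echo "$WORKDIR/db.crt"
}

# san_has_ip <cert> <ip>: prints yes if the SAN contains exactly this IP.
# A trailing comma is appended so 10.10.10.1 does not match 10.10.10.11.
san_has_ip() {
  san=$(openssl x509 -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n1)
  case "$san," in
    *"IP Address:$2,"*) echo yes ;;
    *) echo no ;;
  esac
}

# valid_for_days <cert> <days>: prints yes if the cert is still valid in <days> days.
valid_for_days() {
  if openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null; then
    echo yes
  else
    echo no
  fi
}

CERT=$(make_db_cert cppm1.example.internal 10.10.10.11 1825)
echo "SAN has node IP 10.10.10.11: $(san_has_ip "$CERT" 10.10.10.11)"
echo "Still valid in 365 days:     $(valid_for_days "$CERT" 365)"
```

Running `san_has_ip` against the certificate actually installed on each node is a quick way to confirm the SAN requirement before joining a subscriber, and `valid_for_days` can feed an expiry alert.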
Original Message:
Sent: Aug 31, 2022 03:34 PM
From: Kelly Levine
Subject: Clearpass database certificate
We use DNS, not IP, because the cert is used for the captive portal also. I think a pre-shared key would have been a lot easier way to encrypt the communication between nodes.
------------------------------
Kelly L
Original Message:
Sent: Aug 31, 2022 03:18 PM
From: Unknown User
Subject: Clearpass database certificate
Only if you manage ClearPass from the IP. If you always use the DNS name, then no.
Original Message:
Sent: 8/31/2022 2:56:00 PM
From: kell490
Subject: RE: Clearpass database certificate
Does the HTTPS cert require the DNS:X.X.X.X IP address of each node also, or only the database? We can use our internal PKI for the database.
------------------------------
Kelly L
Original Message:
Sent: Aug 31, 2022 02:40 PM
From: Unknown User
Subject: Clearpass database certificate
Yes, that is a requirement: the IP address must be in the SAN field, or else validation will fail. Your options here are: use a self-signed certificate, find a public CA that will let you use RFC 1918 space, or use a certificate from an internal PKI you control. Since you are using a public certificate, yes, you need to also be sure to update the certificate once per year.
Original Message:
Sent: 8/31/2022 2:34:00 PM
From: kell490
Subject: RE: Clearpass database certificate
It's a requirement; we are not allowed to use a self-signed certificate. I read the document you linked below in the last reply; it goes through the HTTPS certificate, although it doesn't discuss the database cert. I read in another document that the database cert requires the SAN to include the DNS: X.X.X.X IP address of each node; is that still required in version 6.9.12? Public CAs don't allow IP addresses in the SAN; usually we only have DNS names in there.
------------------------------
Kelly L
Original Message:
Sent: Aug 31, 2022 08:16 AM
From: Unknown User
Subject: Clearpass database certificate
Why did you replace the database certificate at all? ClearPass comes with a self-signed certificate that is valid for, IIRC, five years. Is this a compliance requirement for you to replace it? If not, I would just re-generate a self-signed database certificate and make the validity period the maximum allowed by your organization's security policies.
Original Message:
Sent: Aug 30, 2022 05:38 PM
From: Kelly Levine
Subject: Clearpass database certificate
I'm getting some errors; it's not able to verify the certificate trust when trying to add a subscriber. I have a case open with TAC. Looking at the documentation, I found the way around this is to use the CLI, which ignores the trust errors, but my question is: our certs have to be refreshed yearly; is this going to be an issue in the future when refreshing? Do we have to re-join the subscribers each time we refresh the cert for the database?
------------------------------
Kelly L
------------------------------