Security

All wrapped up in the move from 6.10 to 6.11 I've been warned about changing the IP of the new servers (VM) because of the SAN on the db cert. 

When I use the GUI to change the IP of Clearpass (only has the mgmt interface), and then export the db cert to check its details, I can see the SAN reflects the new address (previously it showed the old address). Is it that straightforward? No CLI command to issue? There are no other certs on CP for me to worry about, nothing CA signed, just the db that leaves me uncertain.

I'm doing this because I want to keep the old IPs on the newly built/updated/licensed VMs.

Thanks

Nathan.

Hi Nathan,

Yes, and I think it's something new with the 6.11 version. The DB certificate is now automatically updated when you change your IP address, considering you're keeping the self-signed certificate.

I've upgraded a 6.10 cluster this week with the same prerequisite as you (keeping the old IPs) and it was this simple. 

By the way, you don't have to export de certificate to check its details, you have a button under de certificate summary for this purpose.

All wrapped up in the move from 6.10 to 6.11 I've been warned about changing the IP of the new servers (VM) because of the SAN on the db cert. 

When I use the GUI to change the IP of Clearpass (only has the mgmt interface), and then export the db cert to check its details, I can see the SAN reflects the new address (previously it showed the old address). Is it that straightforward? No CLI command to issue? There are no other certs on CP for me to worry about, nothing CA signed, just the db that leaves me uncertain.

I'm doing this because I want to keep the old IPs on the newly built/updated/licensed VMs.

Thanks

Nathan.

For reference : https://www.arubanetworks.com/techdocs/ClearPass/CP_ReleaseNotes_6.x.x/Content/ReleaseNotes/Behaviors/Behaviors-6.11.0.htm

Hi Nathan,

Yes, and I think it's something new with the 6.11 version. The DB certificate is now automatically updated when you change your IP address, considering you're keeping the self-signed certificate.

I've upgraded a 6.10 cluster this week with the same prerequisite as you (keeping the old IPs) and it was this simple. 

By the way, you don't have to export de certificate to check its details, you have a button under de certificate summary for this purpose.

All wrapped up in the move from 6.10 to 6.11 I've been warned about changing the IP of the new servers (VM) because of the SAN on the db cert. 

When I use the GUI to change the IP of Clearpass (only has the mgmt interface), and then export the db cert to check its details, I can see the SAN reflects the new address (previously it showed the old address). Is it that straightforward? No CLI command to issue? There are no other certs on CP for me to worry about, nothing CA signed, just the db that leaves me uncertain.

I'm doing this because I want to keep the old IPs on the newly built/updated/licensed VMs.

Thanks

Nathan.