How To Replace the ClearPass Default Self-Signed SSL Certificate

Tutorial on how to replace the ClearPass default self-signed SSL certificate

Replace HTTPS Server Certificate

Generate a Let’s Encrypt SSL Certificate by following this link

  1. Download the certificate chain cross-signed by IdenTrust’s “DST Root CA X3” (now called “TrustID X3 Root”) – trustidrootx3_chain.p7b

  2. Import fullchain.cer & trustidrootx3_chain.p7b to Administration > Certificate > Certificate Store > Trust List by clicking Add

Ensure that Usage = Aruba Infrastructure & Others is selected and click Add Certificate

Replace the ClearPass Default Self-Signed SSL Certificate

  1. Verify the following imported SSL certificates are Enabled
  • Subject = CN=DST Root CA X3,O=Digital Signature Trust Co.
  • Subject = CN=R3,O=Let’s Encrypt,C=US

  2. Verify the existing self-signed SSL certificate used as the HTTPS Server Certificate in Administration > Certificate > Certificate Store. Click Import Certificate to import the Let’s Encrypt SSL certificate

  3. Import Cert.pfx with its passphrase

  4. Verify the Let’s Encrypt SSL certificate is imported successfully to ClearPass

  5. Verify the Let’s Encrypt SSL certificate is in use the next time you log in to the ClearPass portal
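The last verification step can also be done from a workstation instead of the browser. The script below is an added example, not part of the original tutorial: it checks that a certificate is no longer self-signed, that it chains to a given CA bundle, and how close it is to expiry. It assumes OpenSSL is installed; the helper names are hypothetical and the certificates it generates are constructed test data.

```shell
#!/bin/sh
# Added example (not from the original tutorial). Helper names are hypothetical.

# Print the PEM certificate a TLS server presents (needs network access).
fetch_cert() {  # usage: fetch_cert HOST PORT
  openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null |
    openssl x509
}

# Exit 0 if subject == issuer, i.e. the default self-signed cert is still served.
is_self_signed() {  # usage: is_self_signed CERT.pem
  [ "$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//')" = \
    "$(openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 | sed 's/^issuer= *//')" ]
}

# Exit 0 if CERT chains to the CA certificate(s) in BUNDLE.pem.
chain_ok() {  # usage: chain_ok BUNDLE.pem CERT.pem
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Exit 0 if CERT is still valid DAYS days from now (renewal reminder).
valid_for_days() {  # usage: valid_for_days CERT.pem DAYS
  openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# Constructed test data: a throwaway CA and a leaf it signs, both valid 2 days.
make_constructed_certs() {  # usage: make_constructed_certs DIR
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Constructed Test CA" \
    -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null &&
  openssl req -newkey rsa:2048 -nodes -subj "/CN=clearpass.example.test" \
    -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null &&
  openssl x509 -req -in "$1/leaf.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
    -CAcreateserial -days 2 -out "$1/leaf.pem" 2>/dev/null
}

# Report on one certificate file against a trust bundle.
report() {  # usage: report BUNDLE.pem CERT.pem
  if is_self_signed "$2"; then echo "FAIL: self-signed certificate"; return 1; fi
  chain_ok "$1" "$2" || { echo "FAIL: does not chain to bundle"; return 1; }
  valid_for_days "$2" 30 || echo "WARN: expires within 30 days"
  echo "OK: issued by $(openssl x509 -in "$2" -noout -issuer -nameopt RFC2253)"
}

# Offline demo on the constructed certificates.
demo_dir=$(mktemp -d)
make_constructed_certs "$demo_dir"
report "$demo_dir/ca.pem" "$demo_dir/ca.pem" || true
report "$demo_dir/ca.pem" "$demo_dir/leaf.pem"
rm -rf "$demo_dir"
```

Against a live server, save the presented certificate with `fetch_cert clearpass.example.test 443 > served.pem` (placeholder hostname) and pass it to `report` together with a PEM bundle of the chain you imported into the Trust List.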

Import AD Root Certificate

Export the CA Root Certificate from the AD Domain Controller to C:\Temp\AventisLab-ROOT.cer

C:\Temp>certutil -ca.cert AventisLab-ROOT.cer

Import the AventisLab-ROOT.cer for EAP & AD/LDAP Servers usage in Administration > Certificate > Trust List

Verify the AD Root Certificate is imported successfully

Change the Authentication Source to use AD over SSL – Port 636
