Certificate Store

Server Certificates are small data files that digitally bind a cryptographic key to the details of an entity in order to ensure its authenticity, as well as the security and integrity of any connections with the entity's server. Policy Manager supports multiple EAP Extensible Authentication Protocol. An authentication protocol for wireless networks that extends the methods used by the PPP, a protocol often used when connecting a computer to the Internet. EAP can support multiple authentication mechanisms, such as token cards, smart cards, certificates, one-time passwords, and public key encryption authentication.  server certificates. You can tie different server certificates to different Policy Manager RADIUS Remote Authentication Dial-In User Service. An Industry-standard network access protocol for remote authentication. It allows authentication, authorization, and accounting of remote users who want to access network resources. -based services (for example, Service A can use EAP server certificate A, while Service B can use EAP server certificate B). The Certificate Store allows you to view the Server Certificates, create, modify, delete, and view Certificate Signing Requests (CSRs), as well as import and export CSRs. A root certificate is a public key The part of a public-private key pair that is made public. The public key encrypts a message and the message is decrypted with the private key of the recipient. certificate that identifies a root certificate authority (CA Certificate Authority or Certification Authority. Entity in a public key infrastructure system that issues certificates to clients. A certificate signing request received by the CA is converted into a certificate when the CA adds a signature generated with a private key. See digital certificate.). A root certificate is the top-most certificate of the certificate tree structure.

The Server Certificates page displays the parameters configured when a self-signed certificate has been created and installed on a Policy Manager server. The RADIUS/EAP Server Certificate is selected by default.

The ClearPass Certificate Store provides five types of server certificates.

RADIUS/EAP Server Certificates

HTTPS Hypertext Transfer Protocol Secure. HTTPS is a variant of the HTTP that adds a layer of security on the data in transit through a secure socket layer or transport layer security protocol connection. (ECC Elliptical Curve Cryptography or Error correcting Code memory. Elliptical Curve Cryptography is a public-key encryption technique that is based on elliptic curve theory used for creating faster, smaller, and more efficient cryptographic keys. Error Correcting Code memory is a type of computer data storage that can detect and correct the most common kinds of internal data corruption. ECC memory is used in most computers where data corruption cannot be tolerated under any circumstances, such as for scientific or financial computing.) Server Certificates (HTTPS using Elliptic Curve Cryptography)

HTTP Hypertext Transfer Protocol. The HTTP is an application protocol to transfer data over the web. The HTTP protocol defines how messages are formatted and transmitted, and the actions that the w servers and browsers should take in response to various commands.(RSA Rivest, Shamir, Adleman. RSA is a cryptosystem for public-key encryption, and is widely used for securing sensitive data, particularly when being sent over an insecure network such as the Internet.) Server Certificates (HTTPS using RSA Cryptography)

RadSec Server Certificates

Database Server Certificates

The availability of these certificate types (internally signed and publicly signed) provides deployment flexibility.

 

Server Certificate expiration notices begin appearing in the Policy Manager user interface 30 days prior to the expiration date.

HTTPS(ECC) and HTTPS(RSA) certificates can be enabled or disabled by clicking the Enable or Disable buttons in the lower right corner of the Certificates Store window. A disabled certificate cannot be used, and you cannot disable both HTTPS(ECC) and HTTPS(RSA) simultaneously. If both HTTPS(ECC) and HTTPS(RSA) Certificates are enabled, any client that supports ECC ciphers will get HTTPS(ECC) certificates when contacting ClearPass. If you enable ECC certificates, the client trust lists should be updated accordingly.

Figure 1  Disabling an enabled Certificate

Viewing the Server Certificates

To view the Server Certificates available for the current Policy Manager server:

1. Navigate to Administration > Certificates > Certificate Store.

The Certificate Store page opens to the Server Certificate tab:

Figure 2  Certificate Store > Server Certificates Page

RADIUS/EAP Server Certificate

The following table provides a summary of the RADIUS/EAP Server Certificate parameters:

Table 1: Summary of RADIUS/EAP Server Certificate Parameters

Parameter

Action/Description

Select Server

Select a Policy Manager server in the cluster for server certificate operations.

NOTE: From the publisher, you can select the publisher or any of the subscriber nodes.

Select Usage

Select RADIUS/EAP Server Certificate.

Subject

Displays the Organization and Common Name.

Issued by

Displays the Organization and Common Name that issued this certificate.

Issue Date

Displays the date the self-signed certificate is installed.

Expiry Date

Displays the date (in days) when the self-signed certificate expires.

Public Key Algorithm Public key algorithm type used by this certificate
Certificate enabled Indicates if the certificate is or is not enabled.

Validity Status

Displays the validity status of the self-signed certificate: Valid or Invalid.

Viewing Server Certificate Details

Click the View Details button to view details about the certificate, such as signature algorithm, subject public key Info, etc.

To view the Server Certificate details:

1. Navigate to Administration > Certificates > Certificates > Certificate Store.

The Server Certificate summary information is displayed.

2. Click View Details.

The Certificate Details window opens.

Figure 3  Server Certificate Details

3. When finished viewing the information, click Close.

HTTPS(ECC) Server Certificate

The HTTPS(ECC) Server Certificate page displays the parameters configured after a self-signed certificate with an HTTPS(ECC) Server Certificate using has been created and installed.

1. Navigate to the Administration > Certificates > Certificate Store > Server Certificates tab.

2. From the Select Usage drop-down, choose HTTPS(ECC) Server Certificate.

The HTTPS(ECC) Server Certificate page opens.

Figure 4  HTTPS(ECC) Server Certificate Page

The following table describes the HTTPS(ECC) Server Certificate parameters:

Table 2: HTTPS(ECC) Server Certificate Parameters

Parameter

Action/Description

Subject

Displays the Organization and Common Name.

Issued by

Displays the Organization and Common Name that issued the server certificate.

Issue Date

Displays the date the self-signed certificate is installed.

Expiry Date

Displays the date when the self-signed certificate expires.

Validity Status

Displays the validity status of the self-signed certificate.

Public Key Algorithm Algorithm type used by the certificate.
Certificate Enabled Indicates whether or not the certificate is enabled in the certificate store.

Details

To view details about the certificate, such as Signature Algorithm and Subject Public Key Info, click the View Details button.

HTTPS(RSA) Server Certificate

The HTTPS(RSA) Server Certificate page displays the parameters configured after a self-signed certificate with an HTTPS(RSA) Server Certificate using has been created and installed.

1. Navigate to the Administration > Certificates > Certificate Store > Server Certificates tab.

2. From the Select Usage drop-down, choose HTTPS(RSA) Server Certificate.

The HTTPS(RSA) Server Certificate page opens.

Figure 5  HTTPS(RSA) Server Certificate Page

The following table describes the HTTPS(RSA) Server Certificate parameters:

Table 3: HTTPS(RSA) Server Certificate Parameters

Parameter

Action/Description

Subject

Displays the Organization and Common Name.

Issued by

Displays the Organization and Common Name that issued the server certificate.

Issue Date

Displays the date the self-signed certificate is installed.

Expiry Date

Displays the date when the self-signed certificate expires.

Validity Status

Displays the validity status of the self-signed certificate.

Public Key Algorithm Algorithm type used by the certificate.
Certificate Enabled Indicates whether or not the HTTPS(RSA) cerificate is enabled in the certificate store.

Details

To view details about the certificate, such as Signature Algorithm and Subject Public Key Info, click the View Details button.

RadSec Server Certificate

RADIUS-over-TLS Transport Layer Security. TLS is a cryptographic protocol that provides communication security over the Internet. TLS encrypts the segments of network connections above the Transport Layer by using asymmetric cryptography for key exchange, symmetric encryption for privacy, and message authentication codes for message integrity. (Transport Layer Security), or RadSec, employs a TLS tunnel to enable secure communication between the controller and a Policy Manager server. Employing RADIUS communication over TLS increases the level of security for authentication. When configured, the RadSec protocol is used to safely transmit authentication and accounting data across the network.

To access the RadSec Server Certificate:

1. Navigate to the Administration > Certificates > Certificate Store > Server Certificates tab.

2. From the Select Usage drop-down, choose RadSec Server Certificate.

The RadSec Server Certificate page opens.

Figure 6  RadSec Server Certificate Page

The following table describes the RadSec Server Certificate parameters:

Table 4: Summary of RadSec Server Certificate Parameters

Parameter

Action/Description

Select Server

Select a Policy Manager server in the cluster for server certificate operations.

Select Usage

Select RadSec Server Certificate.

Subject

Displays the Organization and Common Name.

Issued by

Displays the Organization and Common Name that issued this certificate.

Issue Date

Displays the date the self-signed certificate is installed.

Expiry Date

Displays the date (in days) when the self-signed certificate expires.

Public Key Algorithm Algorithm type used by the certificate.
Certificate Enabled Indicates whether or not the RadSec server cerificate is enabled in the certificate store.

Validity Status

Displays the validity status of the self-signed certificate: Valid or Invalid.

Database Server Certificate

To access the Database Server Certificate:

1. Navigate to the Administration > Certificates Certificate Store > Server Certificates tab.

2. From the Select Usage drop-down, choose Database Server Certificate. The Database Server Certificate page opens.

Figure 7  Database Server Certificate Page

The following table describes the Database Server Certificate parameters:

Table 5: Summary of Database Server Certificate Parameters

Parameter

Action/Description

Select Server

Select a Policy Manager server in the cluster for server certificate operations.

Select Usage

Select Database Server Certificate.

Subject

Displays the Organization and Common Name.

Issued by

Displays the Organization and Common Name that issued this certificate.

Issue Date

Displays the date the self-signed certificate is installed.

Expiry Date

Displays the date (in days) when the self-signed certificate expires.

Public Key Algorithm Algorithm type used by the certificate.
Certificate Enabled Indicates whether or not the database server cerificate is enabled in the certificate store.

Validity Status

Displays the validity status of the self-signed certificate: Valid or Invalid.

 

Network administrators must restart the Policy Manager server after changing the Database certificate to insure that all client database connections are reestablished when the database comes back up.