Creating and Installing a Self-Signed Server Certificate

After you select a server and a certificate type, you can create and install a self-signed server certificate.

 

When Common Criteria mode is enabled, the Create Self-Signed Certificate option for both HTTPS and RADIUS certificates is not available from the Certificate Store page (for more information, see Common Criteria Mode Parameter).

To create and install a self-signed server certificate:

1. Navigate to Administration > Certificates > Certificate Store.
2. From the Server Certificates tab > Select Server drop-down, select a ClearPass server.
3. Click the Create Self-Signed Certificate link.

The Create Self-Signed Certificate dialog opens.

4. From the Certificate Type drop-down menu, select Server Certificate.

Figure 1  Selecting the Server Certificate Type

The Create Self-Signed Certificate configuration dialog for a Server Certificate opens.

Figure 2  Creating a Self-Signed Server Certificate

5. Specify the Create Self-Signed Certificate parameters as described in Table 1.
Table 1: Specifying Self-Signed Server Certificate Parameters

| Parameter | Action/Description |
|---|---|
| Certificate Type | Select Server Certificate. |
| Server | Displays the name of the selected ClearPass server on the Certificate Store page. |
| Usage | Displays the selected server certificate usage for the server. The options are: RADIUS/EAP Server Certificate; HTTPS Server Certificate; RadSec Server Certificate; Database Server Certificate. |
| Common Name (CN) | Enter the name associated with this entity. This can be a host name, IP address, or other meaningful name. This field is mandatory. NOTE: When configuring a Database Server Certificate, either the Common Name or the Subject Alternate Name (SAN) DNS name must be set to the IP address (also, both fields can be set to the IP address if desired). |
| Organization (O) | Enter the name of the organization. This field is optional. |
| Organizational Unit (OU) | Enter the name of the department, division, section, or other meaningful organizational unit. This field is optional. |
| Location (L), State (ST), Country (C) | Enter the name of the location, state, country, and/or other meaningful location information. These fields are optional. |
| Subject Alternate Name (SAN) | Enter the alternative name for the specified Common Name. This field is optional. Enter the Subject Alternate Name in one of the following formats: email: email_address; URI: URI; IP: IP_address; dns: DNS_name or IP_address; rid: ID. NOTE: When configuring a Database Server Certificate, either the Common Name or the Subject Alternate Name (SAN) DNS name must be set to the IP address (also, both fields can be set to the IP address if desired). |
| Private Key Password | Enter the Private Key password, then verify the password. |
| Private Key Type | Select the type and length of the generated private key from the following options: 1024-bit RSA; 2048-bit RSA; 4096-bit RSA; X9.62/SECG curve over a 256 bit prime field; NIST/SECG curve over a 384 bit prime field. The default private key type is 2048-bit RSA. |
| Digest Algorithm | Select the message digest algorithm from the following options: MD5; SHA-1; SHA-224; SHA-256; SHA-384; SHA-512 (this is the default). NOTE: The MD5 algorithm is not available in FIPS mode. |
| Valid for | Enter the certificate duration in number of days. The default is 180 days. |

6. Click Submit.

The completed Create Self-Signed Certificate page opens and is ready to be installed (as shown in Figure 3 below).

This page displays a summary of the values specified in the Create Self-Signed Certificate page and provides the Install button to install the self-signed certificate.

Figure 3  Create Self-Signed Certificate Ready to Be Installed

7. Click Install.

 

After you install a Database Server Certificate, wait a few minutes and then reboot the server for the changes to take effect.

After you click Install, you return to the Certificate Store page and Policy Manager generates a message about the status of the certificate installation.

If the installation is successful, the page displays the following message:

Server Certificate updated successfully.

Figure 4  Server Certificate Successfully Updated

8. Because all services are restarted after a successful certificate installation, you must log out (by clicking the Menu > Logout link), then log in to the ClearPass client to continue.
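
The values entered in step 5 can be reviewed before they are submitted. The following Python check is an added example, not ClearPass code: `review_request` and its dictionary keys are hypothetical names, and treating 1024-bit RSA, MD5 and SHA-1 as weak is this example's policy assumption. The SAN formats, the FIPS restriction on MD5 and the Database Server Certificate rule come from Table 1.

```python
import ipaddress

# Weak choices among the options in Table 1 (this example's policy assumption).
WEAK_KEYS = {"1024-bit RSA"}
WEAK_DIGESTS = {"MD5", "SHA-1"}
SAN_PREFIXES = {"email", "uri", "ip", "dns", "rid"}  # SAN formats from Table 1

def is_ip(value):
    """True when value parses as an IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(value.strip())
        return True
    except ValueError:
        return False

def review_request(p, fips_mode=False):
    """Return findings for one set of Create Self-Signed Certificate values."""
    findings = []
    if not p.get("cn", "").strip():
        findings.append("Common Name is mandatory")
    if p.get("key_type") in WEAK_KEYS:
        findings.append("weak private key type: " + p["key_type"])
    digest = p.get("digest")
    if digest == "MD5" and fips_mode:
        findings.append("MD5 is not available in FIPS mode")
    elif digest in WEAK_DIGESTS:
        findings.append("weak digest algorithm: " + digest)
    san_dns_ip = False
    for entry in p.get("san", []):
        # Split on the first colon only, so URIs and IPv6 values stay intact.
        prefix, sep, value = entry.partition(":")
        kind, value = prefix.strip().lower(), value.strip()
        if not sep or kind not in SAN_PREFIXES or not value:
            findings.append("unrecognised SAN entry: " + entry)
        elif kind == "ip" and not is_ip(value):
            findings.append("SAN IP entry is not an IP address: " + entry)
        elif kind == "dns" and is_ip(value):
            san_dns_ip = True
    # Table 1 NOTE: a Database Server Certificate needs the IP in CN or SAN dns.
    if p.get("usage") == "Database Server Certificate":
        if not (is_ip(p.get("cn", "")) or san_dns_ip):
            findings.append("Database Server Certificate: CN or SAN dns must be the IP address")
    return findings

# Constructed sample values, not taken from a real deployment.
SAMPLE = {"usage": "Database Server Certificate", "cn": "cppm.example.test",
          "key_type": "1024-bit RSA", "digest": "SHA-1",
          "san": ["dns: cppm.example.test", "IP: 192.0.2.300"]}

if __name__ == "__main__":
    print("\n".join(review_request(SAMPLE)))
```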