In the Private Key section:
Mark the Generate a new private key check box to create a new private key for the root certificate.
This is only necessary if you are recreating the entire certificate authority from the beginning.
Note: If you have previously created any client or server certificates or performed device provisioning
using the existing root certificate, these certificates will be invalidated when changing the root
certificate's private key.
The Key Type drop-down list specifies the type of private key that should be created for the certificate.
You can select one of these options:
1024-bit RSA – not recommended for a root certificate
2048-bit RSA – recommended for general use
4096-bit RSA – higher security
In the Self-Signed Certificate section:
Use the CA Expiration field to specify the lifetime of the root certificate in days. The default value of
3653 days is a 10-year lifetime.
The Clock Skew Allowance field adds a small amount of time to the start and end of the root
certificate's validity period. This permits a newly issued certificate to be recognized as valid in a network
where not all devices are perfectly synchronized.
The Digest Algorithm drop-down list allows you to specify which hash algorithm should be used.
Note: MD5 is not recommended for use with root certificates.
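As an added illustration of the settings described above (not taken from the deployment guide or the product), the following Python example reviews a proposed key type and digest against the guide's recommendations and shows how the clock skew allowance widens the validity period so that devices with slow clocks still accept a newly generated root certificate. The function names, device names, timestamps and the 15-minute allowance are assumptions made for this example.

```python
from datetime import datetime, timedelta, timezone

# Key types offered by the form; the notes repeat the guide's own wording.
KEY_NOTES = {1024: "not recommended for a root certificate",
             2048: "recommended for general use",
             4096: "higher security"}

def review_settings(key_bits, digest):
    """Return findings for a proposed root certificate configuration."""
    findings = []
    if key_bits not in KEY_NOTES:
        findings.append(f"{key_bits}-bit RSA is not one of the offered key types")
    elif key_bits == 1024:
        findings.append("1024-bit RSA is " + KEY_NOTES[1024])
    if digest.replace("-", "").upper() == "MD5":
        findings.append("MD5 is not recommended for use with root certificates")
    return findings

def validity_window(issued_at, lifetime_days=3653, skew=timedelta(0)):
    """Validity period with the skew allowance added at the start and the end."""
    return issued_at - skew, issued_at + timedelta(days=lifetime_days) + skew

def accepted_by(device_clock, window):
    """True if the device's idea of 'now' falls inside the validity period."""
    not_before, not_after = window
    return not_before <= device_clock <= not_after

def devices_rejecting(window, device_clocks):
    """Names of devices whose clock places the certificate outside its validity."""
    return sorted(n for n, c in device_clocks.items() if not accepted_by(c, window))

if __name__ == "__main__":
    issued = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)  # constructed issue time
    clocks = {  # constructed device clocks at the moment the certificate is issued
        "ap-synced": issued + timedelta(seconds=2),
        "laptop-slow": issued - timedelta(minutes=4),
        "tablet-very-slow": issued - timedelta(minutes=20),
    }
    for minutes in (0, 15):  # 15 minutes is an assumed allowance, not a product default
        window = validity_window(issued, skew=timedelta(minutes=minutes))
        print(minutes, window[0].isoformat(), window[1].isoformat(),
              devices_rejecting(window, clocks))
    print(review_settings(1024, "MD5"))
```

A device whose clock lags by more than the allowance still rejects the certificate, so the allowance complements time synchronization rather than replacing it.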
Mark the Generate CA certificate and invalidate all other certificates check box to confirm the
changes.
Click the Create Root Certificate button to save the settings and generate a new root certificate.
Setting Up an Intermediate Certificate Authority
The Intermediate Certificate Settings form is used to configure the distinguished name and properties for
the certificate authority's certificate, which will be issued by an external certificate authority.
Note: If you intend to change any of the intermediate certificate's distinguished name properties, and you
have previously created any client or server certificates or performed device provisioning using the existing
intermediate certificate, these certificates will be invalidated as the intermediate certificate's distinguished
name has changed.
In this case, you should use the Reset to Factory Defaults form (see "Resetting Onboard Certificates and
Configuration") to delete all client certificates and re-provision all devices. You will also need to reissue any
server or subordinate CA certificates.
To avoid the complication of revoking and reissuing certificates, it is recommended that you configure the
certificate authority before any device provisioning or other configuration is done.
ClearPass Guest 3.9 | Deployment Guide