This guide shows you how to generate a CSR (Certificate Signing Request) on Aruba ClearPass Policy Manager (CPPM). ClearPass is HPE Aruba Networking’s AAA / network access control appliance, so the CSR is created entirely in the web admin console, without shell access. The steps below apply to CPPM 6.x, including the current 6.12 line, and the workflow has been stable across recent releases.
One thing to understand before you start: ClearPass binds each CSR to a specific node (the appliance you generate it on) and to a specific Usage (RADIUS/EAP, HTTPS, RadSec, Database, or a Service certificate). The private key stays on that node, and when the signed certificate comes back from the CA you must import it against the same node and the same Usage. If you run a ClearPass cluster, repeat the process per node.
Generate the CSR on Aruba ClearPass
If you already have a CSR generated elsewhere (for example with our CSR Generator), you can skip ahead to the Aruba ClearPass SSL installation instructions. Note, however, that a CSR created off-appliance produces its private key off-appliance too, so you will install the signed certificate as a PKCS#12 bundle rather than completing a pending request on the node.
Step 1: Sign in to ClearPass Policy Manager
Open the ClearPass admin URL (for example https://clearpass.example.com/tips/) and sign in with an administrator account that has rights to manage certificates.
Step 2: Open the Certificate Store
From the left menu, go to Administration > Certificates > Certificate Store, and make sure the Server Certificates tab is selected. On older CPPM builds the path is Administration > Certificate > Server Certificate; the screens are otherwise the same.
At the top of the page, set the two selectors that scope the CSR:
- Select Server: choose the ClearPass node you are generating the CSR on. The private key will live on this node only.
- Select Usage (also labeled Type on some builds): pick the certificate role this CSR is for. The common choices are RADIUS/EAP Server Certificate (the default, used for 802.1X authentication), HTTPS Server Certificate (the admin and captive-portal web UI), RadSec Server Certificate (RADIUS over TLS), and Database Server Certificate. Each role can carry its own certificate, so generate one CSR per role you need to replace.
Then, on the right side, click Create Certificate Signing Request.
Step 3: Fill in the certificate details
In the Create Certificate Signing Request window, complete the fields as follows:
- Common Name (CN): the fully qualified domain name you want to secure, for example clearpass.example.com. For a wildcard certificate, lead with an asterisk and a dot, for example *.example.com.
- Organization (O): the full legal name of your company, for example Example Holdings LLC.
- Organizational Unit (OU): leave blank. Public CAs no longer include the OU field in publicly trusted TLS certificates (CA/Browser Forum Baseline Requirements removed it in 2022), and many CAs strip the value during issuance.
- Location (L): the city where the organization is registered, for example San Jose.
- State (ST): the full name of the state, region, or county. Use California, not CA.
- Country (C): the ISO 3166 two-letter country code, for example US, GB, or DE.
- Subject Alternative Name (SAN): list every DNS name and IP address the certificate must cover, including the Common Name. ClearPass expects the entries with their type prefix, separated by commas (see the example below the list).
- Private Key Password: set a strong passphrase. You will need it when you import the signed certificate later, so store it safely.
- Verify Private Key Password: re-enter the same passphrase.
- Key Length: select 2048 bits. Choose 4096 only if your security policy mandates it, since longer RSA keys add CPU cost on every TLS handshake. ECDSA (P-256) is also accepted on supported Usage types if your CA issues ECDSA certificates.
- Digest Algorithm: select SHA-256. SHA-1 is not accepted by public CAs and is rejected by modern clients.
- Valid for: leave this field blank when the CSR is going to a public CA. The CA sets the validity period of the issued certificate, currently capped at 200 days for new public TLS certificates issued on or after March 15, 2026.
A valid SAN value looks like this:
DNS:clearpass.example.com, DNS:cppm-node1.example.com, IP:10.0.0.10
Double-check every field, then click Submit.
Step 4: Download the CSR
ClearPass displays the Base64 contents of the new CSR. Click Download CSR to save the file with a .csr extension. The private key is generated at the same time and stays on the appliance, against the node and Usage you selected, until the signed certificate is imported.
Open the downloaded file in any plain-text editor (Notepad, TextEdit in plain-text mode, or your code editor of choice). The content starts and ends like this:
-----BEGIN CERTIFICATE REQUEST-----
MIIC...
-----END CERTIFICATE REQUEST-----
Copy the entire block, including the BEGIN and END lines, and paste it into the CSR field on your SSL certificate order page. Before you submit, you can sanity-check the contents (CN, SAN, key size, signature algorithm) with our CSR Decoder.
After your CA validates the request and issues the certificate, follow the Aruba ClearPass SSL installation instructions to import the signed certificate. Make sure you select the same node and the same Usage when you import: the pending private key only matches a certificate imported against the slot it was created for.
Save 10% on SSL Certificates when ordering from SSL Dragon today!
Fast issuance, strong encryption, 99.99% browser trust, dedicated support, and 25-day money-back guarantee. Coupon code: SAVE10


