09-22-2016 03:47 PM
So with this whole revoked cert issue we are trying to obtain a new SSL cert for our IAP 215 captive portal setup. My understanding is we can create the CSR from any machine, but then aren't the keys all tied to that machine? I guess what I am asking is: will we have issues using this new SSL key on the IAP for the captive portal once the process is complete? Everything I have read says that the key pair and CSR all need to be prepared on the server/machine it will be used on, but the IAP Instant OS does not allow you to create a CSR from the device. So is this going to be an issue with the IAP and the CA? Or do they only care that the IAP has the associated key?
09-22-2016 03:51 PM
When you generate the CSR on an external box, it will also generate the private key. You then combine the private key, signed public cert and intermediates into a PEM file.
Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
09-23-2016 01:25 PM
Hm. Not having any joy with this process. We keep getting an invalid format for the pem file according to the IAP. I had to convert the pfx file to a crt file in order to assemble the .pem file. We used our private key, the cert, and one of the 2 intermediate CA certs. Everything had the begin and end info. We even moved over to Linux to verify that we had no newline stuff in it, using the translate command... My only other thought is whether it is the pfx-to-crt conversion using Windows-based openssl. That or we are using the wrong provided intermediate certs.
09-24-2016 04:33 AM
-----BEGIN CERTIFICATE-----
<your instant certificate here>
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<intermediate cert here>
-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----
<PEM of your private key here>
-----END PRIVATE KEY-----
You can just open a text window and combine the files like above. Is this the order?
Aruba Customer Engineering
09-26-2016 08:07 AM
So you're saying the order is wrong in the FAQ on this?
I went with:
public (instant in your reference)
So in our case I used a Windows server to create the CSR and private key. Then I exported the private key and used Windows-based openssl to convert the pfx file into an unencrypted crt file, then pasted our private key into a plain text file called cert.pem with the private key first, then our COMODORSADomainValidationSecureServerCA.crt and then our COMODORSAAddTrustCA.crt.
This time, the IAP accepted the format and things seemed to be working Friday, but I think it was still granting based on the old Aruba. Now we cannot get past the captive portal acceptance.
I'll try your order and see. Do we need to make any changes to the captive portal afterwards? I assumed no but thought I had better check.
09-26-2016 08:18 AM
We just noticed the certificate info under the InstantOS for the virtual controller shows the Aruba default server certificate and some of our Comodo certs. Should it not have cleared all that out and only loaded ours?
09-26-2016 08:36 AM
OK I was looking at the user guide for IAP again. Do we need to upload the same cert twice? Once for the CA and once for the Auth server or the captive portal server? We are wanting to use the captive portal for our guest network. We do not use the internal DB user/password option for the captive portal.
09-26-2016 10:02 AM
Hm, do we need to edit the securelogin.arubanetworks.com to reflect our domain for the captive portal to work as well? We are currently experiencing 2 issues: one is the captive portal cert in the browser is still implying it is not valid and indicates Aruba info in it. The other is our external proxy is broken after running an update on it over the weekend.
So is it possible the invalid cert info in the browser has to do with the captive portal url pointing to securelogin.aruba.....
If we have 2 intermediate CA certs, do we use them both? I used the first one but not the second in our pem. Also, someone said to include the addtrustexternalcaroot.crt in the pem as well, yes or no?
I did open a support case.
09-26-2016 02:42 PM
I opened a support ticket, but their cert order for the pem file did not work for either "certificate type: CA or Captive Portal Server".
What I did get to work was this:
1) Uploaded "Certificate Type: CA"
The pem file contained the private key and both intermediate CA certs, but for some reason only when the 2nd intermediate was placed before the 1st.
This did not resolve the captive portal issue, so I have no clue what it did, if anything, but it was successfully uploaded.
2) Uploaded "Certificate Type: Captive Portal Server"
The pem contained the following in the following order:
-1st Intermediate CA
-2nd Intermediate CA
Upload was successful and the Captive Portal secure icon turned green and the acceptance acknowledgement worked fine. Guests can now get to the internet.
The Default Server CA still shows the https://securelogin.arubanetworks.com/ cert info, but then shows our vendor CA info and our CP CA info for our public domain right under that. This appears to be correct based on some info I found about internal captive portal versus external captive portal. If we used an external captive portal then we would have needed to edit the securelogin info to reflect securelogin.mydomain.com, but since we are using the internal one this is normal.
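The thread's two failure modes (an "invalid format" rejection of a hand-assembled .pem, and uncertainty about block order) are both checkable before anything is uploaded. The script below is an added example written for this thread; it is not Aruba's code and not from any poster. It assembles a bundle from separate PEM parts in whatever order you choose (the engineer's "server cert, intermediates, key" order and the poster's "key first" order are both just different input lists), then inspects the result for the structural mistakes that cause the IAP to reject a file: CRLF line endings from Windows, header lines with the wrong number of dashes (the pasted layout above shows six), placeholder text left inside a block, and BEGIN/END labels that do not match. It only checks structure, not signatures or whether the key matches the certificate; the sample blocks are constructed stand-ins with valid base64 but no real certificate data.

```python
import base64
import binascii
import re
from typing import List, Tuple

# Header/footer lines are matched loosely on purpose so that a wrong dash count
# (e.g. six dashes, as pasted in the thread) is reported instead of silently ignored.
HEADER_RE = re.compile(r"^(-+)BEGIN ([A-Z ]+?)(-+)[ \t]*$")
FOOTER_RE = re.compile(r"^(-+)END ([A-Z ]+?)(-+)[ \t]*$")
DASHES = "-----"


def assemble_bundle(parts: List[str]) -> str:
    """Concatenate PEM parts in the caller's chosen order.

    Line endings are normalised to LF and every part is forced to end with a
    newline, so blocks never run together when files were saved on Windows.
    """
    out = []
    for part in parts:
        out.append(part.replace("\r\n", "\n").replace("\r", "\n").strip() + "\n")
    return "".join(out)


def inspect_pem(text: str) -> Tuple[List[str], List[str]]:
    """Return (block labels in file order, list of structural problems found).

    Structural checks only: CRLF endings, dash counts, mismatched BEGIN/END
    labels and bodies that are not base64. Signatures and key/cert matching are
    out of scope (use openssl for those).
    """
    problems: List[str] = []
    if "\r" in text:
        problems.append("CRLF line endings present; convert to LF before uploading")
    labels: List[str] = []
    current = None          # label of the block currently open, if any
    body: List[str] = []    # base64 lines collected for the open block
    for lineno, line in enumerate(text.replace("\r", "").split("\n"), 1):
        header, footer = HEADER_RE.match(line), FOOTER_RE.match(line)
        if header:
            if current is not None:
                problems.append(f"line {lineno}: BEGIN {header.group(2)} while {current} is still open")
            if header.group(1) != DASHES or header.group(3) != DASHES:
                problems.append(f"line {lineno}: header must use exactly five dashes on each side")
            current, body = header.group(2), []
        elif footer:
            if current is None:
                problems.append(f"line {lineno}: END {footer.group(2)} without a matching BEGIN")
                continue
            if footer.group(2) != current:
                problems.append(f"line {lineno}: END {footer.group(2)} closes BEGIN {current}")
            if footer.group(1) != DASHES or footer.group(3) != DASHES:
                problems.append(f"line {lineno}: footer must use exactly five dashes on each side")
            try:
                if not body:
                    raise ValueError("empty block")
                base64.b64decode("".join(body), validate=True)
            except (ValueError, binascii.Error):
                problems.append(f"block {current}: body is not valid base64 (placeholder text left in?)")
            labels.append(current)
            current, body = None, []
        elif current is not None and line.strip():
            body.append(line.strip())
    if current is not None:
        problems.append(f"BEGIN {current} is never closed")
    return labels, problems


def has_required_parts(labels: List[str]) -> bool:
    """A server bundle needs at least one certificate and exactly one private key."""
    keys = [label for label in labels if label.endswith("PRIVATE KEY")]
    return "CERTIFICATE" in labels and len(keys) == 1


def _fake_block(label: str, payload: bytes) -> str:
    """Constructed stand-in for a real PEM block: valid base64, not real DER."""
    b64 = base64.b64encode(payload).decode()
    wrapped = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"{DASHES}BEGIN {label}{DASHES}\n{wrapped}\n{DASHES}END {label}{DASHES}\n"


# Constructed sample parts (placeholders, not certificates from the thread).
SERVER_CERT = _fake_block("CERTIFICATE", b"constructed: server certificate DER would be here")
INTERMEDIATE_1 = _fake_block("CERTIFICATE", b"constructed: first intermediate CA DER")
INTERMEDIATE_2 = _fake_block("CERTIFICATE", b"constructed: second intermediate CA DER")
PRIVATE_KEY = _fake_block("PRIVATE KEY", b"constructed: PKCS#8 private key DER")

# Order given by Aruba Customer Engineering in the thread: server cert, intermediates, key.
# Swap the list around to try the "private key first" order the poster reported working.
BUNDLE = assemble_bundle([SERVER_CERT, INTERMEDIATE_1, INTERMEDIATE_2, PRIVATE_KEY])

# Constructed bad input reproducing the pasted layout: six-dash header, CRLF, placeholder body.
BAD_BUNDLE = "------BEGIN CERTIFICATE-----\r\n<your instant certificate here>\r\n-----END CERTIFICATE-----\r\n"

if __name__ == "__main__":
    for name, bundle in (("good", BUNDLE), ("bad", BAD_BUNDLE)):
        labels, problems = inspect_pem(bundle)
        print(name, labels, "OK" if not problems else problems)
```

Run it against your real cert.pem by reading the file into inspect_pem; an empty problem list and a label sequence such as CERTIFICATE, CERTIFICATE, CERTIFICATE, PRIVATE KEY tells you the file is at least well-formed, so any remaining rejection is about order or content rather than formatting.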