Command of the Day


COTD: crypto pki csr key - Generate a Certificate Signing Request

The Aruba Controller comes with a built-in proof-of-concept Equifax SSL certificate for protecting the web login for both administration and captive portal users. The recommended practice is to replace this certificate with one from either a public certificate authority (CA) or a CA in your own organization. To do this you would generate your own certificate signing request, or CSR, for that controller and send it off to the CA. You would do this with the crypto pki csr key command. You can generate key lengths (key_val) of 1024, 2048 or 4096 bits. The format is:



An example is here:



The controller will take a few minutes to generate the CSR and you can type show crypto pki csr to show the CSR:

(M3.arubanetworks.com) #show crypto pki csr

Certificate Request:
Data:
Version: 0 (0x0)
Subject: C=US, ST=NY, L=New York, O=Aruba Networks, OU=top, CN=testlabs.arubanetworks.com/emailAddress=bigdaddy@arubanetworks.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (2048 bit)
Modulus (2048 bit):
00:bb:d9:c1:d4:7f:cf:02:83:fa:eb:70:a2:f1:73:
ed:b6:c3:b4:c4:80:31:aa:24:60:c5:cc:ec:eb:82:
38:14:db:7f:e6:1f:c7:b0:4a:65:52:41:97:be:9f:
be:1a:da:d6:e5:b4:fd:91:3b:5c:bd:41:e6:f2:e6:
c5:52:07:2e:ce:84:c2:22:67:db:1b:b7:34:9a:9c:
d2:30:ae:25:02:49:00:ab:f3:ad:d8:0f:1a:71:67:
32:3a:89:1b:66:b5:62:ba:eb:da:d8:73:dc:da:cf:
64:e0:8e:a6:05:17:52:c2:9f:d0:56:c8:21:77:3b:
11:a7:26:ea:a5:e5:cd:15:60:01:d5:9d:d5:30:54:
e7:0d:31:e6:85:75:c3:87:fc:75:0c:05:bb:6c:1e:
01:ac:8c:70:b7:e0:d9:72:3d:7b:3d:19:99:bb:78:
67:71:d8:2a:1d:93:08:ff:03:08:53:ba:8f:45:d1:
a0:40:95:1a:cc:c7:b5:7c:31:39:86:f6:01:e7:52:
18:96:f0:a6:e6:34:14:df:a7:38:59:e0:c1:6d:db:
9a:c4:e6:e1:85:3d:70:55:1f:a9:73:a3:5e:a7:56:
80:d3:0c:69:b6:c6:f0:ae:c7:37:e3:9a:da:9a:44:
71:05:30:0a:1d:ea:be:30:b4:f8:f0:70:33:a9:fa:
17:f9
Exponent: 65537 (0x10001)
Attributes:
a0:00
Signature Algorithm: sha1WithRSAEncryption
18:d4:54:f0:cb:f9:a2:d5:32:32:d2:32:78:19:8b:0e:3f:d5:
41:c9:3e:b6:57:95:56:e5:e9:b0:ba:b8:fe:de:b6:ed:28:3a:
16:62:79:ca:c3:a2:ff:75:e4:f7:ab:f9:bb:26:1c:e4:ef:75:
2a:79:f7:8a:c3:00:43:7d:94:0c:84:a3:13:28:2f:95:1e:67:
2c:ed:1a:7b:f8:b7:3d:72:87:9d:b4:54:cd:28:81:e0:00:4a:
d1:b3:6d:5b:b4:c2:a9:b0:04:96:9e:c1:ce:5a:3b:f4:be:da:
d5:7e:ca:39:85:08:dc:df:d2:c3:c0:36:fb:0b:d5:ac:51:54:
29:8d:73:ac:bc:86:a0:34:5f:f0:1d:9e:2e:1c:bc:6c:0b:44:
bb:ce:3c:b2:86:38:cc:20:c0:a0:93:db:b8:e9:38:ce:3c:48:
86:cc:41:ac:86:c1:de:c7:04:2e:8b:9b:1f:fa:42:50:07:41:
a8:03:cf:06:ed:9b:12:44:8f:f6:06:f7:44:cd:0f:37:62:fe:
3f:00:cb:a4:05:6a:29:c5:79:0b:58:e0:bc:39:f9:12:46:17:
b2:5b:b2:11:0b:59:b7:e9:f7:62:5e:b6:d7:21:04:91:42:13:
64:fa:71:fd:f6:85:c3:7c:02:03:1e:e2:d5:75:83:f6:7c:c0:
7b:cf:89:9e
-----BEGIN CERTIFICATE REQUEST-----
-----END CERTIFICATE REQUEST-----



You would copy the text and send it off to the CA.

When the CA returns the certificate to you, you would copy it to the controller's flash subsystem via ftp, tftp or scp and then use the crypto pki-import command to replace the controller's proof-of-concept certificate with that of the certificate authority.

If you screw it up, or import the wrong certificate, don't worry. Use the restore factory_default certificate command.


Colin Joseph
Aruba Customer Engineering
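
An added example, not part of the original post and not Aruba code: a pre-submission check that parses text in the layout of the show crypto pki csr output above and reports a wrong common name or a short RSA key before the CSR goes to the CA. The function names, the sample text and the 2048-bit minimum are assumptions made for this illustration.

```python
import re

# Constructed sample: header lines in the layout of `show crypto pki csr`
# output, with the hex modulus and signature bodies left out.
SAMPLE = """\
Certificate Request:
Data:
Version: 0 (0x0)
Subject: C=US, ST=NY, L=New York, O=Example Org, OU=lab, CN=controller.example.com/emailAddress=admin@example.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Exponent: 65537 (0x10001)
Signature Algorithm: sha1WithRSAEncryption
"""

def parse_csr_text(text):
    """Extract subject fields, RSA key size and signature algorithm."""
    info = {"subject": {}, "key_bits": None, "sig_alg": None}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Subject:"):
            # Fields are comma separated, but this layout glues emailAddress
            # onto the CN with a slash, so split on both. Limitation: a field
            # value that itself contains a comma is not handled.
            fields = re.split(r",\s*|/(?=emailAddress=)", line[len("Subject:"):])
            for part in fields:
                key, _, value = part.strip().partition("=")
                if key:
                    info["subject"][key] = value
        elif m := re.match(r"RSA Public Key: \((\d+) bit\)", line):
            info["key_bits"] = int(m.group(1))
        elif line.startswith("Signature Algorithm:"):
            info["sig_alg"] = line.split(":", 1)[1].strip()
    return info

def review_csr(text, expected_cn, min_bits=2048):
    """Return a list of problems to fix before sending the CSR to the CA."""
    info = parse_csr_text(text)
    problems = []
    cn = info["subject"].get("CN")
    if cn != expected_cn:
        problems.append(f"CN is {cn!r}, expected {expected_cn!r}")
    # min_bits=2048 is this example's assumed policy floor, not a controller limit.
    if info["key_bits"] is None or info["key_bits"] < min_bits:
        problems.append(f"RSA key is {info['key_bits']} bits, below {min_bits}")
    return problems

if __name__ == "__main__":
    for problem in review_csr(SAMPLE, "controller.example.com"):
        print("PROBLEM:", problem)
```
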
