Do Aruba RAPs support custom certificates, and how is this implemented?

Aruba Employee

Introduction :


Aruba Access Points, Controllers and Switches ship with a Manufacturing Installed Certificate (MIC) issued by an Aruba CA. The automatic custom certificate enrollment feature lets a customer install device certificates on APs that are issued by a CA on the customer's own premises. During enrollment the Aruba Wireless Controller acts as a Registration Authority (RA): it authenticates and validates each AP's certificate request before forwarding the request to the CA.


Feature Notes :


Aruba devices include a device certificate issued by the Aruba CA. The private key for this certificate resides in a TPM chip on the device, while the certificate (with the public key) is stored on flash. Devices use this key pair to authenticate themselves in IKE exchanges with other Aruba devices. For RAPs, a custom certificate issued by the customer's in-house CA gives more manageability and control. Currently, some RAPs can use custom certificates uploaded to them via USB or the RAP web portal, but there is no way for a RAP to automatically submit a certificate request and obtain a certificate from the in-house CA without user intervention. Because RAPs are deployed at many remote sites, uploading custom certificates over USB or the WebUI does not scale. Hence RAPs need a mechanism to obtain custom certificates automatically.


Network Topology : DMZ controller --- Internet cloud --- RAP


Configuration Steps :


Configuration for Custom Certificate Enrollment is done through the Command Line Interface (CLI) in the following steps.

  1. Configure the CA server URL.
  2. Enable automatic provisioning of certificates on Remote APs.

NOTE: Currently, this command globally provisions all remote APs connecting to the controller.

  3. Enable Custom Certificate Enrollment.
  4. If your SCEP server does not issue certificates automatically, manually issue the certificates for the controller and the Remote APs at the CA server.
  5. Configure the VPN service on the controller to use the custom certificate. Refer to the ArubaOS User Guide and Command Reference Guide for details.

NOTE: If remote APs came up using the default certificate before custom certificate enrollment was enabled, they must be rebooted manually.


Configuring CA URL and enabling custom cert enrollment
(Aruba3600) (config) #custom-cert-enroll
(Aruba3600) (Custom Cert Enrollment Profile) #
(Aruba3600) (Custom Cert Enrollment Profile) #ca-url
(Aruba3600) (Custom Cert Enrollment Profile) #auto-cert-prov
(Aruba3600) (Custom Cert Enrollment Profile) #ap-group PC_TEST_RAP <There can be multiple AP groups configured>
(Aruba3600) (Custom Cert Enrollment Profile) #enable
Display Custom certificate enrollment configuration
(Aruba3600) #show custom-cert-enroll
Custom Cert Enrollment Profile
Parameter               Value
---------               -----
Custom Cert Enroll      Enabled
Auto Cert Provisioning  Enabled
AP group                PC_TEST_RAP
CA URL                  

Verifying that the controller and CA certificates have been installed
After custom cert enrollment is enabled, the controller generates a CSR for itself and sends it to the CA for signing. It also downloads the CA certificate.
Once the CA issues the signed certificate, the controller installs the signed certificate and the CA certificate in flash under the names "raCert" and "raCACert" respectively. raCert is listed under ServerCert and raCACert under TrustedCA, as the following show commands confirm; both should show Expired = No.
(Aruba3600) #show crypto-local pki ServerCert
Name            Original Filename    Reference Count  Expired
--------------  -----------------    ---------------  -------
raCert          raCert.pem           1                No
(Aruba3600) #show crypto-local pki TrustedCA
Name            Original Filename    Reference Count  Expired
--------------  -----------------    ---------------  -------
raCACert        raCACert.pem         1                No
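The manual issuance step (step 4 above) and the raCert / raCACert checks can be rehearsed with openssl on any workstation before the real SCEP server is involved. The script below is an added example written for this article; it is not Aruba code or ArubaOS output. The organisation name, CA names, directory layout and the RAP common name "rap-001" are assumptions, and it uses a throwaway CA rather than your production one. It builds an in-house CA, issues a certificate for a RAP from a CSR, and then applies the three checks an admin wants on the issued pair: the certificate chains to the CA certificate, its issuer equals the CA's subject, and it is not expired (the "Expired" column in the show commands above).

```shell
#!/bin/sh
# Added example for the article, not Aruba code. Names and paths are assumptions.
set -eu

# Create a self-signed in-house CA in directory $1 with common name $2
# (key + certificate, 10 year validity). Throwaway CA for demonstration only.
make_inhouse_ca() {
    dir=$1
    mkdir -p "$dir"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/O=Example Corp/CN=$2" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" >/dev/null 2>&1
}

# Generate a key and CSR for a RAP (CN = $2) and sign the CSR with the CA in $1.
# This is the manual issuance path (step 4); with SCEP the controller, acting
# as RA, forwards the RAP's CSR and the CA signs it without an admin in the loop.
issue_rap_cert() {
    dir=$1
    cn=$2
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/O=Example Corp/CN=$cn" \
        -keyout "$dir/$cn.key" -out "$dir/$cn.csr" >/dev/null 2>&1
    openssl x509 -req -in "$dir/$cn.csr" -sha256 -days 365 \
        -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/$cn.pem" >/dev/null 2>&1
}

# Checks on an issued certificate ($2) against a CA certificate ($1):
#  1. chain verification: the cert must validate against this CA
#  2. the cert's issuer name must equal the CA's subject name
#  3. the cert must not be expired (openssl -checkend 0)
# Returns 0 when all three pass, 1 otherwise.
verify_issued() {
    ca=$1
    cert=$2
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 || return 1
    issuer=$(openssl x509 -in "$cert" -noout -issuer)
    subject=$(openssl x509 -in "$ca" -noout -subject)
    # strip the "issuer=" / "subject=" prefixes before comparing the names
    [ "${issuer#*=}" = "${subject#*=}" ] || return 1
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1 || return 1
}

# Demo: build a CA, issue a RAP certificate, run the checks and print the
# subject, issuer and expiry the way an admin would eyeball them.
demo() {
    work=$(mktemp -d)
    make_inhouse_ca "$work/corp" "Corp In-House CA"
    issue_rap_cert "$work/corp" rap-001
    if verify_issued "$work/corp/ca.pem" "$work/corp/rap-001.pem"; then
        echo "rap-001.pem: chains to ca.pem, issuer matches, not expired"
    else
        echo "rap-001.pem: FAILED verification"
    fi
    openssl x509 -in "$work/corp/rap-001.pem" -noout -subject -issuer -enddate
    rm -rf "$work"
}

case "${1:-}" in
    demo) demo ;;
esac
```

Run it as `sh enroll_check.sh demo`. The issuer/subject comparison is the relationship the controller relies on when it pairs raCert (ServerCert) with raCACert (TrustedCA); a certificate issued by any other CA fails the verify step, which is the position a RAP is in while it still presents its factory Aruba-CA certificate rather than one from the in-house CA.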

Version history: Revision 1 of 1, last update 11-09-2014 11:02 AM