Controller Based WLANs

How can I use OpenSSL to create CA, server, and public certificates to import into Aruba controllers?

by on 07-02-2014 06:02 PM

Product and Software: This article applies to all Aruba controllers and ArubaOS versions.


The CA, server, and public certificates are used for:

  • SSH public certificate authentication
  • captive portal server certificate
  • WebGUI server certificate
  • TLS client authentication

This example uses OpenSSL 1.0.0 (29 Mar 2010) to generate the certificates. It supplements the ArubaOS product documentation and other KB articles on the same subject.

This example uses a PKI directory (/opt/pki in the steps below) with a subdirectory named private for storing the private keys.

Certificates and keys should be created with a protecting passphrase.

1) Create a PKI directory /opt/pki (with a private subdirectory for the keys) and copy /etc/ssl/openssl.cnf into it.

2) Create a custom openssl.cnf file.
Modify it as follows, adjusting the defaults to your settings. (Note: it may be expedient to create a separate file for each controller while sharing the same CA root certificate, as a real PKI might.)

dir = /opt/pki
default_days = 3650
default_md = sha1
countryName_default = DE
stateOrProvinceName_default = NoSTATE
localityName_default = Berlin
0.organizationName_default = Aruba Networks
organizationalUnitName_default = Customer Advocacy
commonName_default = Private_SS_CA
emailAddress_default = xxxxx@arubanetworks.com

Modify the v3_ca section to add this line:
[ v3_ca ]
extendedKeyUsage = serverAuth, clientAuth

3) Generate a self-signed CA certificate and key pair.

# self-signed CA cert (run from /opt/pki so that private/ resolves to /opt/pki/private)
openssl req -new -x509 -days 3650 -extensions v3_ca -keyout private/cakey.pem -out cacert.pem -config /opt/pki/openssl.cnf

The cacert.pem and /opt/pki/private/cakey.pem files are created.

4) Generate a server certificate and key pair.
HOST is the hostname of the controller or server. Repeat this step to generate additional server or controller certificates.

openssl req -new -nodes -out HOST-req.pem -keyout private/HOST-key.pem -config /opt/pki/openssl.cnf

openssl ca -config /opt/pki/openssl.cnf -out HOST-cert.pem -infiles HOST-req.pem

The HOST-req.pem, /opt/pki/private/HOST-key.pem, and HOST-cert.pem files are created.

5) Combine the server certificate and private key into one file.

cp HOST-cert.pem HOST-cert-AOS.pem
cat private/HOST-key.pem >> HOST-cert-AOS.pem

The HOST-cert-AOS.pem file is created.

6) Verify the server certificate and key pair:

openssl x509 -noout -modulus -in HOST-cert.pem | openssl md5 ; openssl rsa -noout -modulus -in private/HOST-key.pem | openssl md5

The two resulting hashes should match:

(stdin)= c0eeb1ee1824341c70ffd0e01a604849
(stdin)= c0eeb1ee1824341c70ffd0e01a604849

7) Generate a client certificate and key pair.
CLIENT is a username or hostname of the client device. Repeat this step to generate additional client certificates.

openssl req -new -nodes -out CLIENT-client-req.pem -keyout private/CLIENT-client-key.pem -config /opt/pki/openssl.cnf

openssl ca -config /opt/pki/openssl.cnf -out CLIENT-client-cert.pem -infiles CLIENT-client-req.pem

The CLIENT-client-req.pem, /opt/pki/private/CLIENT-client-key.pem, and CLIENT-client-cert.pem files are created.

8) Verify the client certificate and key pair.

openssl x509 -noout -modulus -in CLIENT-client-cert.pem | openssl md5 ; openssl rsa -noout -modulus -in private/CLIENT-client-key.pem | openssl md5

The two resulting hashes should match:

(stdin)= 634dbe80fe2fb87ffb3ed1997801ba48
(stdin)= 634dbe80fe2fb87ffb3ed1997801ba48

9) Export the client certificates to the PKCS12 and DER format, which are binary formats.

openssl pkcs12 -export -in CLIENT-client-cert.pem -inkey private/CLIENT-client-key.pem -out CLIENT-client-cert.p12

openssl x509 -outform der -in CLIENT-client-cert.pem -out CLIENT-client-cert.der

10) Verify the exported DER and PKCS12 client certificate files.

openssl x509 -inform der -in CLIENT-client-cert.der -noout -text
openssl x509 -inform der -in CLIENT-client-cert.der

openssl pkcs12 -in CLIENT-client-cert.p12 -info -noout
openssl pkcs12 -in CLIENT-client-cert.p12 -noout
openssl pkcs12 -in CLIENT-client-cert.p12 -out pkcs12_verify.tmp
cat pkcs12_verify.tmp
# pkcs12_verify.tmp now holds the client certificate and private key in PEM; delete it once checked
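As an added example (not code from the article), the following script runs steps 1 to 8 non-interactively in a throwaway directory standing in for /opt/pki and ends with the modulus check from steps 6 and 8. The controller name ctrl1 and client name alice are constructed, -nodes is used only so the run needs no passphrase prompts, and the configuration supplies the database, serial and new_certs_dir entries that openssl ca requires but the article's openssl.cnf excerpt does not show.

```shell
# Added example (not the article's own code): runs steps 1 to 8 end to end,
# non-interactively, in a throwaway directory standing in for /opt/pki.
# Constructed names: ctrl1 (a controller), alice (a client); -nodes is used here
# only so the run needs no passphrase prompts (the article recommends one).
set -eu
PKI=$(mktemp -d)
make_config() {   # openssl ca also needs database/serial/new_certs_dir
cat > "$PKI/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $PKI
database = \$dir/index.txt
serial = \$dir/serial
new_certs_dir = \$dir/newcerts
certificate = \$dir/cacert.pem
private_key = \$dir/private/cakey.pem
default_days = 3650
default_md = sha256
policy = policy_any
[ policy_any ]
commonName = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = keyCertSign, cRLSign
extendedKeyUsage = serverAuth, clientAuth
[ leaf ]
extendedKeyUsage = serverAuth, clientAuth
EOF
}
build_pki() {
  mkdir -p "$PKI/private" "$PKI/newcerts"; chmod 700 "$PKI/private"
  : > "$PKI/index.txt"; echo 01 > "$PKI/serial"; make_config; cd "$PKI"
  openssl req -new -x509 -days 3650 -extensions v3_ca -nodes -subj /CN=Private_SS_CA \
    -keyout private/cakey.pem -out cacert.pem -config openssl.cnf 2>/dev/null
  for n in ctrl1 alice; do   # step 4 (server) and step 7 (client) are the same flow
    openssl req -new -nodes -subj "/CN=$n" -out "$n-req.pem" \
      -keyout "private/$n-key.pem" -config openssl.cnf 2>/dev/null
    openssl ca -batch -notext -config openssl.cnf -extensions leaf \
      -out "$n-cert.pem" -infiles "$n-req.pem" 2>/dev/null
    cat "$n-cert.pem" "private/$n-key.pem" > "$n-cert-AOS.pem"   # step 5 bundle
  done
}
keys_match() {   # steps 6 and 8: cert and key must carry the same RSA modulus
  [ "$(openssl x509 -noout -modulus -in "$1")" = "$(openssl rsa -noout -modulus -in "$2")" ]
}
build_pki
```

After it runs, $PKI holds cacert.pem, the two signed certificates with their keys under private/, and the combined ctrl1-cert-AOS.pem ready for the controller's server certificate upload.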

11) Upload the CA, server, and public certificates to the ArubaOS controller.

In the WebUI, select and upload each certificate. In each case, select the type of certificate and select PEM as the format.

Trusted CA Certificate: cacert.pem
Server Certificate: HOST-cert-AOS.pem
Public Certificate: CLIENT-client-cert.pem

After the server certificate HOST-cert-AOS.pem is installed, it can be selected as the captive portal and WebUI certificate.

The trusted CA certificate is used for captive portal and TLS client termination.

The public certificate is used for SSH authentication and TLS client termination.

Consult the relevant ArubaOS user and reference guides for more detail.

These files must be securely copied to devices that will use client certificate authentication for WebGUI or TLS:

  • cacert.pem
  • CLIENT-client-cert.pem
  • CLIENT-client-key.pem

(Some systems may require the *.der or *.p12 format files instead.)

To use SSH with certificate authentication, the CLIENT-client-cert.pem file must be copied to each host that will use certificate SSH authentication.

To configure and test a client certificate connection, log into the controller CLI and configure a user ID to use SSH public key authentication. (This presumes the public certificate is already installed on the controller.)

Obtain the name of the public certificate as installed on the controller:

show crypto-local Pki PublicCert
cx200_client CLIENT-client-cert.pem 1

Configure a management user ID for SSH public key authentication:

config t
mgmt-user ssh-pubkey client-cert cx200_client netadmin root
exit

From the host where the public key has been copied, issue these commands:

chmod 600 CLIENT-client-cert.pem

ssh -i ./CLIENT-client-cert.pem netadmin@<CONTROLLER IP>

You are prompted for the key passphrase.

The user netadmin relies upon certificate authentication and is logged into the CLI without entering a password.

Continue with certificate usage by configuring the controller to use the new certificates for WebUI, Captive Portal, and TLS authentication.

Consult the ArubaOS User and Reference Guides for details.
