Controller Based WLANs

How do I generate, install, and manage a certificate for the controller?

Product and Software: This article applies to all Aruba controllers and ArubaOS 3.x.

  

To generate, install, and manage a certificate for the controller, follow these steps:

 

1)   Generate the CSR on the controller.

 

Fill in all the fields for the CSR information. Do not use abbreviations for State/Province; some Certificate Authorities (such as VeriSign) do not accept abbreviations in this field. Click Generate New.

 

2)   Click View Current to view the CSR.

 

3)   Copy the text from "-----BEGIN CERTIFICATE REQUEST-----" to "-----END CERTIFICATE REQUEST-----" (including these two lines as well).

 

Send this text to your preferred certificate authority (CA). You can also save it using any text editor and send it to your CA as an attachment.

 

4)   The following are the preferred certificate options:

  •  Server-type: Apache
  •  Purpose: Web Server
  •  Type: PEM

 

5)   After you submit the CSR to the CA, the CA will provide the signed copy of the certificate, and you can now upload the signed certificate to the controller using the Web management interface.

 

6)   You can use the newly loaded certificate for captive portal authentication, WebUI Management Authentication, or 802.1x termination. The following screens illustrate the options available on the management user interface.

 

Certificates may be signed by an intermediate CA that the stations do not trust. In this case, you must chain the certificate before uploading it to the controller. Obtain the intermediate CA certificate from your CA in PEM format; if it is supplied in another format, convert it using a tool such as OpenSSL.

 

To chain the certificate, append the intermediate CA certificate to the signed server certificate provided by your CA using any text editor, save the file, and follow step 5 to upload the chained certificate to the controller.
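
The chaining step above, as an added example (not part of the original article or of Aruba's documentation): a shell script that converts either input from DER to PEM when needed, checks that the intermediate's subject matches the server certificate's issuer, and writes the server certificate first followed by the intermediate. It assumes the openssl command-line tool is installed; the function names and file names are placeholders.

```shell
#!/bin/sh
# Added example: chain a signed server certificate with its intermediate CA
# certificate. Function and file names are placeholders, not Aruba tooling.

# to_pem IN OUT: write the certificate in IN to OUT as PEM, converting from
# DER when IN carries no PEM certificate header. A CSR or key file fails here.
to_pem() {
    if grep -q -e '-----BEGIN CERTIFICATE-----' "$1"; then
        openssl x509 -in "$1" -out "$2"
    else
        openssl x509 -inform DER -in "$1" -out "$2"
    fi
}

# build_chain SERVER INTERMEDIATE OUT: write SERVER followed by INTERMEDIATE
# to OUT. Returns 1 on unreadable input, 2 when the intermediate's subject
# name is not the server certificate's issuer name (wrong CA file supplied).
build_chain() {
    bc_tmp=$(mktemp -d) || return 1
    if ! to_pem "$1" "$bc_tmp/server.pem" || ! to_pem "$2" "$bc_tmp/ca.pem"; then
        rm -rf "$bc_tmp"
        return 1
    fi
    bc_issuer=$(openssl x509 -in "$bc_tmp/server.pem" -noout -issuer_hash)
    bc_subject=$(openssl x509 -in "$bc_tmp/ca.pem" -noout -subject_hash)
    if [ "$bc_issuer" != "$bc_subject" ]; then
        echo "intermediate does not match the server certificate's issuer" >&2
        rm -rf "$bc_tmp"
        return 2
    fi
    # Server certificate first, then the intermediate, each ending in a newline.
    cat "$bc_tmp/server.pem" "$bc_tmp/ca.pem" > "$3"
    rm -rf "$bc_tmp"
}

# Usage: sh chain.sh server.cer intermediate.cer chained.pem
if [ "$#" -eq 3 ]; then
    build_chain "$@"
fi
```

The name comparison catches a mismatched CA file before upload; it does not verify the signature or the validity dates.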

 

Version History
Revision #: 1 of 1
Last update: 08-07-2014 08:06 AM
Comments
Elvis_Teah

You only explained how to generate the CSR. How do you upload the signed certificate back into the controller?

Guru Elite

Configuration > Certificates > Upload

martinpoulin

That's fine for WebUI, but what happens when the WebUI is locked out due to a revoked certificate?  They can only access the CLI.  The documentation just brushes over that part:  

In the CLI

Use the following command to import CSR certificates:

crypto pki-import {der|pem|pfx|pkcs12|pkcs7} {PublicCert|ServerCert|TrustedCA} <name>

The following example imports a server certificate named cert_20 in DER format:
crypto pki-import der ServerCert cert_20

 

The crucial step missing is where to upload the certificate via the CLI.  What's the TFTP command to do that?

 

Guru Elite
You can use an alternative browser or disable OCSP/CRL checks temporarily to access the UI.

Instructions on adding a cert via the CLI are provided in the user guide.


http://www.arubanetworks.com/techdocs/ArubaOS_6_4_1_Web_Help/Web_Help_Index.htm#ArubaFrameStyles/Management_Utilities/Managing_Certificates.htm
martinpoulin

Customer claims all browsers refuse to load the page, saying "certificate revoked".

The documentation lists multiple locations for certificates.

 

Which directory do I upload the generated certificate to?

/flash/certmgr/?

/flash/certmgr/trustedCAs? 

/flash/certmgr/serverCerts?

/flash/certmgr/CSR?

/flash/certmgr/publiccert?

or just /flash/???

 

Guru Elite
It just needs to be copied to the flash root.

If you temporarily disable OCSP/CRL checks in your browser, you will be able to access the UI.