Product and Software: This article applies to all Aruba controllers and ArubaOS versions.
Customers are recommended to replace the default certificate that comes with the Aruba controller when it is shipped from the factory. Among the benefits are:
- Added security.
- You own the expiration date.
- You can present your own URL (instead of the securelogin.arubanetworks.com) if you are using captive portal.
- You may not see any longer some annoying popups asking you whether you want to really trust the certificate.
First you need to obtain a certificate. There are several ways of doing this:
- You can buy one.
- You can get one from your CA.
- You can self-generate one.
However, some tips:
- Certificate needs to be in PEM 509 format.
- cn name must the the captive portal URL
- If you plan to use it with 802.1x server certificate, you must also specify the Extended Key Usage to include "server authentication" 220.127.116.11.18.104.22.168.1.
To generate your own self-signed certificate, follow these steps:
- Generate your own CA key: openssl genrsa -des3 -out ca.key 1024
- Generate your root CA cert: openssl req -new -x509 -days 1825 -key ca.key -out ca.cer
- Generate the desired server private key: openssl genrsa -des3 -out server.key 1024
- Generate the desired server cert request: openssl req -new -key server.key -out server.csr
- Sign the server cert request by your CA: openssl x509 -req -days 365 -in server.csr -CA ca.cer -Cakey ca.key -set_serial 01 -out server.cer
- Make the server private key unsecure (unencrypted with no password): openssl rsa -in server.key -out server.key.unsecure
- Combine the server cert and its private key into a .pem file: cat server.key.unsecure server.cer > server.pem
- Upload the file: Maintenance->Captive Portal->Upload Certificate