Product and Software: This article applies to all Aruba controllers and ArubaOS versions.
Captive portal is a Layer 3 authentication method (all authentication runs over IP) that uses HTTP or HTTPS. HTTPS is considered secure because the username and password are encrypted between the client and the controller instead of being sent in the clear. For HTTPS to work, the controller must have a server certificate for the captive portal, and that certificate must chain to a CA the client already trusts, or the browser warns the user before the login page appears.
Prior to ArubaOS 3.2, certificate management for the captive portal was done by the captive portal process itself. ArubaOS 3.2 and later offload it to the certificate manager process, so the captive portal gets all the features the certificate manager provides (such as CSR generation and automatic CRL checking).
The majority of the captive portal certificate issues are related to the way the certificate is uploaded.
With ArubaOS 2.x and 3.1, the certificate must be in unencrypted X.509 PEM format, so it must either be generated in that format or converted to it.
With ArubaOS 3.2 and later, the certificate is managed by the certificate manager, so the following formats are supported:
- X.509 PEM, unencrypted
- X.509 PEM, encrypted, with key
- PKCS#12, encrypted
Internally, the certificate manager converts whatever is uploaded into encrypted X.509 PEM and re-encrypts the private key under a different key of its own, so the passphrase used at upload time is not what protects the key on the controller.
If the controller (server) certificate is signed by an intermediate CA that is not in the client's trusted certificate store, the file uploaded to the controller must also carry the intermediate CA certificate(s), chained upward until you reach a CA that is actually present in the client's trusted CA store. A browser that receives only the server certificate cannot build a chain to a trusted root and shows a certificate warning instead of the login page.
To do this, the certificates in the PEM file imported into the Aruba controller must be in the following order:
- server certificate (public)
- intermediate CA certificate (public) that signed the server certificate
- the CA that signed the previous CA (public), repeated for each further intermediate; the last one may be omitted if it is already in the user's browser
- the server's private key, last
In UNIX lingo (assuming two intermediate CAs and all files in unencrypted X.509 PEM format):
cat server.cert intermediate1.cert intermediate2.cert CA.cert server.key > cert.pem
Then import cert.pem through the GUI. The order matters: the server certificate comes first, each certificate is followed by the one that signed it, and the file that contains the private key goes last.
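The following POSIX shell script is an added example, not part of the original article or of ArubaOS. It assembles the bundle in the order above, checks the block order before you upload it, and, where openssl is available, builds a throwaway root/intermediate/server chain to show why the intermediate has to travel with the server certificate: the server certificate verifies against the root only when the intermediate is supplied alongside it. The file names, the "Demo" CA names and the hostname securelogin.example.com are assumptions made for this example.

```shell
#!/bin/sh
# Added example: assemble a captive portal PEM bundle in the order the
# article requires and check it before uploading to the controller.
# File names, the "Demo" CA names and the hostname are assumptions for
# this example, not values from the article.
set -eu

# build_bundle OUT SERVER_CERT PRIVATE_KEY CHAIN_CERT...
# CHAIN_CERT... are listed from the CA that signed the server cert upward.
# Output order: server cert, intermediates, CA, private key last.
build_bundle() {
    out=$1; server=$2; key=$3; shift 3
    cat "$server" "$@" "$key" > "$out"
}

# check_bundle FILE: succeed only if the first PEM block is a certificate,
# there is exactly one private key, and that key is the last block.
check_bundle() {
    f=$1
    ncert=$(grep -c '^-----BEGIN CERTIFICATE-----' "$f" || true)
    nkey=$(grep -c -E '^-----BEGIN .*PRIVATE KEY-----' "$f" || true)
    first=$(grep -E '^-----BEGIN ' "$f" | head -n 1)
    last=$(grep -E '^-----BEGIN ' "$f" | tail -n 1)
    [ "$ncert" -ge 1 ] || return 1
    [ "$nkey" -eq 1 ] || return 1
    [ "$first" = '-----BEGIN CERTIFICATE-----' ] || return 1
    case "$last" in
        *'PRIVATE KEY-----') return 0 ;;
    esac
    return 1
}

# demo_chain: build a throwaway root -> intermediate -> server chain with
# openssl, bundle it, and show that the server cert verifies against the
# root only when the intermediate is supplied with it (the chain-up case).
demo_chain() (
    work=$(mktemp -d)
    cd "$work"
    # Root CA: stands in for a CA already in the browser's trust store.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=Demo Root CA' \
        -keyout root.key -out root.crt 2>/dev/null
    # Intermediate CA signed by the root; it needs basicConstraints CA:TRUE.
    printf '%s\n' 'basicConstraints=critical,CA:TRUE' \
        'keyUsage=critical,keyCertSign,cRLSign' > ca.ext
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Demo Intermediate CA' \
        -keyout inter.key -out inter.csr 2>/dev/null
    openssl x509 -req -in inter.csr -CA root.crt -CAkey root.key -set_serial 1001 \
        -days 1 -extfile ca.ext -out inter.crt 2>/dev/null
    # Controller (captive portal) certificate signed by the intermediate.
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=securelogin.example.com' \
        -keyout server.key -out server.csr 2>/dev/null
    openssl x509 -req -in server.csr -CA inter.crt -CAkey inter.key -set_serial 1002 \
        -days 1 -out server.crt 2>/dev/null

    build_bundle portal.pem server.crt server.key inter.crt root.crt
    check_bundle portal.pem
    echo "portal.pem: block order OK"

    # Verify exactly what was bundled: pull the certificates out of the
    # bundle and use them as the untrusted chain, trusting only the root.
    awk '/^-----BEGIN CERTIFICATE-----/,/^-----END CERTIFICATE-----/' portal.pem > chain.pem
    echo "with intermediate:    $(openssl verify -CAfile root.crt -untrusted chain.pem server.crt)"
    # Without the intermediate the client cannot build the chain; this is
    # the browser warning users get when the bundle omits it.
    if openssl verify -CAfile root.crt server.crt >/dev/null 2>&1; then
        echo "unexpected: server cert verified without its intermediate" >&2
        exit 1
    fi
    echo "without intermediate: verification fails (unable to get local issuer certificate)"
    rm -rf "$work"
)

if command -v openssl >/dev/null 2>&1; then
    demo_chain
else
    echo "openssl not found; skipping chain demo" >&2
fi
```

Run check_bundle on the file you are about to paste into the GUI; a key in the middle of the file, a missing key, or a key before the server certificate all make it fail. The chain check trusts only root.crt and hands the rest of the bundle to openssl as untrusted material, which is the same position a browser is in when it has the root but not the intermediate.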