Controllerless Networks


Creating a CSR for an Aruba IAP215?

  • 1.  Creating a CSR for an Aruba IAP215?

    Posted Sep 22, 2016 06:48 PM

    So with this whole revoked cert issue we are trying to obtain a new SSL cert for our IAP 215 captive portal setup.  My understanding is we can create the CSR from any machine, but then aren't the keys all tied to that machine?  I guess what I am asking is will we have issues using this new SSL key on the IAP for the captive portal once the process is complete?  Everything I have read says that the Key Pair and CSR all need to be prepared on the server/machine it will be used on, but the IAP Instant OS does not allow for you to create a CSR from the device. So is this going to be an issue with the IAP and the CA? Or do they only care that the IAP has the associated key?



  • 2.  RE: Creating a CSR for an Aruba IAP215?

    EMPLOYEE
    Posted Sep 22, 2016 06:52 PM
    Take a look at this: https://community.arubanetworks.com/t5/Controller-less-WLANs/ArubaOS-Default-Certificate-Revocation-FAQ-Instant/ta-p/275814


    When you generate the CSR on an external box, it will also generate the private key. You then combine the private key, signed public cert and intermediates into a PEM file.


  • 3.  RE: Creating a CSR for an Aruba IAP215?

    Posted Sep 23, 2016 10:22 AM

    Thanks I think I missed that info when I read that the first time around. 



  • 4.  RE: Creating a CSR for an Aruba IAP215?

    Posted Sep 23, 2016 04:25 PM

    Hm.  Not having any joy with this process.  We keep getting an invalid format for the pem file according to the IAP.  I had to convert the pfx file to crt file in order to assemble the .pem file.  We used our private key, the cert, and one of the 2 intermediate CA certs.  Everything had the begin and end info.   We even moved over to Linux to verify that we had no next line stuff in it, using the translate command... My only other thought is if with the pfx convert to crt using Windows-based openssl.  That or we are using the wrong provided intermediate certs. 



  • 5.  RE: Creating a CSR for an Aruba IAP215?

    EMPLOYEE
    Posted Sep 24, 2016 07:33 AM
     -----BEGIN CERTIFICATE-----
     <your instant certificate here>
     -----END CERTIFICATE-----
     -----BEGIN CERTIFICATE-----
     <intermediate cert here>
     -----END CERTIFICATE-----
     -----BEGIN PRIVATE KEY-----
     <PEM of your private key here>
     -----END PRIVATE KEY-----

     You can just open a text window and combine the files like above.  Is this the order?



  • 6.  RE: Creating a CSR for an Aruba IAP215?

    Posted Sep 26, 2016 11:07 AM

    So you're saying the order is wrong in the FAQ on this?

    I went with:

    private

    public (instant in your reference)

    intermediate

     

    So in our case I used a Windows server to create the CSR and private key, then exported the private key and used Windows-based openssl to convert the pfx file into an unencrypted crt file, then pasted our private key into a plain text file called cert.pem with the private first, then our COMODORSADomainValidationSecureServerCA.crt and then our COMODORSAAddTrustCA.crt.

     

    This time, the IAP accepted the format and things seemed to be working Friday but I think it was still granting based on the old Aruba.  Now we cannot get past the captive portal acceptance.  

     

    I'll try your order and see.  Do we need to make any changes to the captive portal afterwards?  I assumed no but thought I better check.

     



  • 7.  RE: Creating a CSR for an Aruba IAP215?

    Posted Sep 26, 2016 11:19 AM

    We just noticed the certificate info under the InstantOS for the virtual controller shows Aruba default server certificate and some of our Comodo certs.  Should it not have cleared all that out and only loaded ours?  



  • 8.  RE: Creating a CSR for an Aruba IAP215?

    Posted Sep 26, 2016 11:36 AM

    OK I was looking at the user guide for IAP again. Do we need to upload the same cert twice?  Once for the CA and once for the Auth server or the captive portal server?  We are wanting to use the captive portal for our guest network.  We do not use the internal DB user/password option for the captive portal. 



  • 9.  RE: Creating a CSR for an Aruba IAP215?

    Posted Sep 26, 2016 01:03 PM

    Hm, do we need to edit the securelogin.arubanetworks.com to reflect our domain for the captive portal to work as well?  We are currently experiencing 2 issues: one is the captive portal cert in the browser is still implying it is not valid and indicates Aruba info in it. The other is our external proxy is broken after running an update on it over the weekend.  

    So is it possible the invalid cert info in the browser has to do with the captive portal url pointing to securelogin.aruba.....   

     

    If we have 2 intermediate CA certs, do we use them both? I used the first one but not the second in our pem. Also, someone said to include the addtrustexternalcaroot.crt in the pem as well, yes or no?

     

    I did open a support case. 



  • 10.  RE: Creating a CSR for an Aruba IAP215?
    Best Answer

    Posted Sep 26, 2016 05:43 PM

    I opened a support ticket but their cert order for the pem file did not work for either "certificate type: CA or Captive Portal Server"

     

    What I did get to work was this:

    1)   Uploaded "Certificate Type:  CA"

    pem file contained private key and both intermediate CA certs but for some reason only when the 2nd intermediate was placed before the 1st.   

    This did not resolve the captive portal issue so I have no clue what it did if anything, but it was successfully uploaded. 

     

    2)  Uploaded "Certificate Type: Captive Portal Server"

    Pem contained the following in the following order:

    -Private key

    -Server cert

    -1st Intermediate CA

    -2nd Intermediate CA

    Upload was successful and the Captive Portal secure icon turned green and the acceptance acknowledgement worked fine.  Guests can now get to the internet. 

     

     

    The Default Server CA still shows the https://securelogin.arubanetworks.com/  cert info but then shows our vendor CA info and our CP CA info for our public domain right under that. This appears to be correct based on some info I found about internal captive portal versus external captive portal.  If we used an external captive portal then we would have needed to edit the securelogin info to reflect securelogin.mydomain.com, but since we are using the internal one this is normal.  

     



  • 11.  RE: Creating a CSR for an Aruba IAP215?

    Posted Nov 08, 2016 05:41 PM
    I am having the exact same issue and the information I am getting is misleading, from TAC and the FAQ.



  • 12.  RE: Creating a CSR for an Aruba IAP215?

    EMPLOYEE
    Posted Nov 08, 2016 08:37 PM

    What info, Pmonardo?



  • 13.  RE: Creating a CSR for an Aruba IAP215?

    Posted Nov 09, 2016 04:32 PM
    Hi Cjoseph,

    I believe my issue now was the fact that my internal CA didn't deliver the certificate properly so whatever I read online or the way it was supposed to be chained together as per TAC was not working.

    I have since bypassed my CA and we purchased a publicly signed one and chained it like so:

    server cert
    intermediate CA
    intermediate CA
    root CA
    private key

    Uploaded it and it was successful
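
A format check for the combined PEM file discussed in this thread, as an added example that is not part of any post and not Aruba's code. It flags Windows line endings, boundary lines without exactly five dashes, encrypted keys and text outside blocks, and returns the block order so it can be compared with the orders reported above. The function names and sample data are constructed for illustration; it does not check that the key matches the certificate or that the chain is valid.

```python
import base64
import re

# RFC 7468 boundary: exactly five dashes on each side of the label.
BOUNDARY = re.compile(r"^-----(BEGIN|END) ([A-Z0-9 ]+)-----$")

def lint_pem_bundle(text):
    """Return (labels in file order, list of format problems)."""
    labels, problems = [], []
    if "\r" in text:
        problems.append("CR characters present (Windows line endings)")
    current, body = None, []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        m = BOUNDARY.match(line)
        if m and m.group(1) == "BEGIN":
            if current:
                problems.append(f"line {n}: BEGIN inside unterminated {current}")
            current, body = m.group(2), []
        elif m and m.group(2) != current:
            problems.append(f"line {n}: END {m.group(2)} without matching BEGIN")
            current = None
        elif m:
            # Encrypted keys: PKCS#8 label, or legacy "Proc-Type:" style headers.
            if "ENCRYPTED" in current or any(":" in b for b in body):
                problems.append(f"line {n}: {current} is encrypted")
            else:
                try:
                    base64.b64decode("".join(body), validate=True)
                except ValueError:
                    problems.append(f"line {n}: {current} body is not base64")
            labels.append(current)
            current = None
        elif line.startswith("-") and ("BEGIN" in line or "END" in line):
            problems.append(f"line {n}: malformed boundary {line!r}")
        elif current:
            body.append(line)
        elif line:
            problems.append(f"line {n}: text outside any PEM block")
    if current:
        problems.append(f"unterminated {current} block")
    return labels, problems

def sample_block(label, payload=b"constructed sample bytes, not a real key or cert"):
    b64 = base64.b64encode(payload).decode()
    return f"-----BEGIN {label}-----\n{b64}\n-----END {label}-----\n"

# Constructed samples: the order from post 10, then a copy with CRLF and a six-dash marker.
GOOD = sample_block("PRIVATE KEY") + sample_block("CERTIFICATE") * 3
BAD = GOOD.replace("\n", "\r\n").replace("-----BEGIN", "------BEGIN", 1)
```

Run `lint_pem_bundle(open("cert.pem", newline="").read())` on the assembled file before uploading; `newline=""` keeps any carriage returns visible to the check.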