Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Migrating certs from SHA-1 to SHA-2

  • 1.  Migrating certs from SHA-1 to SHA-2

    Posted Sep 17, 2014 01:36 AM

    Heads up guys - there are changes coming up with Google Chrome in regards to errors it'll display if SHA-1 is used for SSL certificates. Solution - migrate the certs to SHA-2. Check out the articles below:

     

    https://garage.godaddy.com/webpro/security/google-chrome-phasing-ssl-certs-using-sha-1/


    http://googleonlinesecurity.blogspot.sg/2014/09/gradually-sunsetting-sha-1.html

     

     



  • 2.  RE: Migrating certs from SHA-1 to SHA-2

    Posted Sep 17, 2014 03:03 AM

    What are the controller certificates using? It looks like SHA-1.



  • 3.  RE: Migrating certs from SHA-1 to SHA-2

    Posted Sep 17, 2014 04:41 AM

    Indeed it appears so. I have escalated it to the appropriate team internally.



  • 4.  RE: Migrating certs from SHA-1 to SHA-2

    EMPLOYEE
    Posted Sep 17, 2014 04:48 AM

    ArubaOS has had support for SHA256 and SHA384 since version 6.1.  The certificates installed on it are using whatever you requested when you installed those certificates.  Because you're not using "securelogin.arubanetworks.com" in a production network, right? :)



  • 5.  RE: Migrating certs from SHA-1 to SHA-2

    Posted Sep 17, 2014 04:51 AM

    Most of our customers are, for many reasons. Some can't get a public certificate as they don't own a domain. Some simply can't be bothered replacing it.



  • 6.  RE: Migrating certs from SHA-1 to SHA-2

    EMPLOYEE
    Posted Sep 17, 2014 05:18 AM

    I have a hard time being sympathetic to this - domains and certificates are very inexpensive these days.  The bigger concern I have is that use of a common certificate, which doesn't cause browser warnings, gives people the impression of security when actually there is none.  Maybe Chrome generating SHA1 warnings will help people understand that this certificate is not safe to be using.

     

    Once this latest certificate expires (unfortunately not until 2017) I think we're going to move to a model where each controller generates a self-signed certificate.  Using a public certificate where the private key is known to everyone is ultimately a disservice to our customers, and we probably shouldn't have started doing it way back in the day.  Had I known...



  • 7.  RE: Migrating certs from SHA-1 to SHA-2

    EMPLOYEE
    Posted Sep 17, 2014 07:56 AM
    I think moving to a self-signed controller cert is a fantastic idea!
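
Added example, not part of any post in this thread and not Aruba's own tooling: a shell sketch that reports which hash a certificate is signed with (the question raised in post 2) and generates a per-device self-signed SHA-256 certificate of the kind discussed in post 6. It assumes the `openssl` CLI is installed; the function names, output paths and the CN passed in are hypothetical.

```shell
#!/bin/sh
# Added example: audit certificate signature hashes (SHA-1 vs SHA-2).
# Usage after sourcing: check_cert /path/to/exported-cert.pem

# Print the signature algorithm of a PEM certificate file,
# e.g. "sha1WithRSAEncryption" or "sha256WithRSAEncryption".
cert_sigalg() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        awk -F': ' '/Signature Algorithm:/ { print $2; exit }'
}

# Map an algorithm name to a verdict: weak (MD5/SHA-1), sha2, or unknown.
# "unknown" covers names that carry no hash (e.g. ED25519, RSASSA-PSS).
classify_sigalg() {
    alg=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    case "$alg" in
        *md5*|*sha1*)                        echo "weak" ;;
        *sha224*|*sha256*|*sha384*|*sha512*) echo "sha2" ;;
        *)                                   echo "unknown" ;;
    esac
}

# Report one certificate; return non-zero when it must be reissued.
check_cert() {
    alg=$(cert_sigalg "$1")
    if [ -z "$alg" ]; then
        echo "$1: not a readable PEM certificate" >&2
        return 2
    fi
    verdict=$(classify_sigalg "$alg")
    echo "$1: $alg ($verdict)"
    [ "$verdict" != "weak" ]
}

# Generate a unique key and a self-signed SHA-256 certificate for one device.
# $1 = common name (hypothetical, e.g. controller.example), $2 = output dir.
make_selfsigned_sha256() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=$1" -keyout "$2/key.pem" -out "$2/cert.pem" \
        >/dev/null 2>&1
}
```

A self-signed certificate still triggers a browser trust warning until it is imported or replaced with a CA-issued one; the point of generating it per device is that each private key exists on only one controller.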