
Multi-controller captive portal SSL certificate

  • 1.  Multi-controller captive portal SSL certificate

    EMPLOYEE
    Posted Jan 15, 2012 09:03 PM

    I did a CSR for my master controller and installed the certificate with the name wireless.xxx.yyy.edu. This is the name I would like to use as the URL for the captive portal redirect. How can I export the certificate with private key from the master to add to the local controllers?



  • 2.  RE: Multi-controller captive portal SSL certificate

    EMPLOYEE
    Posted Jan 16, 2012 06:33 AM

    You have to generate a CSR for each controller, just like you would for each server in the real world....



  • 3.  RE: Multi-controller captive portal SSL certificate

    EMPLOYEE
    Posted Jan 16, 2012 10:22 AM

    So I assume a second certificate with the same DNS name on a different controller wouldn't interfere? We'd like it to be lyndonwireless.xxx.yyy.zzz for all controllers.



  • 4.  RE: Multi-controller captive portal SSL certificate
    Best Answer

    EMPLOYEE
    Posted Jan 23, 2012 08:58 PM

    My advice would be that you NOT generate the CSR on the controller, because we specifically make it very difficult (if not impossible) to get the private key off the controller.  If you want to use the same certificate on multiple controllers, I would suggest following this workflow:

     

    1. Find a Unix box with OpenSSL on it

    2. Generate the private key

    3. Generate the CSR, using your desired hostname as the CN

    4. Get the certificate from the CA

    5. Put the certificate and private key back together as a PFX / PKCS#12 file, which will be password protected

    6. Load the resulting file on all your controllers

     

    There are lots of resources online to tell you how to do these common OpenSSL operations.  The one I typically refer to is here:  http://www.sslshopper.com/article-most-common-openssl-commands.html.  I'll cut and paste the important bits:

     

    • Generate a new private key and Certificate Signing Request
      openssl req -out CSR.csr -new -newkey rsa:2048 -nodes -keyout privateKey.key

     

    • Convert a PEM certificate file and a private key to PKCS#12 (.pfx .p12)

      openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt

     



  • 5.  RE: Multi-controller captive portal SSL certificate

    Posted Aug 28, 2014 04:33 AM

    Anyone know how to export and decrypt the private key?

     

    I'm unable to use Green's advised solution as I have to generate the CSR on the Aruba RAP itself, and need to store the certificates on USB flash drives.

     

    Would appreciate if someone with the knowledge could share the steps needed to get this done.



  • 6.  RE: Multi-controller captive portal SSL certificate

    EMPLOYEE
    Posted Aug 28, 2014 04:53 AM
    There are a lot of third party websites that you can use to do the csr. As Jon stated it is not easy to decrypt the pkey.


  • 7.  RE: Multi-controller captive portal SSL certificate

    Posted Aug 28, 2014 05:13 AM

    Thanks for your reply Troy, and I'm aware of the possibility to generate the CSR on either third party websites or with openssl.

    And I agree that this would be much easier.

     

    My challenge is that this is not an accepted resolution and I need to create the CSR on the Aruba RAP.

    I understand it will not be easy to decrypt the private key, but it should be possible.



  • 8.  RE: Multi-controller captive portal SSL certificate

    EMPLOYEE
    Posted Aug 28, 2014 07:28 AM
    The private key cannot be exported from the controller.


  • 9.  RE: Multi-controller captive portal SSL certificate

    Posted Aug 28, 2014 08:33 AM

    Does the same answer also apply to the RAP3?

    I have exported the private key through the "Generate & save support file" function on the Aruba RAP. But the private key is encrypted.

    Is there no way to decrypt it?



  • 10.  RE: Multi-controller captive portal SSL certificate

    EMPLOYEE
    Posted Aug 28, 2014 08:37 AM
    No you can't decrypt it by design. It uses the TPM module.


  • 11.  RE: Multi-controller captive portal SSL certificate

    Posted Feb 01, 2018 09:32 AM

    I have a question. 

    If the controller on which I had the certificate is dead:

    I get the new controller. I have the flashbackup from the old controller.

    I can just restore the flashbackup, and get the certificates on the new controller, correct?

     

    I had the certificate in the flashbackup in the path

    flashbackup1.tar\flash\certmgr\ServerCert\

    Can I just take this server certificate and upload it on the new controller?

    I was trying to do it, and it worked. I am not sure if this is the right way to do it.

     

    However, I was not able to upload this same server cert (taken from the flashbackup) for captive-portal to IAP, I don't know why. I had the message:

    err.png

     

     

    I just compared and checked the server cert from flashbackup, and the actual certificate. The private key was not the same. I wish to understand why?

     

     



  • 12.  RE: Multi-controller captive portal SSL certificate

    Posted Jul 13, 2012 08:56 PM
    I've tried this and I am receiving an error when trying to upload the cert in the controller. It's telling me that it is an invalid format.

    Is this correct? (-in certificate.crt = server cert received from CA. -certfile CACert.crt = root cert)

    Thanks in advance.


  • 13.  RE: Multi-controller captive portal SSL certificate

    Posted Aug 04, 2012 12:36 AM

    I am getting this same error.

    Anyone have an update?



  • 14.  RE: Multi-controller captive portal SSL certificate

    EMPLOYEE
    Posted Aug 05, 2012 11:47 PM

    Please contact support if you need to get this done sooner, rather than later..

     



  • 15.  RE: Multi-controller captive portal SSL certificate

    Posted Sep 07, 2012 12:31 AM

    Support was very helpful with this resolution.  Once you get the cert from the CA don't do the last step.  Get the intermediate and merge them together putting the intermediate above the server cert in the same file.

     

    Similar to this:

    -----BEGIN PRIVATE KEY-----
    MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQC3bNP/cwKFtPzp
    8POlTne123asSgV4tn97zzScVoyhrEsPz7SggL3B40RFb/sMsGbJnDIYer+ZuzxV

    -----END PRIVATE KEY-----
    -----BEGIN CERTIFICATE-----
    MIIFJTCCBA2gAwIBAgIETB2bFzANBgkqhkiG9w0BAQUFADCBsTELMAkGA1UE
    BhMCVVMxFjAUBgNVBAoTDUVudHJ1c3QsIEluYy4xOTA3BgNVBAsTMHd3dy5l

    -----END CERTIFICATE-----

     

    Save the file and you should be able to upload it without any issues.  Worked for me and now have this same cert on 3 controllers and adding it to more.
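
The off-controller workflow from the best answer (steps 2 to 5) and the single-PEM layout from the last post, put together as an added example that is not code from any poster or from Aruba. The hostname, file locations and passphrase are constructed placeholders, and a throwaway local CA stands in for the real CA (and for the intermediate) so the script runs offline; `key_matches_cert` is a hypothetical helper name for the key/certificate pairing check worth running before any upload.

```shell
#!/bin/sh
# Added example. Hostname, file names and passphrase are constructed placeholders.
set -eu
umask 077                                   # key material readable by owner only
CN="portal.example.edu"
WORK=$(mktemp -d)
export PFX_PASS="constructed-passphrase"    # read via env: so it is not in argv

# Steps 2-3: private key and CSR generated off the controller.
make_key_and_csr() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$CN" \
        -keyout "$WORK/privateKey.key" -out "$WORK/CSR.csr" 2>/dev/null
}

# Step 4 stand-in: a throwaway CA signs the CSR so this runs offline.
sign_with_test_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Constructed Test CA" \
        -keyout "$WORK/ca.key" -out "$WORK/CACert.crt" 2>/dev/null
    openssl x509 -req -in "$WORK/CSR.csr" -days 1 -CA "$WORK/CACert.crt" \
        -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/certificate.crt" 2>/dev/null
}

# SHA-256 over the public key taken from a private key / from a certificate.
pub_hash_key()  { openssl pkey -in "$1" -pubout | openssl sha256 | awk '{print $NF}'; }
pub_hash_cert() { openssl x509 -in "$1" -noout -pubkey | openssl sha256 | awk '{print $NF}'; }

# Succeeds only when key $1 is the key certified by certificate $2.
key_matches_cert() { [ "$(pub_hash_key "$1")" = "$(pub_hash_cert "$2")" ]; }

# Step 5: password-protected PKCS#12 for upload to every controller.
make_pfx() {
    openssl pkcs12 -export -out "$WORK/certificate.pfx" -passout env:PFX_PASS \
        -inkey "$WORK/privateKey.key" -in "$WORK/certificate.crt" \
        -certfile "$WORK/CACert.crt"
}

# Single-PEM layout from the last post: key, then intermediate, then server cert.
make_pem_bundle() {
    cat "$WORK/privateKey.key" "$WORK/CACert.crt" "$WORK/certificate.crt" \
        > "$WORK/bundle.pem"
}

make_key_and_csr
sign_with_test_ca
key_matches_cert "$WORK/privateKey.key" "$WORK/certificate.crt" || { echo "key/cert mismatch" >&2; exit 1; }
make_pfx
make_pem_bundle
echo "artifacts in $WORK"
```

Both output files contain the private key in recoverable form, so they need the same handling as the key itself once the controllers have been loaded.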