Guru Elite
Posts: 8,447
Registered: ‎09-08-2010

Multi-controller captive portal SSL certificate

I did a CSR for my master controller and installed the certificate with the name wireless.xxx.yyy.edu. This is the name I would like to use as the URL for the captive portal redirect. How can I export the certificate with private key from the master to add to the local controllers?


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Guru Elite
Posts: 20,966
Registered: ‎03-29-2007

Re: Multi-controller captive portal SSL certificate

You have to generate a CSR for each controller, just like you would for each server in the real world....



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Guru Elite
Posts: 8,447
Registered: ‎09-08-2010

Re: Multi-controller captive portal SSL certificate

So I assume a second certificate with the same DNS name on a different controller wouldn't interfere? We'd like it to be lyndonwireless.xxx.yyy.zzz for all controllers.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Moderator
Posts: 243
Registered: ‎09-12-2007

Re: Multi-controller captive portal SSL certificate

My advice would be that you NOT generate the CSR on the controller, because we specifically make it very difficult (if not impossible) to get the private key off the controller.  If you want to use the same certificate on multiple controllers, I would suggest following this workflow:

 

1. Find a Unix box with OpenSSL on it

2. Generate the private key

3. Generate the CSR, using your desired hostname as the CN

4. Get the certificate from the CA

5. Put the certificate and private key back together as a PFX / PKCS#12 file, which will be password protected

6. Load the resulting file on all your controllers

 

There are lots of resources online to tell you how to do these common OpenSSL operations.  The one I typically refer to is here:  http://www.sslshopper.com/article-most-common-openssl-commands.html.  I'll cut and paste the important bits:

 

  • Generate a new private key and Certificate Signing Request
    openssl req -out CSR.csr -new -newkey rsa:2048 -nodes -keyout privateKey.key

 

  • Convert a PEM certificate file and a private key to PKCS#12 (.pfx .p12)
    openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt

 

---
Jon Green, ACMX, CISSP
Security Guy
Contributor I
Posts: 27
Registered: ‎05-13-2010

Re: Multi-controller captive portal SSL certificate

I've tried this and I am receiving an error when trying to upload the cert in the controller. It's telling me that it is an invalid format.

Is this correct? (-in certificate.crt = server cert received from CA. -certfile CACert.crt = root cert)

Thanks in advance.
New Contributor
Posts: 1
Registered: ‎08-03-2012

Re: Multi-controller captive portal SSL certificate

I am getting this same error.

Anyone have an update?

Guru Elite
Posts: 20,966
Registered: ‎03-29-2007

Re: Multi-controller captive portal SSL certificate

Please contact support if you need to get this done sooner rather than later.

 



Colin Joseph
Aruba Customer Engineering


Contributor I
Posts: 27
Registered: ‎05-13-2010

Re: Multi-controller captive portal SSL certificate

Support was very helpful with this resolution.  Once you get the cert from the CA don't do the last step.  Get the intermediate and merge them together putting the intermediate above the server cert in the same file.

 

Similar to this:

-----BEGIN PRIVATE KEY-----
MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQC3bNP/cwKFtPzp
8POlTne123asSgV4tn97zzScVoyhrEsPz7SggL3B40RFb/sMsGbJnDIYer+ZuzxV

-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIIFJTCCBA2gAwIBAgIETB2bFzANBgkqhkiG9w0BAQUFADCBsTELMAkGA1UE
BhMCVVMxFjAUBgNVBAoTDUVudHJ1c3QsIEluYy4xOTA3BgNVBAsTMHd3dy5l

-----END CERTIFICATE-----

 

Save the file and you should be able to upload it without any issues.  Worked for me and now have this same cert on 3 controllers and adding it to more.
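The moderator's workflow (steps 2 to 5) and the PEM merge described in the post above, as an added example that is not code from any poster or from Aruba. A throwaway test CA stands in for the real CA, the bundle order follows the wording of the post above, and the hostname, password and the `ca.key` and `bundle.pem` file names are assumptions.

```shell
#!/bin/sh
# Added example: hostname, password and CA below are constructed placeholders.
set -eu
umask 077                       # key files readable by the owner only
HOST="wireless.example.edu"     # assumed CN; use the portal's real name
export PFX_PASS="change-me"     # assumed PKCS#12 password (placeholder)

make_key_and_csr() {            # steps 2-3: key + CSR with the CN
  openssl req -new -newkey rsa:2048 -nodes -keyout privateKey.key \
    -out CSR.csr -subj "/CN=$HOST" 2>/dev/null
}

sign_with_test_ca() {           # step 4 stand-in: throwaway CA, not a real one
  openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key \
    -out CACert.crt -subj "/CN=Constructed Test CA" -days 1 2>/dev/null
  openssl x509 -req -in CSR.csr -CA CACert.crt -CAkey ca.key \
    -CAcreateserial -out certificate.crt -days 1 2>/dev/null
}

key_matches_cert() {            # public key in the cert must equal the key's
  k=$(openssl pkey -in privateKey.key -pubout | openssl sha256)
  c=$(openssl x509 -in certificate.crt -noout -pubkey | openssl sha256)
  [ "$k" = "$c" ]
}

make_pfx() {                    # step 5: password-protected PKCS#12
  openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key \
    -in certificate.crt -certfile CACert.crt -passout env:PFX_PASS
}

pfx_cert_count() {              # certificates actually inside the PFX
  openssl pkcs12 -in certificate.pfx -passin env:PFX_PASS -nokeys \
    2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

make_pem_bundle() {             # PEM alternative: key, CA cert, server cert
  cat privateKey.key CACert.crt certificate.crt > bundle.pem
}

build_all() {
  cd "$(mktemp -d)"
  make_key_and_csr && sign_with_test_ca && key_matches_cert &&
    make_pfx && make_pem_bundle
}

build_all
echo "artifacts written to $PWD"
```

`privateKey.key` and `bundle.pem` hold the key unencrypted, so remove them from the build host once every controller has the certificate loaded.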

New Contributor
Posts: 3
Registered: ‎08-27-2014

Re: Multi-controller captive portal SSL certificate

Anyone know how to export and decrypt the private key?

 

I'm unable to use Green's advised solution as I have to generate the CSR on the Aruba RAP itself, and need to store the Certificates on USB Flash Drives.

 

Would appreciate if someone with the knowledge could share the steps needed to get this done.

Aruba
Posts: 1,542
Registered: ‎06-12-2012

Re: Multi-controller captive portal SSL certificate

There are a lot of third-party websites that you can use to do the CSR. As Jon stated, it is not easy to decrypt the pkey.
Thank You,
Troy
