Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Wildcard cert creation, import, assignment?

  • 1.  Wildcard cert creation, import, assignment?

    Posted Sep 12, 2016 12:19 PM

    Hi,

    Per a recent announcement, we would like to stop using the default Aruba certificate for our captive portal and management UI.  Our method going forward is to buy a wildcard certificate for this purpose.

    Before we determined we wanted to use a wildcard, I created a CSR on one of our controllers, had it signed by our local CA, and imported it to the controller.  My question for the wildcard cert creation/import/assignment is:

    Do I have to create a CSR on each individual controller, then have it signed by the wildcard CA?

    Several other Airheads threads indicate the use of the OpenSSL CLI to create/manage these certs, but I was under the impression that a CSR must be generated on the device it will be used on.  Is that wrong?



  • 2.  RE: Wildcard cert creation, import, assignment?

    EMPLOYEE
    Posted Sep 12, 2016 12:22 PM
    You probably don't want to be using a privately signed cert for captive
    portal. All of your users will receive a certificate warning because they
    won't have the CA. You may want to consider getting a public wildcard that
    can be used across all of your controllers (Please check with your security
    team first).


  • 3.  RE: Wildcard cert creation, import, assignment?

    Posted Sep 12, 2016 12:27 PM

    Hey Tim,

    Thanks for the reply.  We have determined a public wildcard cert is what we're going with due to that exact reason.  Does that help clarify what I'm trying to do?

    Essentially I just need to know whether I need to create a CSR from each individual controller in our environment for signing from our wildcard CA.



  • 4.  RE: Wildcard cert creation, import, assignment?

    EMPLOYEE
    Posted Sep 12, 2016 12:30 PM
    You're referring to your CA. Is that a private or public CA?

    If you want to use a certificate across multiple controllers, you need to do
    the CSR on an external server like Linux or Windows so you can export the
    private key and then import it to each controller. If you already have a
    wildcard cert with private key, you just need to import it to each
    controller.


  • 5.  RE: Wildcard cert creation, import, assignment?

    Posted Sep 12, 2016 12:44 PM

    This will be a public CA, for example DigiCert.  So if I'm understanding this correctly, I'd need to:

    1. Create CSR on Linux system with OpenSSL

    2. Export CSR to DigiCert for wildcard signing

    3. Import signed certificate onto Aruba controllers

    4. Assign certificate for use on management UI and captive portal

    Looking over the certificate management document on Aruba's website and various options via the management UI, I don't see any option to upload a private key.



  • 6.  RE: Wildcard cert creation, import, assignment?
    Best Answer

    EMPLOYEE
    Posted Sep 13, 2016 02:59 AM

    Patrick,

    Don't use a wildcard certificate for your controller UI; especially not if you are using it to redirect or do captive portal authentication. The issue is that the controller will listen (intercept) for authentication on the Common Name (CN) of the installed certificate, which will be *.yourdomain.com, and you cannot point clients to there.

    Make sure that the certificate installed on the controller has a non-wildcard common name.

    Then, I would indeed go for generating the key pair and CSR on a (Linux) system with OpenSSL so you have access to the private key. If you use the controller to generate key and CSR you won't have access to the key and cannot install it on multiple controllers easily.

    To import the cert and the key, you will need to import it as a PKCS#12, which includes both key and certificate. If you already have OpenSSL, you can use that to create a PKCS#12 file with private key, public key and intermediate and root CA cert:

    # openssl pkcs12 honours only the last -certfile given, so put intermediate and root into one chain file first
    cat intermediate.server.ca.pem root-ca.pem > ca-chain.pem
    openssl pkcs12 -export -out ${CN}.p12 -inkey ${CN}.key -in ${CN}.crt -certfile ca-chain.pem

    There, either replace the ${CN} with the filename (without extension), or use the command: export CN=login.mydomain.com; and then run the command, if the .key and .crt are named like that.

    You will be asked for a password during this export, and it should match the password you enter in the WebUI during import.

    Summarized:

    - Don't use a wildcard for the controller WebUI

    - If you externally generate your certificate, import cert+key in PKCS#12 format.

    Hope this helps.



  • 7.  RE: Wildcard cert creation, import, assignment?

    EMPLOYEE
    Posted Sep 13, 2016 08:13 AM

    Herman - Wildcard certificates are fully supported for captive portal in controller-based environments.



  • 8.  RE: Wildcard cert creation, import, assignment?

    EMPLOYEE
    Posted Sep 13, 2016 10:58 AM

    So I missed the following knowledgebase article on wildcard certificates for captive portal: https://community.arubanetworks.com/t5/Controller-Based-WLANs/How-does-Aruba-Controller-work-with-wild-card-certificate-for/ta-p/203199

    The summary of this article is that the controller will listen for captiveportal-login.<yourdomain.name> for wildcard certificates. That works fine with the internal captive portal; and when using ClearPass external captive portal you will need to change the 'Address' in the ClearPass Guest Web login definition to that predefined name. So if your wildcard is *.mydomain.com, ClearPass should use captiveportal-login.mydomain.com.

    Just wanted to update my statement on wildcards and controllers.



  • 9.  RE: Wildcard cert creation, import, assignment?

    Posted Sep 13, 2016 12:17 PM

    So in your example here, I need the following to create a PKCS12 file:

    1. private key file generated with CSR (noted as -inkey ${CN}.key)

    2. wildcard certificate signed by DigiCert (noted as -in ${CN}.crt)

    3. intermediate CA cert (noted as -certfile intermediate.server.ca.pem)

    4. root CA cert (noted as -certfile root-ca.pem)

    It appears I can download the noted intermediate and root certificates via https://www.digicert.com/digicert-root-certificates.htm

    So I would just submit my CSR, sign it, download the intermediate/root certs, then compile all of the certs + private key into a PKCS12 file for import onto my controllers.  This also includes any passphrase I gave the private key during creation.

    Thanks for the help in figuring this out.  I'm sure I'm not the only one fumbling through this process right now :)



  • 10.  RE: Wildcard cert creation, import, assignment?

    EMPLOYEE
    Posted Sep 13, 2016 02:47 PM

    Patrick,

    Almost correct; the steps are correct.

    The passphrase for the private key (I typically don't set one), if set at key creation, will be asked for separately during the conversion to PKCS#12; so it will ask for the import key, which is set on the private key (if any), and the export key, which will be set on the p12. You can have them all the same, of course.



  • 11.  RE: Wildcard cert creation, import, assignment?

    EMPLOYEE
    Posted Sep 13, 2016 03:08 PM
    You should ALWAYS protect your private key with a strong password.
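    The PKCS#12 workflow from the best answer, with the separate key passphrase and export password discussed in the two replies above, as an added worked example that is not code from the thread or from Aruba. It assumes a throwaway root + intermediate CA as a stand-in for the public CA (DigiCert in the thread), a constructed non-wildcard name login.example.com, and constructed passwords; file names such as intermediate.server.ca.pem and root-ca.pem follow the thread, ca-chain.pem and the helper function names are this example's own. Because `openssl pkcs12` keeps only the last `-certfile` it is given, the chain is concatenated into one file before the export; the checks at the end confirm the bundle carries all three certificates and that the leaf chains to the root before anything is uploaded to a controller.

```shell
#!/bin/sh
# Added example, not code from the thread: build the PKCS#12 bundle the
# controller import expects from an externally generated key, a CA-signed
# certificate and the CA chain, then check the bundle before uploading it.
# A throwaway root + intermediate CA stands in for the public CA (DigiCert in
# the thread) so everything runs offline. Names and passwords are constructed.
set -eu

WORK="${WORK:-$(mktemp -d)}"
CN="login.example.com"         # assumed non-wildcard name for the controller
KEY_PASS="key-import-pass"     # passphrase on the private key (the "import" password)
P12_PASS="p12-export-pass"     # export password; must match what the WebUI asks for

# Stand-in CA hierarchy (demo only; a public CA does this part for you).
make_stand_in_ca() (
  cd "$WORK"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Root CA" \
    -keyout root-ca.key -out root-ca.csr 2>/dev/null
  openssl x509 -req -in root-ca.csr -signkey root-ca.key -days 3650 \
    -extfile ca.ext -out root-ca.pem 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate CA" \
    -keyout intermediate.key -out intermediate.csr 2>/dev/null
  openssl x509 -req -in intermediate.csr -CA root-ca.pem -CAkey root-ca.key \
    -CAcreateserial -days 1825 -extfile ca.ext -out intermediate.server.ca.pem 2>/dev/null
)

# Step 1: passphrase-protected key and CSR generated outside the controller,
# so the key stays in your hands and can be installed on every controller.
make_key_and_csr() (
  cd "$WORK"
  openssl genrsa -aes256 -passout "pass:$KEY_PASS" -out "$CN.key" 2048 2>/dev/null
  openssl req -new -key "$CN.key" -passin "pass:$KEY_PASS" -subj "/CN=$CN" \
    -addext "subjectAltName=DNS:$CN" -out "$CN.csr" 2>/dev/null
)

# Step 2: the CA signs the CSR (here the stand-in intermediate).
sign_csr() (
  cd "$WORK"
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' "$CN" > server.ext
  openssl x509 -req -in "$CN.csr" -CA intermediate.server.ca.pem -CAkey intermediate.key \
    -CAcreateserial -days 397 -extfile server.ext -out "$CN.crt" 2>/dev/null
)

# Step 3: one PKCS#12 holding key, certificate and chain. openssl pkcs12 keeps
# only the last -certfile given, so the chain is concatenated into one file.
# -passin is the key's passphrase, -passout the export password for the WebUI.
build_p12() (
  cd "$WORK"
  cat intermediate.server.ca.pem root-ca.pem > ca-chain.pem
  openssl pkcs12 -export -out "$CN.p12" -inkey "$CN.key" -passin "pass:$KEY_PASS" \
    -in "$CN.crt" -certfile ca-chain.pem -passout "pass:$P12_PASS"
)

# Pre-upload checks: the bundle should carry 3 certificates (server,
# intermediate, root) and the leaf must chain to the root.
p12_cert_count() {
  openssl pkcs12 -in "$WORK/$CN.p12" -passin "pass:$P12_PASS" -nokeys 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE'
}
leaf_chains_to_root() {
  openssl verify -CAfile "$WORK/root-ca.pem" -untrusted "$WORK/intermediate.server.ca.pem" \
    "$WORK/$CN.crt" >/dev/null 2>&1
}

make_stand_in_ca && make_key_and_csr && sign_csr && build_p12
echo "bundle: $WORK/$CN.p12  certificates in bundle: $(p12_cert_count)"
```

    With a real public CA you skip make_stand_in_ca and sign_csr, submit the CSR to the CA, and drop its intermediate and root certificates in place of the demo ones; the rest of the flow, including the two distinct passwords, is unchanged.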


  • 12.  RE: Wildcard cert creation, import, assignment?

    Posted May 11, 2017 12:09 PM

    Hi!

    I'm also using a wildcard certificate from a public CA on the CPPM and the Mobility Controller. The wildcard certificate, which I installed a year ago on the CPPM (where the installation is much more straightforward) and have now also installed successfully on the Mobility Controller, includes all the elements described above; I installed it as a PEM file and it looks correctly installed to me.

    The redirection field in the ClearPass Guest Self-Registration template points to: captiveportal-login.ourwildcarddomain.com

    On the controller I've activated the newly installed certificate for Captive Portal use. When I check it with show web-server profile I can see the correct value for the Captive Portal Certificate parameter.

    The problem is that the clients are still getting the certificate warning for 'securelogin.arubanetworks.com'.

    I've now read tons of articles, user guides and HowTos - what's still going wrong? Do I have to restart or activate anything?

    The problem with the revoked 'test' certificate 'securelogin.arubanetworks.com' is becoming more and more of a showstopper, as browsers on almost all devices now block it.

    Any ideas?

    With kind regards

    Manfred



  • 13.  RE: Wildcard cert creation, import, assignment?

    EMPLOYEE
    Posted May 11, 2017 12:42 PM
    What is the output of “show datapath fqdn”?


  • 14.  RE: Wildcard cert creation, import, assignment?

    Posted May 12, 2017 05:07 AM

    Hi!

    Today I found the problem - it's not possible to test the URL from the wired side.

    Our customer says that the redirection now works correctly without the certificate error message when a wireless client comes from the CPPM Self-Registration Portal.

    So it's solved - thank you!

    The output on the controller for "show datapath fqdn" is:

    Datapath FQDN Entries
    ---------------------
    captiveportal-login.ourwildcarddomain.com