Frequent Contributor I
Posts: 63
Registered: ‎03-17-2016

Wildcard cert creation, import, assignment?

Hi,

 

Per a recent announcement, we would like to stop using the default Aruba certificate for our captive portal and management UI.  Our method going forward is to buy a wildcard certificate for this purpose.

 

Before we determined we wanted to use a wildcard, I created a CSR on one of our controllers, had it signed by our local CA, and imported it to the controller.  My question for the wildcard cert creation/import/assignment is:

 

Do I have to create a CSR on each individual controller, then have it signed by the wildcard CA?

 

Several other Airheads threads indicate the use of OpenSSL CLI to create/manage these certs, but I was under the impression that a CSR must be generated on the device it will be used on.  Is that wrong?

Wireless newb
Guru Elite
Posts: 8,458
Registered: ‎09-08-2010

Re: Wildcard cert creation, import, assignment?

You probably don't want to be using a privately signed cert for captive
portal. All of your users will receive a certificate warning because they
won't have the CA. You may want to consider getting a public wildcard that
can be used across all of your controllers (Please check with your security
team first).

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Frequent Contributor I
Posts: 63
Registered: ‎03-17-2016

Re: Wildcard cert creation, import, assignment?

Hey Tim,

 

Thanks for the reply.  We have determined a public wildcard cert is what we're going with due to that exact reason.  Does that help clarify what I'm trying to do?

 

Essentially I just need to know whether I need to create a CSR from each individual controller in our environment for signing from our wildcard CA.

Wireless newb
Guru Elite
Posts: 8,458
Registered: ‎09-08-2010

Re: Wildcard cert creation, import, assignment?

You're referring to your CA. Is that a private or public CA?



If you want to use a certificate across multiple controllers, you need to do
the CSR on an external server like Linux or Windows so you can export the
private key and then import to each controller. If you already have a
wildcard cert with private key, you just need to import it to each
controller.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Frequent Contributor I
Posts: 63
Registered: ‎03-17-2016

Re: Wildcard cert creation, import, assignment?

This will be a public CA, for example DigiCert.  So if I'm understanding this correctly, I'd need to:

 

1. Create CSR on Linux system with OpenSSL

2. Export CSR to DigiCert for wildcard signing

3. Import signed certificate onto Aruba controllers

4. Assign certificate for use on management UI and captive portal

 

Looking over the certificate management document on Aruba's website and various options via the management UI, I don't see any option to upload a private key.

Wireless newb
MVP
Posts: 467
Registered: ‎11-04-2011

Re: Wildcard cert creation, import, assignment?

Patrick,

 

Don't use a wildcard certificate for your controller UI; especially not if you are using it to redirect or do captive portal authentication. The issue is that the controller will listen (intercept) for authentication on the Common Name (CN) of the installed certificate, which will be *.yourdomain.com, and you cannot point clients there.

 

Make sure that the certificate installed on the controller has a non-wildcard common-name.

 

Then, I would indeed go for generating the key pair and CSR on a (Linux) system with OpenSSL so you have access to the private key. If you use the controller to generate the key and CSR you won't have access to the key and cannot install it on multiple controllers easily.

 

To import the cert and the key, you will need to import it as a PKCS#12, which includes both key and certificate. If you already have OpenSSL, you can use that to create a PKCS#12 file with the private key, public key, an intermediate and root CA cert:

 

cat intermediate.server.ca.pem root-ca.pem > chain.pem   # openssl pkcs12 keeps only the last -certfile given, so put the intermediate and root CA certs into one chain file first
openssl pkcs12 -export -out ${CN}.p12 -inkey ${CN}.key -in ${CN}.crt -certfile chain.pem

There, either replace ${CN} with the file name (without extension), or run the command export CN=login.mydomain.com first and then run the command, if the .key and .crt files are named like that.

 

You will be asked for a password during this export, and it should match the password you enter in the WebUI during import.

 

Summarized:

- Don't use a wildcard for the controller WebUI

- If you externally generate your certificate, import cert+key in PKCS#12 format.

 

Hope this helps.

--
If you have urgent issues, please contact your Aruba partner or Aruba TAC.
Guru Elite
Posts: 8,458
Registered: ‎09-08-2010

Re: Wildcard cert creation, import, assignment?

Herman - Wildcard certificates are fully supported for captive portal in controller-based environments.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
MVP
Posts: 467
Registered: ‎11-04-2011

Re: Wildcard cert creation, import, assignment?

So I missed the following knowledge base article on wildcard certificates for captive portal: https://community.arubanetworks.com/t5/Controller-Based-WLANs/How-does-Aruba-Controller-work-with-wild-card-certificate-for/ta-p/203199

 

Summary of this article is that the controller will listen for captiveportal-login.<yourdomain.name> for wildcard certificates. That works fine with the internal captive portal; when using ClearPass external captive portal you will need to change your 'Address' in the ClearPass Guest Web login definition to that predefined name. So if your wildcard is *.mydomain.com, ClearPass should use captiveportal-login.mydomain.com.

 

Just wanted to update my statement on wildcards and controllers.

--
If you have urgent issues, please contact your Aruba partner or Aruba TAC.
Frequent Contributor I
Posts: 63
Registered: ‎03-17-2016

Re: Wildcard cert creation, import, assignment?

So in your example here, I need the following to create a PKCS12 file:

 

1. private key file generated with CSR (noted as -inkey ${CN}.key)

2. wildcard certificate signed by DigiCert (noted as -in ${CN}.crt)

3. intermediate CA cert (noted as -certfile intermediate.server.ca.pem)

4. root CA cert (noted as -certfile root-ca.pem)

 

it appears I can download the noted intermediate and root certificates via https://www.digicert.com/digicert-root-certificates.htm

 

So I would just submit my CSR, sign it, download the intermediate/root certs, then compile all of the certs + private key into a PKCS12 file for import onto my controllers.  This also includes any passphrase I gave the private key during creation.

 

Thanks for the help in figuring this out.  I'm sure I'm not the only one fumbling through this process right now :)

Wireless newb
MVP
Posts: 467
Registered: ‎11-04-2011

Re: Wildcard cert creation, import, assignment?

Patrick,

 

Almost correct; the steps are correct.

 

The passphrase for the private key (I typically don't set one), if set at key creation, will be asked for separately during the conversion to PKCS#12; so it will ask for the import key, which is set on the private key (if any), and the export key, which will be set on the .p12. You can of course have them all the same.

--
If you have urgent issues, please contact your Aruba partner or Aruba TAC.
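The procedure pieced together across this thread (off-box key and CSR, signed cert plus intermediate and root bundled into a PKCS#12 with an export password, then a check that the cert covers the captiveportal-login hostname), run end to end as an added example. This is not code from the thread or from Aruba: it assumes an OpenSSL 1.1.1+ CLI, the domain example.com, the export password "import-me", and it stands up a throwaway local root/intermediate CA in place of DigiCert so that it runs offline; with a real public CA you would submit the CSR to them and download their intermediate and root certs instead. Note that openssl pkcs12 honours only the last -certfile on the command line, so the chain is concatenated into one file first.

```shell
#!/bin/sh
# Added example, not from the Airheads thread: the off-box key/CSR/PKCS#12
# workflow discussed above, run end to end against a throwaway local CA that
# stands in for DigiCert (the chain below is constructed, not real).
# Assumptions: an OpenSSL 1.1.1+ CLI, the domain example.com, and the
# password "import-me" as the PKCS#12 export password.
set -e

WORK="${WORK:-$(mktemp -d)}"
WILDCARD='*.example.com'                        # CN of the wildcard cert (assumed domain)
PORTAL_HOST='captiveportal-login.example.com'   # name the controller listens on with a wildcard cert
P12_PASS='import-me'                            # export password, re-entered in the controller WebUI

# Step 1: key pair and CSR generated off-box, so the private key is ours and
# the same cert can be loaded on every controller. -nodes leaves the key
# unencrypted; if you do encrypt it, add -passin to the pkcs12 command below.
make_key_and_csr() {
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$WORK/wildcard.key" -out "$WORK/wildcard.csr" \
    -subj "/CN=$WILDCARD" 2>/dev/null
}

# Step 2 (stand-in for the DigiCert step): a constructed root + intermediate
# CA that will sign the CSR. With a public CA you skip this entirely.
make_stand_in_ca() {
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 30 \
    -keyout "$WORK/root-ca.key" -out "$WORK/root-ca.pem" \
    -subj '/CN=Stand-in Root CA' 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$WORK/intermediate.key" -out "$WORK/intermediate.csr" \
    -subj '/CN=Stand-in Intermediate CA' 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
  openssl x509 -req -in "$WORK/intermediate.csr" \
    -CA "$WORK/root-ca.pem" -CAkey "$WORK/root-ca.key" -CAcreateserial \
    -days 30 -extfile "$WORK/ca.ext" -out "$WORK/intermediate.server.ca.pem" 2>/dev/null
}

# Sign the CSR. A public CA puts the wildcard (and usually the bare domain)
# into the SAN; the stand-in CA does the same so hostname checks behave alike.
sign_csr() {
  printf 'subjectAltName=DNS:%s,DNS:example.com\nextendedKeyUsage=serverAuth\n' "$WILDCARD" > "$WORK/leaf.ext"
  openssl x509 -req -in "$WORK/wildcard.csr" \
    -CA "$WORK/intermediate.server.ca.pem" -CAkey "$WORK/intermediate.key" -CAcreateserial \
    -days 30 -extfile "$WORK/leaf.ext" -out "$WORK/wildcard.crt" 2>/dev/null
}

# Step 3: bundle key + leaf + chain as PKCS#12 for the controller import.
# openssl pkcs12 honours only the LAST -certfile on the command line, so the
# intermediate and root are concatenated into one chain file first.
build_p12() {
  cat "$WORK/intermediate.server.ca.pem" "$WORK/root-ca.pem" > "$WORK/chain.pem"
  openssl pkcs12 -export -out "$WORK/wildcard.p12" \
    -inkey "$WORK/wildcard.key" -in "$WORK/wildcard.crt" \
    -certfile "$WORK/chain.pem" -passout "pass:$P12_PASS"
  # On OpenSSL 3.x the default PKCS#12 encryption is AES-256/PBKDF2; if an
  # older appliance refuses the file, re-run this command with -legacy.
}

# Check before importing: the bundle opens with the export password, the leaf
# chains to the root, and the cert really covers the captive-portal hostname
# the controller will intercept for a wildcard cert.
verify_bundle() {
  openssl pkcs12 -in "$WORK/wildcard.p12" -passin "pass:$P12_PASS" \
    -nokeys -clcerts -out "$WORK/leaf-from-p12.pem" 2>/dev/null
  openssl verify -CAfile "$WORK/root-ca.pem" \
    -untrusted "$WORK/intermediate.server.ca.pem" "$WORK/leaf-from-p12.pem" >/dev/null
  openssl x509 -in "$WORK/leaf-from-p12.pem" -noout -checkhost "$PORTAL_HOST" | grep -q 'does match'
}

run_all() {
  make_key_and_csr
  make_stand_in_ca
  sign_csr
  build_p12
  verify_bundle
  echo "PKCS#12 ready for import: $WORK/wildcard.p12"
}

run_all
```

The import password the controller WebUI asks for is the -passout value; a passphrase on the private key itself (the "import key" from the last post) would be supplied separately with -passin on the pkcs12 command. The -checkhost step is the one worth keeping in a real run: if it prints "does NOT match", the name ClearPass or the controller will use is not covered by the certificate and clients will still see warnings.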