Wired Networks

Built-in certificate in older releases of ArubaOS expires on 21st Nov, 2013

For legacy controllers (200, 800, 2400, SC1 and SC2) running ArubaOS version earlier than 5.0.4.13. For non-legacy controllersrunning ArubaOS version earlier than 6.1.3.9. For Mobility Access Switches running MASOS version earlier than 7.2.3.1.

 

The ArubaOS operating system loaded on all Aruba Mobility Controllers contains a pre-loaded digital certificate with the name “securelogin.arubanetworks.com”. This certificate was issued by a public certificate authority (CA) that is trusted by most browsers and operating systems.

By default the certificate is used for the controller’s management interface (WebUI), captive portal, and EAP termination. This certificate is intended for quickly setting up lab networks, demonstrations, and proof-of-concept deployments. As stated in the user guide, the default certificate is not intended for production deployment,

On November 21, 2013, this built-in certificate in older releases of ArubaOS would expire.

Aruba Networks recommends the following two options, in order of preference, to replace the default certificate installed on the controllers.

Option 1: Replace the default certificate with a certificate issued by an internal certificate authority or a public certificate authority. *This option provides the greatest security*.

Option 2: Upgrade ArubaOS software

On Mobility Controllers running :
 

  • 6.1.3.8 and earlier – upgrade to ArubaOS 6.1.3.9 or later
  • 5.0.4.12 and earlier – upgrade to ArubaOS 5.0.4.13 or later


On Mobility Access Switches running :
 

  • 7.2.3.0 and earlier – upgrade to ArubaOS 7.2.3.1 (available Oct 30, 2013)

 

For legacy controllers (200, 800, 2400, SC1 and SC2)  running ArubaOS 5.0 releases it is no longer possible to get a trusted certificate as these release only support 1024-bit  and as of today all the trusted certificate-authorities require 2048-bit keys as a minimum to issue certificates that are trusted by most browsers.

These controllers can be upgraded to ArubaOS 5.0.4.13 build that includes a self-signed certificate (so, no longer trusted) and changes need to be done on client-end to accept the self-signed certificate.
The default "Server Certificate" in older ArubaOS releases installed on your Mobility Controllers and Mobility Access Switches will expire on November 21, 2013.


NOTE:
 

  • Aruba 800 Controller need to be upgraded to ArubaOS 5.0.4.14 to obtain a self-signed certificate with 2017 as expiry.
  • Controller running 3.x FIPS code version can be upgrade to ArubaOS 3.4.5.2 –FIPS to get the certificate validity till 2017.

 

Below link takes to the related Youtube video which helps to determine if the default certificate is being used for controller’s management interface (WebUI), captive portal, and EAP termination:

 

 

http://youtube.com/watch?v=aIrMqgiI82M



 





To get the official document, visit Aruba support site and click on the "Announcement" as shown in the following image:

 

 rtaImage.jpg

 

Version history
Revision #:
2 of 2
Last update:
‎06-25-2014 03:09 PM
Updated by:
 
Labels (1)
Contributors
Search Airheads
Showing results for 
Search instead for 
Did you mean: 
Is this a frequent problem?

Request an official Aruba knowledge base article to be written by our experts.