For legacy controllers (200, 800, 2400, SC1 and SC2) running ArubaOS version earlier than 18.104.22.168. For non-legacy controllersrunning ArubaOS version earlier than 22.214.171.124. For Mobility Access Switches running MASOS version earlier than 126.96.36.199.
The ArubaOS operating system loaded on all Aruba Mobility Controllers contains a pre-loaded digital certificate with the name “securelogin.arubanetworks.com”. This certificate was issued by a public certificate authority (CA) that is trusted by most browsers and operating systems.
By default the certificate is used for the controller’s management interface (WebUI), captive portal, and EAP termination. This certificate is intended for quickly setting up lab networks, demonstrations, and proof-of-concept deployments. As stated in the user guide, the default certificate is not intended for production deployment,
On November 21, 2013, this built-in certificate in older releases of ArubaOS would expire.
Aruba Networks recommends the following two options, in order of preference, to replace the default certificate installed on the controllers.
Option 1: Replace the default certificate with a certificate issued by an internal certificate authority or a public certificate authority. *This option provides the greatest security*.
Option 2: Upgrade ArubaOS software
On Mobility Controllers running :
- 188.8.131.52 and earlier – upgrade to ArubaOS 184.108.40.206 or later
- 220.127.116.11 and earlier – upgrade to ArubaOS 18.104.22.168 or later
On Mobility Access Switches running :
- 22.214.171.124 and earlier – upgrade to ArubaOS 126.96.36.199 (available Oct 30, 2013)
For legacy controllers (200, 800, 2400, SC1 and SC2) running ArubaOS 5.0 releases it is no longer possible to get a trusted certificate as these release only support 1024-bit and as of today all the trusted certificate-authorities require 2048-bit keys as a minimum to issue certificates that are trusted by most browsers.
These controllers can be upgraded to ArubaOS 188.8.131.52 build that includes a self-signed certificate (so, no longer trusted) and changes need to be done on client-end to accept the self-signed certificate.
The default "Server Certificate" in older ArubaOS releases installed on your Mobility Controllers and Mobility Access Switches will expire on November 21, 2013.
- Aruba 800 Controller need to be upgraded to ArubaOS 184.108.40.206 to obtain a self-signed certificate with 2017 as expiry.
- Controller running 3.x FIPS code version can be upgrade to ArubaOS 220.127.116.11 –FIPS to get the certificate validity till 2017.
Below link takes to the related Youtube video which helps to determine if the default certificate is being used for controller’s management interface (WebUI), captive portal, and EAP termination:
To get the official document, visit Aruba support site and click on the "Announcement" as shown in the following image: