Wireless Access

I've read through countless posts within this forum in this same topic: how to upload a certificate to an AP and apply it to the captive portal.  Specifically, I'm attempting to upload a self-signed certificate, but continue to receive the error: Unable to Upload Certificate File: The file xxxxx was not uploaded because it is not a properly formatted certificate file. 

That seems clear enough, so I've tried to follow various instructions from similar posts in this forum on how to properly format such a certifcate, but have been unsuccessful thus far to succesfully upload a certificate.  I've succefully uploaded the same certificates I've generated as CA certificate's, but that's obviosuly not helpful.  I've tried uploading pem, crt, cer, all X509, but all fail. 

Here is the general OpenSSL comman that I've been running, in different variations, in an attempt to get this to work:

openssl req -newkey rsa:2048 -nodes -keyout mykey.key -x509 -days 365 -out mycert.crt

I've then combined the key and crt file together, with the cert on top and the key on the bottom, and saved that as a pem.  That doesn't work, unfortunately. 

Here are some details on what I'm working with:

ArubaOS (MODEL: 105), Version 6.4.4.8-4.2.4.9

 I think that's actually all that's needed.  I'd appreciate any thoughts or suggestions and will be prompt in my response!

Are you trying to upload a Captive Portal certificate, or a certificate for Radius Termination?

A captive portal certificate.

I've been trying for hours, but  finally stumbled upon this guide here: https://community.arubanetworks.com/t5/Controller-Based-WLANs/How-do-I-replace-the-default-Aruba-SSL-certificate/ta-p/178060.  I was unaware that I actually needed to have a CA signoff on my self-signed cert in order for the ap to accept it for captive portal usage.  I've followed those instructions and was able to succesfully upload the self-signed cert.

If anyone has trouble running the commands listed in the linked guide, there's one minor error (missing capitalization).  I'm posting the corrected series of commands below:

openssl genrsa -des3 -out ca.key 2048
openssl req -new -x509 -days 1825 -key ca.key -out ca.cer
openssl genrsa -des3 -out server.key 2048
openssl req -new -key server.key -out server.csr
openssl x509 -req -days 365 -in server.csr -CA ca.cer -CAkey ca.key -set_serial 01 -out server.cer
openssl rsa -in server.key -out server.key.unsecure
cat server.key.unsecure server.cer > server.pem

I'll be honest....Captive Portal is typically for guests.  If you upload a self-signed cert to a Captive Portal, none of your guests will trust that certificate either.  They will still get an error.  You would have to upload a public certificate that everyone trusts.

A public CA-signed captive portal certificate is required for guest workflows.

Correct.  However, I was trying to address a very specific issue, which I should have led with in my OP, which was to allow Apple-based products to access our guest network.  After some recent iOS updates (I think they were a few months ago, but this issue just fell on my lap recently), users of mobile Apple products would not be allowed to bypass certificate warnings if the warning was for a revoked-certificate.  So, we had a number of users complaining that they could not access the guest network, though they were able to at a previous period of time by simply accepting to continue onto the site, even though the cert wasn't trusted/valid.  I'm not too concerned about that the certs won't be trusted by the guest's devices, but with the new update, they couldn't bypass that warning screen and reach the captive portal at all.  

Eventually, we'll likely get publicly signed certs for the captive portal's, but since I don't own our public DNS, and going through that process would require some internal work, this resolution is the best way back to normal operations.