Occasional Contributor I

CPSec Switch-Cert and Factory-Cert

Hi!

We are currently installing a new WLAN for a large public customer with 2500+ APs. Control plane security is enabled and we have observed that some APs are provisioned with "factory-cert" and some are using the "switch-cert".

My understanding is, if the AP is coming with a pre-installed factory certificate, this will be used for CPsec; if it is coming without, the switch certificate is installed.

Now the customer has concerns that the factory-cert may be less secure than the switch-cert.

Therefore my question, what is the factory-cert? Is it a default one which is used for all APs or is it an individual certificate for every AP?

If it is a default certificate, which would be less secure, is there a way to delete it from the AP to force the installation of the switch certificates?

Thanks a lot for every answer!

Best regards

Markus

Aruba

Re: CPSec Switch-Cert and Factory-Cert

The "factory-cert" is unique to each AP and stored on the TPM chip of the AP. When using control plane security, this is typically the certificate used to identify/authorize the AP. APs without a TPM chip will typically be issued a "switch-cert" from the controller.

Below is an example of a factory cert on an AP-225 TPM. The CN (Common Name) is unique to the serial number/MAC Address of the AP (altered below).

Version :3
Serial Number :33:5B:2B:7E:00:00:00:51:BC:60
Issuer :/UID=com/UID=arubanetworks/UID=dc-device-ca5/CN=device-ca5
Subject :/CN=CT078XXXX::84:d4:7e:XX:XX:XX
Issued On :Nov 12 05:23:28 2015 GMT
Expires On :Sep 14 03:21:14 2032 GMT
Signed Using :SHA1-RSA
RSA Key size :2048 bits

------------------------------------------------
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX
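
Added example, not part of the original thread or Aruba's tooling: a Python check that every factory-cert in a fleet has its own subject and that the MAC in the CN matches the AP it was collected from. It assumes the certificate details were saved as text in the field layout quoted above; `parse_dump`, `audit_fleet`, `make_dump` and the sample serials and MACs are constructed for illustration.

```python
# Added example: fleet check that each AP's factory-cert subject is its own.
import re

# Subject layout from the reply above: /CN=<serial>::<MAC>
SUBJECT = re.compile(r"^/CN=([^:]+)::((?:[0-9a-f]{2}:){5}[0-9a-f]{2})$", re.I)

def parse_dump(text):
    """Turn 'Name :value' lines into a dict; only the first ':' separates."""
    fields = {}
    for line in text.splitlines():
        name, sep, value = line.partition(":")
        if sep:
            fields[name.strip()] = value.strip()
    return fields

def audit_fleet(dumps):
    """dumps maps each AP's inventory MAC to its certificate text.
    Returns a list of (inventory MAC, problem) tuples."""
    findings, seen = [], {}
    for mac, text in dumps.items():
        subject = parse_dump(text).get("Subject", "")
        m = SUBJECT.match(subject)
        if not m:
            findings.append((mac, "subject is not /CN=<serial>::<MAC>"))
            continue
        if m.group(2).lower() != mac.lower():
            findings.append((mac, "CN MAC differs from inventory MAC"))
        seen.setdefault(subject.lower(), []).append(mac)
    for macs in seen.values():
        if len(macs) > 1:  # one identity presented by several APs
            findings.extend((mac, "subject shared with another AP") for mac in macs)
    return findings

def make_dump(serial, cn_mac):
    """Constructed sample text in the quoted layout (not real device output)."""
    return ("Version :3\n"
            "Issuer :/UID=com/UID=arubanetworks/UID=dc-device-ca5/CN=device-ca5\n"
            f"Subject :/CN={serial}::{cn_mac}\n"
            "RSA Key size :2048 bits\n")

SAMPLE = {  # constructed serials and MACs
    "84:d4:7e:00:00:01": make_dump("CT0780001", "84:d4:7e:00:00:01"),
    "84:d4:7e:00:00:02": make_dump("CT0780002", "84:d4:7e:00:00:02"),
    "84:d4:7e:00:00:03": make_dump("CT0780002", "84:d4:7e:00:00:02"),  # copied identity
}

if __name__ == "__main__":
    for mac, problem in audit_fleet(SAMPLE):
        print(mac, problem)
```
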

Occasional Contributor I

Re: CPSec Switch-Cert and Factory-Cert

Hi!

Thanks very much for the answer, I was not able to find that information anywhere else!

So I can convince the customer that the factory-cert is secure and we don't need to worry about that!

Thanks again!

Markus
