CPSec Switch-Cert and Factory-Cert

We are currently installing a new WLAN for a large public customer with 2500+ APs. Control plane security is enabled and we have observed that some APs are provisioned with "factory-cert" and some are using the "switch-cert".


My understanding is that if the AP comes with a pre-installed factory certificate, this is used for CPsec; if it comes without one, the switch certificate is installed.


Now the customer has concerns that the factory-cert may be less secure than the switch-cert.


Therefore my question: what is the factory-cert? Is it a default one used for all APs, or an individual certificate for every AP?


If it is a default certificate, which would be less secure, is there a way to delete it from the AP to force installation of the switch certificates?


Re: CPSec Switch-Cert and Factory-Cert

The "factory-cert" is unique to each AP and stored on the TPM chip of the AP. When using control plane security, this is typically the certificate used to identify/authorize the AP. APs without a TPM chip will typically be issued a "switch-cert" from the controller.


Below is an example of a factory cert on an AP-225 TPM. The CN (Common Name) is unique to the serial number/MAC Address of the AP (altered below).


Version :3
Serial Number :33:5B:2B:7E:00:00:00:51:BC:60
Issuer :/UID=com/UID=arubanetworks/UID=dc-device-ca5/CN=device-ca5
Subject :/CN=CT078XXXX::84:d4:7e:XX:XX:XX
Issued On :Nov 12 05:23:28 2015 GMT
Expires On :Sep 14 03:21:14 2032 GMT
Signed Using :SHA1-RSA
RSA Key size :2048 bits
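An added audit helper, not from this thread or from Aruba, for a deployment of this size: it parses a cert summary in the layout shown above, confirms the CN is a per-AP serial::MAC identity that matches the inventory record for that AP, checks the issuer is an Aruba device CA, and flags expiry, short keys and SHA-1 signatures (the sample above is SHA1-RSA). SAMPLE_CERT values are constructed, and the serial/MAC format is assumed from the example shown.

```python
import re
from datetime import datetime, timezone

# Constructed sample in the layout the controller prints (serial/MAC made up).
SAMPLE_CERT = """\
Issuer :/UID=com/UID=arubanetworks/UID=dc-device-ca5/CN=device-ca5
Subject :/CN=CT0781234::84:d4:7e:aa:bb:cc
Issued On :Nov 12 05:23:28 2015 GMT
Expires On :Sep 14 03:21:14 2032 GMT
Signed Using :SHA1-RSA
RSA Key size :2048 bits
"""
# Per-AP identity: <serial>::<mac>, as in the factory cert shown above.
SUBJECT_RE = re.compile(
    r"^/CN=(?P<serial>[A-Z0-9]+)::(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})$", re.I)


def parse_cert_summary(text):
    """Turn 'Field :value' lines into a dict keyed by field name."""
    fields = {}
    for line in text.splitlines():
        if " :" in line:
            key, value = line.split(" :", 1)
            fields[key.strip()] = value.strip()
    return fields


def identity_matches(text, serial, mac):
    """True if the cert CN names exactly this AP (serial and MAC from inventory)."""
    m = SUBJECT_RE.match(parse_cert_summary(text).get("Subject", ""))
    return bool(m) and m["serial"] == serial.upper() and m["mac"].lower() == mac.lower()


def check_factory_cert(text, now=None):
    """Return findings; an empty list means a sane per-AP factory cert."""
    now = now or datetime.now(timezone.utc)
    f = parse_cert_summary(text)
    findings = []
    issuer = f.get("Issuer", "")
    if "arubanetworks" not in issuer or "device-ca" not in issuer:
        findings.append("issuer is not an Aruba device CA")
    if not SUBJECT_RE.match(f.get("Subject", "")):
        findings.append("subject CN is not <serial>::<mac>, so not a per-AP identity")
    expires = datetime.strptime(f["Expires On"].replace(" GMT", ""),
                                "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)
    if expires <= now:
        findings.append("certificate expired")
    if "SHA1" in f.get("Signed Using", "").upper():
        findings.append("signature uses SHA-1 (deprecated hash; record for risk review)")
    bits = int(f.get("RSA Key size", "0 bits").split()[0])
    if bits < 2048:
        findings.append(f"RSA key only {bits} bits")
    return findings
```

Run it over the cert summary of each AP together with its serial and MAC from the AP database; any AP whose CN does not match its own inventory record, or that yields findings beyond the SHA-1 note, is worth a closer look.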

Re: CPSec Switch-Cert and Factory-Cert



Thanks very much for the answer, I was not able to find that information anywhere else!


So I can convince the customer that the factory-cert is secure and we don't need to worry about that!


Thanks again!
