Frequent Contributor I
Posts: 91
Registered: ‎08-10-2015

Captive Portal Not using my Known CA Cert

I have a 3400 pair of controllers in HA. I am trying to install my known CA issued server cert and I'm running into some issues.

Note: based on some of my other installs on standalone controllers, I have appended the intermediate cert and the root CA to the server cert and also uploaded the intermediate and root CA to the controller individually. This was required to make things work before on other controllers.

Once everything was uploaded, I went to admin > general and chose my new cert in the drop down for captive portal. The webserver restarted and everything was good, but the captive portal is still serving the securelogin.arubanetworks.com cert.

I went to the standby node and noticed that the certs weren't there. I tried to upload the server cert there, but I get this:

Error Uploading Certificate: Cert missing private key and failed to find a key generated from a CSR request in the system to match it

The same cert uploaded fine on the primary box.

Can anyone point me in the right direction to correct this?

Thanks!

Guru Elite
Posts: 8,637
Registered: ‎09-08-2010

Re: Captive Portal Not using my Known CA Cert

Did you create the CSR on the primary box?

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Frequent Contributor I
Posts: 91
Registered: ‎08-10-2015

Re: Captive Portal Not using my Known CA Cert

Edit: WAIT - sorry, yes I did. It was months ago and the guy who buys our certs just finally sent the cert.

Frequent Contributor I
Posts: 91
Registered: ‎08-10-2015

Re: Captive Portal Not using my Known CA Cert

Can I use the same cert on the second box, or do I need to do a new CSR and get a new cert?

Guru Elite
Posts: 8,637
Registered: ‎09-08-2010

Re: Captive Portal Not using my Known CA Cert

So you have a p12/pfx file with the public and private keys?

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Guru Elite
Posts: 8,637
Registered: ‎09-08-2010

Re: Captive Portal Not using my Known CA Cert

You need to do the CSR external to the controller (DigiCert tool, open SSH, etc.), then export it with the private key, then import it to each controller.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Guru Elite
Posts: 8,637
Registered: ‎09-08-2010

Re: Captive Portal Not using my Known CA Cert

Use the same cert on each box. Use something generic as the CN, like network-login.domain.xyz. You'll need to do the CSR on an external box, then export the public key with the private key. You can then import it to each controller.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Frequent Contributor I
Posts: 91
Registered: ‎08-10-2015

Re: Captive Portal Not using my Known CA Cert

Is there no way to copy the CSR from the primary box to the other node via command line or anything?

Frequent Contributor I
Posts: 91
Registered: ‎08-10-2015

Re: Captive Portal Not using my Known CA Cert

The name is good since we're using the hostname of the VIP and that's where captive portal redirects the users when either node is active.

Guru Elite
Posts: 8,637
Registered: ‎09-08-2010

Re: Captive Portal Not using my Known CA Cert

No, you cannot export the private key from the controller. Also, just an FYI, the name of the cert does not need to match a DNS entry for the controller captive portal.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
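
Added example, not part of the original thread: the workflow from the replies above (CSR generated off the controller, certificate bundled with its private key, the same bundle imported on each node), sketched with the OpenSSL command line as the external tool. The choice of OpenSSL, the file names and the `P12_PASS` variable are assumptions; the CN is the generic one suggested in the thread.

```shell
#!/bin/sh
# Added example. File names are placeholders, not values from the thread.
umask 077   # private key and bundle must not be group/world readable

# make_key_and_csr <cn> <key_out> <csr_out>
# Generate the key pair OFF the controller so the private key stays exportable.
make_key_and_csr() {
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=$1" -keyout "$2" -out "$3"
}

# cert_matches_key <cert.pem> <key.pem>
# Succeeds only if the certificate's public key belongs to this private key.
# A box that holds the cert but not the matching key is the situation the
# standby's upload error describes.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# bundle_p12 <cert.pem> <key.pem> <out.p12> [chain.pem]
# The password is read from $P12_PASS so it never shows up in the process list.
bundle_p12() {
    cert_matches_key "$1" "$2" || { echo "cert does not match key" >&2; return 1; }
    if [ -n "${4:-}" ]; then
        openssl pkcs12 -export -in "$1" -inkey "$2" -certfile "$4" \
            -out "$3" -passout env:P12_PASS
    else
        openssl pkcs12 -export -in "$1" -inkey "$2" \
            -out "$3" -passout env:P12_PASS
    fi
}

# Typical run (left commented out; names are placeholders):
#   make_key_and_csr network-login.domain.xyz portal.key portal.csr
#   ... submit portal.csr to the CA, receive portal.crt and chain.pem ...
#   export P12_PASS   # set beforehand, e.g. read from a prompt
#   bundle_p12 portal.crt portal.key portal.p12 chain.pem
#   ... import portal.p12 on each controller ...
```

Keep the key and the resulting .p12 on a trusted host with restricted permissions, since anyone holding them can present the portal certificate.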