Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Multiple Controllers, One CA Certificate

  • 1.  Multiple Controllers, One CA Certificate

    Posted Mar 09, 2012 02:29 PM

    Hi everyone,

    I hope you can help me with this issue...

    I have 6 controllers over the network, and I have only one VeriSign certificate which is working right (this is working in Captive Portal). I want to deploy the same certificate on the other controllers, but when I try to upload it, the "Error Uploading Certificate: Cert public key did not match the private key in the CSR store" error message appears.

    How can I do that?

    Thanks



  • 2.  RE: Multiple Controllers, One CA Certificate

    Posted Mar 09, 2012 03:29 PM

    When you generate a CSR (certificate signing request) on a controller, a private key and a public key are generated. The private key is local to the controller and it is the public key that is sent to VeriSign for signature. When you load this certificate on another controller, it won't have the private key pair for this certificate and this is the reason you see this error. If you have 6 controllers you will need separate certificates.

    Note: Remember the certificate common name is matched to the domain name of the controller. So if the certificate common name is x.company.com you should log in to x.company.com to eliminate the certificate warning message seen on the user's browser. If you log in to the controller with its IP instead of x.company.com you will still see the warning. If your purpose is to eliminate the certificate warning message seen on the user's browser you will need separate certificates.



  • 3.  RE: Multiple Controllers, One CA Certificate

    Posted Mar 16, 2012 10:46 AM

    On one occasion I have generated a new certificate for the same domain name using a different CSR. If VeriSign allows that you should be able to follow the procedure below.

    This is cut from a previous post by Jon Green:

    My advice would be that you NOT generate the CSR on the controller, because we specifically make it very difficult (if not impossible) to get the private key off the controller.
    If you want to use the same certificate on multiple controllers, I would suggest following this workflow:
    
    1. Find a Unix box with OpenSSL on it
    2. Generate the private key
    3. Generate the CSR, using your desired hostname as the CN
    4. Get the certificate from the CA
    5. Put the certificate and private key back together as a PFX / PKCS#12 file, which will be password protected
    6. Load the resulting file on all your controllers
    
    There are lots of resources online to tell you how to do these common OpenSSL operations.  The one I typically refer to is here: 
    http://www.sslshopper.com/article-most-common-openssl-commands.html.
    
    I'll cut and paste the important bits:
    
    * Generate a new private key and Certificate Signing Request
     * openssl req -out CSR.csr -new -newkey rsa:2048 -nodes -keyout privateKey.key
    
    * Convert a PEM certificate file and a private key to PKCS#12 (.pfx .p12)
     * openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt
    
    ---
    Jon Green, ACMX, CISSP
    Product Manager, Security
    Aruba Networks
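As an added example (not from the thread or from Aruba), the off-controller workflow above run end to end with OpenSSL, including the check that the thread's error message is really about: whether the certificate's public key is the public half of the private key it is bundled with. A throwaway local CA stands in for VeriSign so the script runs offline; the CN, file names and PFX password are assumptions.

```shell
# Added example, not from the thread: Jon Green's off-controller workflow
# run end to end with OpenSSL. A throwaway local CA stands in for VeriSign
# so it runs offline; CN, file names and the PFX password are assumptions.
set -eu

WORK="${WORK:-$(mktemp -d)}"
CN="captive.example.com"   # assumed hostname the captive portal is reached at
PFX_PASS="changeit"        # assumed export password for the .pfx

# Steps 1-3: private key and CSR are generated here, never on a controller.
gen_key_and_csr() {
  openssl req -out "$WORK/CSR.csr" -new -newkey rsa:2048 -nodes \
    -keyout "$WORK/privateKey.key" -subj "/CN=$CN" 2>/dev/null
}

# Step 4 (stand-in for the CA): a constructed root signs the CSR.
issue_cert() {
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 365 -keyout "$WORK/ca.key" \
    -out "$WORK/CACert.crt" -subj "/CN=Constructed Test CA" 2>/dev/null
  openssl x509 -req -in "$WORK/CSR.csr" -CA "$WORK/CACert.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 365 -out "$WORK/certificate.crt" 2>/dev/null
}

# The check behind the thread's error: the cert's public key must be the public
# half of the private key. Compares SHA-256 of the DER public keys; non-zero on mismatch.
key_matches_cert() {
  k=$(openssl pkey -in "$1" -pubout -outform DER | openssl dgst -sha256 | awk '{print $NF}')
  c=$(openssl x509 -in "$2" -pubkey -noout | openssl pkey -pubin -pubout -outform DER \
      | openssl dgst -sha256 | awk '{print $NF}')
  [ "$k" = "$c" ]
}

# Step 5: bundle cert, key and CA chain into one password-protected PKCS#12.
make_pfx() {
  openssl pkcs12 -export -out "$WORK/certificate.pfx" -inkey "$WORK/privateKey.key" \
    -in "$WORK/certificate.crt" -certfile "$WORK/CACert.crt" -passout "pass:$PFX_PASS"
}

# Confirm the bundle carries both halves, which is what makes it portable.
pfx_has_key_and_cert() {
  out=$(openssl pkcs12 -in "$WORK/certificate.pfx" -nodes -passin "pass:$PFX_PASS")
  printf '%s\n' "$out" | grep -q 'BEGIN CERTIFICATE' && printf '%s\n' "$out" | grep -q 'PRIVATE KEY'
}
# Step 6 (loading the .pfx on each controller) happens in the controller UI.
run_all() {
  gen_key_and_csr && issue_cert \
    && key_matches_cert "$WORK/privateKey.key" "$WORK/certificate.crt" \
    && make_pfx && pfx_has_key_and_cert
}
```

Running `key_matches_cert` against a key that did not produce the CSR fails, which is the situation the first post hit when uploading one controller's certificate to another.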