07-11-2014 02:59 AM
Regarding RAP communication with the controller: the RAP can use the factory-installed certificate to establish the VPN to the controller. Is there a way to change that certificate and use another? So far I couldn't find any document or option for that, but I wanted a 100% sure answer.
07-11-2014 07:58 AM
No, the certificate authentication between the RAP and the controller depends on the factory certificate that is installed in the TPM.
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX
11-17-2015 03:05 PM
You can replace the RAP factory certificates - it was a requirement from our security team...
We've imported our org CA cert and have an org-signed cert on the controller (Config / Certificates).
That signed cert is then used for the IKE Server Certificate (Advanced Services / VPN Services); we then added the org CA cert to the CA Certificate Assigned for VPN-Clients.
After the RAP converted initially, we target rapconsole.arubanetworks.com via a WLAN connection to the RAP (made a change to the default policy to allow local HTTP console access).
Then on the Certificate tab, we upload our CA signer cert, generate and sign the CSR on the RAP, and after a reboot they associate with the flags R2uE when they connect to the staging controller.
We have a staging controller that still allows the factory cert and our cert for the RAP connectivity; after the RAPs are validated as R2uE we then associate them with one of our Prod Internet-facing controllers where the factory certificate has been removed as an IKE Server Certificate (there is an additional command to remove the factory cert for the IKE Server Cert; you can't do this in the UI - talk to your SE).
Though now for us, if you reset the RAP you can no longer use it externally; you have to bring it back in to our bench area to re-associate it with the staging controller and go through the process of getting a new cert, as a reset wipes any non-factory certs.... Also I believe I've read that there is SCEP in the works to make this a whole lot smoother?
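The PKI side of the procedure above (sign the CSR the RAP generates with the org CA, then confirm the result chains to the org CA and not to a factory CA), as an added openssl illustration. This is not Aruba tooling and not the poster's own commands: the org CA, the "factory" stand-in CA and the RAP key pair are all generated locally here so it runs offline, and the names `make_ca`, `make_rap_csr`, `sign_rap_csr` and `verify_rap_cert` are this example's own.

```shell
#!/bin/sh
# Constructed example: stand-in CAs and a stand-in RAP CSR, signed and
# verified with openssl. Nothing here is an Aruba command.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# make_ca <name> <CN>: self-signed CA. "org" stands in for the org CA that
# gets imported on the controller; "factory" stands in for the factory CA
# the prod controllers stop trusting.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/O=Example Org/CN=$2" \
    -keyout "$WORK/$1-ca.key" -out "$WORK/$1-ca.crt" >/dev/null 2>&1
}

# make_rap_csr <rap-id>: stands in for the CSR generated on the RAP's
# Certificate tab (key pair generated here only so the example runs).
make_rap_csr() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/O=Example Org/CN=rap-$1" \
    -keyout "$WORK/rap-$1.key" -out "$WORK/rap-$1.csr" >/dev/null 2>&1
}

# sign_rap_csr <ca-name> <rap-id>: issue the RAP certificate from the chosen CA.
sign_rap_csr() {
  openssl x509 -req -in "$WORK/rap-$2.csr" \
    -CA "$WORK/$1-ca.crt" -CAkey "$WORK/$1-ca.key" -CAcreateserial \
    -days 365 -sha256 -out "$WORK/rap-$2.crt" >/dev/null 2>&1
}

# verify_rap_cert <ca-name> <rap-id>: exit 0 only if the RAP cert chains to
# that CA. This is the check a controller trusting only the org CA performs.
verify_rap_cert() {
  openssl verify -CAfile "$WORK/$1-ca.crt" "$WORK/rap-$2.crt" >/dev/null 2>&1
}

# cert_issuer <rap-id>: print the issuer DN of the signed RAP cert.
cert_issuer() {
  openssl x509 -noout -issuer -in "$WORK/rap-$1.crt"
}

# Stand-alone run: org-signed RAP cert verifies against the org CA only.
if [ "${1:-}" = "run" ]; then
  make_ca org "Example Org RAP CA"
  make_ca factory "Stand-in Factory CA"
  make_rap_csr 001
  sign_rap_csr org 001
  cert_issuer 001
  verify_rap_cert org 001 && echo "chains to org CA: ok"
  verify_rap_cert factory 001 || echo "does not chain to factory CA: ok"
fi
```

Run it as `sh rap-cert.sh run`. The last two lines mirror the staging/prod split the post describes: a controller that trusts both CAs accepts the RAP either way, while one that trusts only the org CA rejects anything still carrying the factory-issued certificate.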
11-17-2015 11:44 PM
As jjscott explains, this can be done. Our company made a guide for a military body that wanted their own certificates.
The procedure is as jjscott describes.
I even think you can store the certificate on a USB stick plugged into your RAP-3 or any other RAP with USB.
This is even more secure, as the RAP is completely useless without the USB.
My customer even looked into having USB dongles with a PIN on them, for even better security.