Wireless Access

Occasional Contributor II
Posts: 15
Registered: ‎05-04-2012

ServerCert

Hi,

 

If I use the CSR tool in the controller GUI to obtain a ServerCert, can I use this same cert across multiple controllers for dot1x termination?

 

I also read on here that if using the openssl method to generate the CSR, once you get the cert from the CA, you have to chain it with your private key before you can upload to the controller. How come chaining of the private key is not needed if using the built in CSR tool in the controller GUI?

 

https://arubanetworkskb.secure.force.com/pkb/articles/HowTo/R-772

 

Thanks,

ckc

Guru Elite
Posts: 21,261
Registered: ‎03-29-2007

Re: ServerCert


ckc527 wrote:

Hi,

 

If I use the CSR tool in the controller GUI to obtain a ServerCert, can I use this same cert across multiple controllers for dot1x termination?

 

I also read on here that if using the openssl method to generate the CSR, once you get the cert from the CA, you have to chain it with your private key before you can upload to the controller. How come chaining of the private key is not needed if using the built in CSR tool in the controller GUI?

 

https://arubanetworkskb.secure.force.com/pkb/articles/HowTo/R-772

 

Thanks,

ckc


You can use it across multiple controllers, yes.

 

Like the article states, you must do chaining if the server certificate was issued from an intermediate CA, because it might not be trusted by your workstations.  That is certainly an advanced topic.

 



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Occasional Contributor II
Posts: 15
Registered: ‎05-04-2012

Re: ServerCert

Sorry, I'm still new at PKI so need some more clarifications. I'm confused between the two methods of generating a CSR, i.e. via the controller GUI vs. OpenSSL.

 

With the controller GUI, you generate the CSR using the tool, submit it to your CA and upload the cert to the controller.  With OpenSSL, you generate the CSR w/ a private key, submit it to your CA, chain the cert and private key together then upload to the controller. How come the private key needs to be chained w/ the cert using OpenSSL method but not with the GUI method?

 

Also, are all the private keys the same on all controllers?

 

Thanks,

ckc

 

 

Guru Elite
Posts: 21,261
Registered: ‎03-29-2007

Re: ServerCert

Okay.

 

Now I understand.

 

The controller does not export the private key, so when you generate the CSR, after you get the server cert, it must match the private key in the controller.  That means you cannot copy the same certificate to multiple controllers when using that method.

 

With OpenSSL, since you have control over the private key, you should be able "technically" to upload it to multiple controllers (as long as you have not generated a CSR with the controller).

 

I apologize for the confusion.



Colin Joseph
Aruba Customer Engineering
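
The reply above turns on a certificate only working with the private key its CSR was generated from; that pairing can be checked with OpenSSL before a key and cert are bundled for upload. This is an added example, not from the thread or from Aruba: the file names are hypothetical, the self-signed sample cert stands in for a CA-issued one, and cert-then-key PEM concatenation is an assumed bundle layout.

```shell
#!/bin/sh
# Added example: confirm a certificate belongs to a private key before bundling.
# All file names are hypothetical; sample keys and cert are constructed locally.

# Print the SHA-256 of the PEM public key taken from a cert or derived from a key.
pubkey_hash() {  # $1 = cert|key, $2 = file
    case "$1" in
        cert) pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) ;;
        key)  pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) ;;
        *)    return 2 ;;
    esac
    [ -n "$pub" ] || return 1   # unreadable input must never compare equal
    printf '%s\n' "$pub" | openssl dgst -sha256 -r | cut -d' ' -f1
}

# Succeed only when the cert's public key equals the key's public half.
cert_matches_key() {  # $1 = cert, $2 = private key
    c=$(pubkey_hash cert "$1") || return 1
    k=$(pubkey_hash key "$2") || return 1
    [ "$c" = "$k" ]
}

# Write cert followed by key into one PEM file, refusing mismatched pairs.
bundle_pem() {  # $1 = cert, $2 = private key, $3 = output bundle
    cert_matches_key "$1" "$2" || { echo "cert does not match key" >&2; return 1; }
    ( umask 077; cat "$1" "$2" > "$3" )   # bundle holds a private key: owner-only
}

# Constructed demo material: two keys and a cert issued for the first key only.
make_samples() {  # $1 = working directory
    openssl genrsa -out "$1/shared.key" 2048 2>/dev/null
    openssl genrsa -out "$1/other.key" 2048 2>/dev/null
    openssl req -new -x509 -key "$1/shared.key" -subj "/CN=dot1x.example.test" \
        -days 1 -out "$1/server.crt" 2>/dev/null
}

demo() {
    d=$(mktemp -d) && make_samples "$d" || return 1
    bundle_pem "$d/server.crt" "$d/shared.key" "$d/bundle.pem" && echo "match: bundle written"
    bundle_pem "$d/server.crt" "$d/other.key" "$d/bad.pem" 2>/dev/null || echo "mismatch: rejected"
    rm -rf "$d"
}
demo
```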


Occasional Contributor II
Posts: 15
Registered: ‎05-04-2012

Re: ServerCert

Thank you. Now I'm clear on which method I must use.

 

ckc