[Tutorial] How to replace SSL certificate.

  • 1.  [Tutorial] How to replace SSL certificate.

    Posted Nov 13, 2013 01:26 AM

    Hi,

     

    Just wanted to write this tutorial since it's a very current issue. (BTW I get nothing from Godaddy :) )

     

    This tutorial is called "How to replace Captive Portal SSL certificate and get NO invalid certificate complaints from the browser"

    Generate a certificate request using Linux and the command line (DON'T generate the CSR on your controller; it's simply not needed)

     

    openssl req -nodes -newkey rsa:2048 -keyout securelogin.mycompany.com.key -out securelogin.mycompany.com.csr

     

    You will be asked a few things like country, company name and such. After you're done you have created a CSR file and a KEY file.

    Go to godaddy.com and log in (or create a login if you don't have one) and choose "Products > SSL&Security > Standard SSL > Single domain". I recommend taking at least 3 years for about 200€ inc. taxes. And you can use this same certificate on multiple controllers with no extra costs!

    Now at the certificate management site you will be asked for the CSR, so copy and paste the CONTENT of the CSR file you just created.
    It looks like this (include everything)

     


     

    Choose SHA2 and 2048Bits, leave everything else like it is.

     

    The next thing is to validate your certificate request, and for that you have a few options.

    1. Request approval via your domain admin's email (you'll get an approval email with an approve link)

      You can check your domain admin's email address in the WHOIS database here: http://whois.domaintools.com

     

    OR


    2. Add a text string given to you by GoDaddy to your website, and a GoDaddy robot will check that the text string can really be found on your website.

     

    Method 1 is faster, I got my certificate in just 3-4 hours from my request.

    When your certificate is approved and generated you'll get a download link, or you can log in to your GoDaddy account and download it. When you are downloading you'll be asked to choose a server type; just choose "other" and download.

     

    In the download package you get 2 files:

     

    One is some numbers and letters.crt (example 65jheh96798.crt) and the other is gd_bundle-g2.crt

    You need to combine these two certificates, so open up 65jheh96798.crt and paste the WHOLE CONTENT of gd_bundle-g2.crt right after -----END CERTIFICATE-----

     

    Now go back to Linux, upload these two files to the same location where you have the CSR and KEY files and run the command

     

    openssl pkcs12 -export -out securelogin.mycompany.com.pfx -inkey securelogin.mycompany.com.key -in 65jheh96798.crt -certfile 65jheh96798.crt

    A password will be asked for during the generation process; just type whatever password you want.

     

    You have now successfully generated your pfx certificate called securelogin.mycompany.com.pfx; upload that to your computer.

     

    The next thing is to upload the certificate to your controller, so log in to your controller / controllers and upload the certificate under Configuration > Certificates >

    Give a name to your certificate and choose your .pfx file

    Type in your certificate's password

    Format pfx

    Certificate type Server cert

     

    Now start using your new certificate and go to General and choose Captiveportal certificate as your new certificate and you're done.

    If you are using an external captive portal, remember to change the HTML code part from:

    <form method="post" autocomplete="off" action="https://securelogin.arubanetworks.com/auth/index.html/u" onsubmit="return checkFormValues(this);">

     

    to

     

    <form method="post" autocomplete="off" action="https://securelogin.mycompany.com/auth/index.html/u" onsubmit="return checkFormValues(this);">

     

     

    You're done!

     

    Best of luck.

     

    BR, Joakim R.
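
A pre-flight check for the steps in the tutorial above, added here as an example and not part of the original post: it confirms that the key, the CSR and the first certificate in the combined file share one public key, and counts the certificates that ended up in the PFX. The function names are illustrative, and it assumes an unencrypted key as produced by `-nodes`.

```shell
#!/usr/bin/env bash
# Added example: sanity checks around the "openssl pkcs12 -export" step.
# Function names are illustrative; file names are whatever you pass in.

# SHA-256 of the public key held in a private key, CSR or certificate (PEM).
pubkey_fp() {
    local kind="$1" file="$2" pem
    case "$kind" in
        key)  pem=$(openssl pkey -in "$file" -pubout 2>/dev/null)        || return 1 ;;
        csr)  pem=$(openssl req  -in "$file" -noout -pubkey 2>/dev/null) || return 1 ;;
        cert) pem=$(openssl x509 -in "$file" -noout -pubkey 2>/dev/null) || return 1 ;;
        *)    return 2 ;;
    esac
    [ -n "$pem" ] || return 1
    # Re-encode to DER so all three sources hash identically.
    printf '%s\n' "$pem" | openssl pkey -pubin -outform DER 2>/dev/null |
        openssl dgst -sha256 -r | cut -d' ' -f1
}

# Succeeds only if key, CSR and the FIRST certificate in $3 share one public key.
# "openssl x509" reads just the first PEM block, so on the combined file this
# also catches a bundle pasted above the server certificate instead of below it.
check_pfx_inputs() {
    local key="$1" csr="$2" cert="$3" k r c
    k=$(pubkey_fp key "$key")   || { echo "unreadable private key: $key" >&2; return 1; }
    r=$(pubkey_fp csr "$csr")   || { echo "not a certificate request: $csr" >&2; return 1; }
    c=$(pubkey_fp cert "$cert") || { echo "unreadable certificate: $cert" >&2; return 1; }
    [ "$k" = "$r" ] || { echo "CSR was not generated from this key" >&2; return 1; }
    [ "$k" = "$c" ] || { echo "first certificate does not belong to this key" >&2; return 1; }
    echo "match: $k"
}

# Count certificates inside a PFX. The password comes from $PFX_PASS
# (exported by the caller) so it never appears in the process list.
pfx_cert_count() {
    local n
    n=$(openssl pkcs12 -in "$1" -nokeys -passin env:PFX_PASS 2>/dev/null |
        grep -c '^-----BEGIN CERTIFICATE-----') || true
    echo "${n:-0}"
}

# Usage (file names from the tutorial):
#   check_pfx_inputs securelogin.mycompany.com.key securelogin.mycompany.com.csr 65jheh96798.crt
#   export PFX_PASS; pfx_cert_count securelogin.mycompany.com.pfx
```

A count of 1 from `pfx_cert_count` means the bundle was not included, so clients would receive the server certificate without its intermediates.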



  • 2.  RE: [Tutorial] How to replace SSL certificate.

    Posted Oct 07, 2016 03:25 PM

    Hey, I am new to Aruba, just landed at this new job. I see that in ArubaInstant I can't generate a CSR, so what you are saying is that it is completely ok to run the CSR off of some random Linux box and it will still be able to pick up the cert and work? I just want to clarify before I jump in and buy a cert.



  • 3.  RE: [Tutorial] How to replace SSL certificate.



  • 4.  RE: [Tutorial] How to replace SSL certificate.

    Posted Oct 11, 2016 12:44 PM

    This is exactly what I was trying to find. Thanks so much!



  • 5.  RE: [Tutorial] How to replace SSL certificate.

    Posted Oct 18, 2017 06:57 AM

    Hi,

    We use an Aruba Controller with NPS. Our default GeoTrust SSL certificate expired two months ago. After that, we uploaded a Comodo 3-month trial SSL certificate as .crt. This SSL certificate was generated with the Aruba CSR. We had no problem with 802.1x authentication on clients. 3 months later, we decided to get a multidomain wildcard certificate from Comodo, but we generated the CSR request file on another server. After that we tried to upload the SSL certificate with the PFX extension, but this certificate was not available to clients. When we tried to upload it with the .crt extension, we got a CSR mismatch error (because the CSR was generated on another server). How can we solve this problem, or can you give some advice about this situation?

    Thanks.

     



  • 6.  RE: [Tutorial] How to replace SSL certificate.

    EMPLOYEE
    Posted Oct 18, 2017 09:06 AM

    Is this for the EAP server certificate or captive portal certificate? It's not clear.



  • 7.  RE: [Tutorial] How to replace SSL certificate.

    Posted Oct 18, 2017 10:38 AM
    Our certificate is an EAP server certificate.