Wireless Access

Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

how to apply a public cert to correct the default cert expiry issue on the wireless controller?

  • 1.  how to apply a public cert to correct the default cert expiry issue on the wireless controller?

    Posted Dec 17, 2013 10:26 PM

    I am looking for some help.

    I am trying to upload a Unique certificate to correct the Default Certificate expiry on an Aruba650 wireless controller. The controller is used as part of a Guest network, and while it does not host the Captive Portal page, it handles the redirection as the ClearPass (Amigopod) server we have hosts the Captive Portal login page.

    I have uploaded our certificate "wireless-controller.ourdomain.com" which we have had signed by a Public CA (Verisign). The certificate uploads successfully when uploading with Certificate type "Public Certificate", however I am not able to select my uploaded certificate to be used as the Captive Portal Certificate.

     

    In our use case, Guest Users are experiencing the Certificate Error after they have successfully entered their credentials on the ClearPass (Amigopod) Captive Portal page, and are in the process of being re-directed to the default landing page. They see the error appear for "securelogin.arubanetworks.com" hosted by the wireless controller, for which the default certificate was valid.

     

    Any assistance is greatly appreciated.



  • 2.  RE: how to apply a public cert to correct the default cert expiry issue on the wireless controller?

    EMPLOYEE
    Posted Dec 18, 2013 03:00 AM

    In Amigopod, change your NAS-IP to wireless-controller.ourdomain.com. Then the controller, seeing that you are asking for its own webpage, will spoof the DNS name and take care of the login.

     

    Regards



  • 3.  RE: how to apply a public cert to correct the default cert expiry issue on the wireless controller?

    Posted Dec 18, 2013 04:55 AM

    Hey Surjeet,

    Here is the process to generate/import a public cert, when wanting to use a single public cert across multiple controllers. This is to replace the default cert (securelogin), and allows you to deploy this cert on multiple controllers, as DNS resolution is not required (DNS is spoofed by the controller, based on the cert CN, as per Sam's response).

     

    ----

    Requirements:

    · Certificate needs to be in PEM 509 format.

    · cn name must be the captive portal URL (e.g. securelogin.domainname.com)

     

    Steps:

    1. Generate the desired server private key: openssl genrsa -des3 -out server.key 1024
    2. Generate the desired server cert request: openssl req -new -key server.key -out server.csr
    3. Send .csr to your favorite CA
    4. Make the server private key unsecure (unencrypted with no password): openssl rsa -in server.key -out server.key.unsecure
    5. Combine the server cert (received from your CA) and its private key into a .pem file: cat server.key.unsecure server.cer > server.pem
    6. Upload the file: Maintenance->Captive Portal->Upload Certificate
    ------

     

    Regards,

      Raphael
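
A pre-upload check for the server.pem bundle built in the steps above, as an added example that is not part of the thread or of Aruba's tooling: it confirms that the key is unencrypted, that the key and certificate are the same pair, that the CN is the expected captive portal name, and that the certificate has not expired. The function names, the file names and the securelogin.example.com CN are assumptions, and the sample certificates are self-signed stand-ins constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): sanity-check server.pem before upload.
# Usage: check_bundle FILE EXPECTED_CN ; returns 0 only if every check passes.
check_bundle() {
    pem=$1; want_cn=$2; rc=0
    # Step 4: the key in the bundle must carry no passphrase.
    if grep -Eq '^(Proc-Type: 4,ENCRYPTED|-----BEGIN ENCRYPTED PRIVATE KEY)' "$pem"; then
        echo "FAIL: private key is still encrypted"; return 1
    fi
    # Step 5: the key and the certificate must be the same pair.
    cert_pub=$(openssl x509 -in "$pem" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$pem" -pubout 2>/dev/null)
    if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: private key does not match the certificate"; rc=1
    fi
    # Requirement: CN equals the captive portal host name.
    cn=$(openssl x509 -in "$pem" -noout -subject -nameopt RFC2253 2>/dev/null |
         sed -n 's/.*CN=\([^,]*\).*/\1/p')
    [ "$cn" = "$want_cn" ] || { echo "FAIL: CN is '$cn', expected '$want_cn'"; rc=1; }
    # The replacement certificate must not itself be expired.
    openssl x509 -in "$pem" -noout -checkend 0 >/dev/null 2>&1 ||
        { echo "FAIL: certificate has expired"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: $pem"
    return "$rc"
}

# Constructed sample data: self-signed stand-ins for the CA-issued server.cer.
make_samples() {
    d=$1
    for n in a b; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
            -subj "/CN=securelogin.example.com" \
            -keyout "$d/$n.key" -out "$d/$n.cer" >/dev/null 2>&1 || return 1
    done
    openssl rsa -in "$d/a.key" -aes128 -passout pass:constructed \
        -out "$d/a.enc" 2>/dev/null || return 1
    cat "$d/a.key" "$d/a.cer" > "$d/good.pem"          # key with its own cert
    cat "$d/b.key" "$d/a.cer" > "$d/mismatch.pem"      # key from another pair
    cat "$d/a.enc" "$d/a.cer" > "$d/encrypted.pem"     # step 4 was skipped
}

# Run as: sh check_bundle.sh server.pem securelogin.domainname.com
if [ "$#" -eq 2 ]; then check_bundle "$1" "$2"; fi
```

Because the bundle contains the private key in the clear, keep it readable only by the administrator preparing the upload and delete it afterwards.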