Moderator

Re: Certificate - "securelogin.arubanetworks.com"

Also, note that Aruba Instant contains a factory default certificate as well, which has the CN of "instant.arubanetworks.com".  Same story - you shouldn't be using this certificate in a production network.  This one, at least, is a self-signed certificate so hopefully nobody ever got the idea that it was providing any security.  But every Instant AP includes the same self-signed certificate, so unlike what you can do with ArubaOS 8.0, you definitely cannot trust this certificate.

---
Jon Green, ACMX, CISSP
Security Guy
Frequent Contributor II

Re: Certificate - "securelogin.arubanetworks.com"

I had not seen this news and our controller (Aruba OS 6.3.1.22) was still using the default certificate. Now that certificate seems to suddenly have been revoked since today or so? Causing a lot of trouble now. (can't download VIA profile any longer? All VIA-clients always seem to think they're on an un-trusted network, even though it's on a trusted network?) How can I fix this the quickest? Do I need to purchase a certificate etc.?

 

Apparently a non-valid certificate for the domain name was okay for things to work normally, but a revoked certificate is not okay? Does that mean re-uploading a new non-valid certificate should make things work? Of course, it's better to upload a valid certificate I guess. But just wondering.

 

Also, I'm wondering if RAPs will continue to be able to connect. So far so good....

Guru Elite

Re: Certificate - "securelogin.arubanetworks.com"

You would get a basic SSL web server certificate for your controllers.



Also, this would not affect RAPs.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Moderator

Re: Certificate - "securelogin.arubanetworks.com"

  1. Visit https://www.ssls.com/
  2. Scroll down to "PositiveSSL" (the one that says $4.99/year)
  3. Click the shopping cart button.
  4. Pay some money

 

Now you paid for a cert - next you need to actually obtain it.

 

  1. If you have just one controller, open the WebUI, go to Configuration->Certificates->CSR.  Set the key length to 2048.  Put your controller's hostname into the Common Name field.  Fill out the rest of the information.  Click "Generate New".  Click "View Current".  Copy and paste this into the www.ssls.com page where it asks you for your CSR.  Skip to step 3.
  2. If you have multiple controllers and want to use the same certificate on all of them (note:  not recommended from a best security practice standpoint), you can't use the ArubaOS CSR-generation routine described in step 1, because you won't (easily) get your private key back.  For this, you need a computer with OpenSSL on it.  There are a number of tutorials online that tell you how to generate keypairs and CSRs using OpenSSL - follow one of them.  Once you get a CSR, paste it into the www.ssls.com page where it asks for your CSR.  
  3. Go through the verification process.  
  4. Obtain cert in email.
  5. If you generated your CSR on the controller (step 1), upload the certificate back to the WebUI with Management->Certificates->Upload.  Set the cert type to "Server Certificate".  You are done.
  6. If you generated your CSR with OpenSSL (step 2), when you get the certificate, you need to recombine it with the private key that OpenSSL will save to disk, and then that complete package needs to be uploaded to your controllers.  The easiest way is to dump the certificate, the certificate chain (this includes the intermediate CAs), and the private key into a text file.  I am over-simplifying this - but there are many how-tos online.  Make sure you don't leave that text file lying around somewhere that other people can get it.  

If browsers still complain about your new cert not being trusted, and you think you did everything correctly, the most likely problem is the certificate chain.  You need to combine the server certificate AND the intermediate CA certificates (all of this will be emailed to you) into a single file, which you upload to the controller.

 

All told - this is too complicated, and requires you to know too much about certificates, cert chains, certificate file types, etc.  It's the result of letting security engineers design this part of the software.  I've made some suggestions internally for how to make this easier.

 

If all of this sounds like too much of a pain, go to https://msol.io/blog/tech/create-a-self-signed-ssl-certificate-with-openssl/ (or even http://www.selfsignedcertificate.com/, though I haven't tried this myself) and create yourself a self-signed certificate.  Upload it to the controller.  The first time you use it, tell your browser to show you the certificate, and "install" it - you're telling your browser to remember this certificate so that the next time you use it, it will be trusted.  It's not the best security approach, but it will get the job done.

---
Jon Green, ACMX, CISSP
Security Guy
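
Steps 2 and 6 of the post above (CSR generated with OpenSSL off the controller, then certificate, chain and private key recombined into one file), as an added example that is not part of the original post or of Aruba's tooling. The hostname and file names are placeholders, and the bundle order simply follows the order the post lists.

```shell
#!/bin/sh
# Added example: OpenSSL side of steps 2 and 6. All names are placeholders.
set -eu

# Step 2: create a 2048-bit RSA key and a CSR for <hostname> in <outdir>.
make_csr() {  # usage: make_csr <hostname> <outdir>
    (
        umask 077   # private key readable by its owner only
        openssl req -new -newkey rsa:2048 -nodes \
            -keyout "$2/$1.key" -out "$2/$1.csr" \
            -subj "/CN=$1" 2>/dev/null
    )
}

# Succeeds only when the issued certificate carries the public half of the
# private key. Catches pairing the CA's reply with the wrong key file.
key_matches_cert() {  # usage: key_matches_cert <cert.pem> <key.pem>
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Step 6: server certificate, then intermediate CA certificates, then the
# private key, written to one owner-only PEM file for upload.
make_bundle() {  # usage: make_bundle <cert.pem> <chain.pem> <key.pem> <out.pem>
    (
        key_matches_cert "$1" "$3" || {
            echo "certificate and private key do not match" >&2
            exit 1
        }
        umask 077
        cat "$1" "$2" "$3" > "$4"
    )
}

# Typical use (placeholder names):
#   make_csr controller.example.test .
#   ... submit controller.example.test.csr, receive cert.pem and chain.pem ...
#   make_bundle cert.pem chain.pem controller.example.test.key upload.pem
```

Delete the bundle and the standalone key from the workstation once every controller has the upload, since that file is the whole identity of the web server.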
Frequent Contributor II

Re: Certificate - "securelogin.arubanetworks.com"

Thanks. I think I might also have to change Management/General and then WebUI Management Authentication Method/Server Certificate ?
Moderator

Re: Certificate - "securelogin.arubanetworks.com"


eriknl2 wrote:
Thanks. I think I might also have to change Management/General and then WebUI Management Authentication Method/Server Certificate ?

Yes.  Sorry I forgot to mention that.


If you're using captive portal, you'll also want to change it there.

---
Jon Green, ACMX, CISSP
Security Guy

Re: Certificate - "securelogin.arubanetworks.com"

Had the same issue, revoked cert, VIA client couldn't download profiles. Swapped the revoked cert with our own trusted cert for the vpn. Issue we're having now is that I assume the same revoked cert was also used on the APs, AirWave, Controller because we can no longer access those sites. We don't even get an invalid cert prompt in the browser, it is just inaccessible. 

Re: Certificate - "securelogin.arubanetworks.com"

Everyone, it was found that the current certificate in ArubaOS and Aruba Instant (serial number 01 da 52) has been revoked by the Certificate Authority.

 

Unfortunately, that means that unless you followed the advice up this thread and in the bulletins, and moved to your own SSL certificate, you may be in a situation where you cannot connect to your controller anymore.

 

Google Chrome is supposed not to do CRL checking, so using another browser may fix the issue. I signaled internally in Aruba the revocation, so probably things will start happening now.

 

In the meantime: change your controller and IAP certificates as soon as possible and use your own certificates as your web browser may keep you out of your controller or IAP.

--
If you have urgent issues, please contact your Aruba partner or Aruba TAC (click for contact details).

Re: Certificate - "securelogin.arubanetworks.com"

How can I change my controller certificates if I can't access my controller?

Re: Certificate - "securelogin.arubanetworks.com"

Jesse,

 

Probably the easiest way is to use a browser that doesn't check revocation or where you can override the CRL check.

 

You can also import the certificate through the CLI: http://www.arubanetworks.com/techdocs/ArubaOS_64_Web_Help/Content/ArubaFrameStyles/Management_Utilities/Managing_Certificates.htm , and then configure it like:

 

web-server profile
   switch-cert "my-certificate-2016"
   captive-portal-cert "my-certificate-2016"

Also contact your Aruba partners or Aruba TAC if you have issues.

 

--
If you have urgent issues, please contact your Aruba partner or Aruba TAC (click for contact details).