ArubaOS Default Certificate Revocation FAQ - Instant

By cappalli Unpublished


Frequently Asked Questions for Aruba Support Advisory ARUBA-SA-20160908-01


Certificates are used to validate the identity of a remote user or service such as a web site. If you purchase something on eBay, for example, the site presents a certificate to your browser to ensure that you are not giving a rogue entity your credit card number and that the communication between you and the site is encrypted so that nobody can intercept what you are typing. The controller, MAS and Instant APs have built-in default certificates installed to serve as a placeholder for a permanent certificate, so that you can get up and running quickly when you connect to the management interface, authenticate using 802.1X with termination and authenticate guests using captive portal. Unfortunately, the same default certificate, registered to Aruba Networks, is installed on each platform at the factory. The only way to ensure integrity is to replace those certificates with your own public or private certificate, so that your users and their devices know that your organization, and NOT a random entity, is the one processing (and able to see) their authentication.


Aruba's user guides urge replacement of the management and Captive Portal certificates to ensure security:


[Screenshot from the user guide: ug-managing certs.png]



What prompted this announcement?

  • GeoTrust (the signer and issuer of the Aruba default certificate) revoked the certificate on 9/8/16 because the private key had been compromised. On controllers, Instant APs and Mobility Access Switches where the default certificate had not been replaced, the user's browser either (1) rejected the connection or (2) returned a confusing message that the certificate was expired or revoked; in some cases the browser refused to display the page at all. ArubaOS 8 forces the user to generate a self-signed certificate, which sidesteps this issue, but ArubaOS 6.5 and below still ship with the shared default certificate, which the administrator needs to replace for Captive Portal, Management Administration and 802.1X termination (if it is being used).


What is a certificate?

  • A certificate is essentially a digital ID card used by individuals, businesses and even devices to identify themselves to others and facilitate things like data encryption between two devices.
    More on certificates >>

Who uses certificates?

  • Nearly every organization uses digital certificates in some way. The most basic and pervasive use is on the internet to identify the owner of a website and provide data encryption. This is critical when entering sensitive information like credit card numbers and identification numbers or downloading files to your device. The certificate on the web site allows you to verify who you are giving your information to and also provides a framework to ensure that the data is encrypted (scrambled) before it goes out over the internet.
  • You may also use a certificate to prove your identity to a company in order to access your secured data. An example would be a bank login where you use a digital certificate instead of your password, or a resource at work that requires higher assurance of who you are.

What is the difference between a public, private and self-signed certificate?

  • A public certificate is signed by a public certificate authority after domain, personal identity or business verification. These certificate authorities are pre-installed on most client operating systems like Windows, Mac OS X, Android and iOS. The public CAs follow a strict process when issuing certificates, which creates a chain of trust from the CA, through the operating system vendors (who decide which CAs are added to the OS trust store) and ultimately down to the user.
    More on public certificates >>
  • A private certificate is signed by an internal or private CA that is run by an organization. The Root CA is not trusted by default by client devices and needs to be pushed out to clients via a management tool or manually installed in order for devices to show certificates from this CA as valid.
  • A self-signed certificate is generally generated by the local machine/device itself, has no relation to any other certificate and is signed with its own key.
    More >>

What is a CSR?

  • A CSR is a certificate signing request. It is a copy of the public key that has not yet been signed by a CA; it is generated by an application or operating system together with a private key, and contains information about your organization as well as the common name and any subject alternative names being requested. The CSR is provided to the certificate authority to validate and sign. The result is a signed public certificate that can be used with your application/service in combination with the private key.
    More >>

What does it mean when a certificate is revoked?

  • A certificate can be revoked by the owner of the certificate or the certificate authority that issued it. This can be done for many reasons like a service being decommissioned or the security of the certificate being compromised.

How does a browser/device know when a certificate is revoked?

Who is GeoTrust and how are they related?

  • GeoTrust is a popular public certificate authority used by many companies. They are responsible for verifying the identity of a user, domain, email address and/or company to allow for a trust relationship between the end user or device and a company or other user.
    More about certificate authorities >>
    More about GeoTrust >>

Where can I learn more about certificates?



Which Aruba products are affected?

  • Aruba Mobility Controllers, Instant Access Points (IAP) and Mobility Access Switches (MAS).

Why was a public certificate included in the first place?

  • In early versions of ArubaOS, a certificate was not included. This resulted in many users having issues getting captive portal working. A publicly-signed default cert was added to ArubaOS to give a working solution out of the box and also provide an example of what was required, a template of sorts. It was also very useful when evaluating Aruba products prior to purchase.

Why is a certificate needed on an Aruba controller/IAP/MAS?

Certificates are used for four different functions:


  1. Web UI security >> The web UI used for management uses a certificate to identify the controller to admin users and is also used to encrypt credentials, keystrokes and other traffic between the browser and the controller/IAP/MAS.
  2. Captive Portal redirection >> In order to redirect users that are visiting an https page, we need a certificate on the controller to intercept the https connection and redirect it to the controller’s web server or an external captive portal.
  3. Captive Portal login >> In most deployments, a user enters their credentials into the captive portal displayed in their browser and then clicks submit or log in. The browser submits the credentials to a special URL on the controller and the controller then checks these credentials via the local database or a RADIUS server. Because these credentials are sent from the client device to the controller, we need a certificate to encrypt the credentials in transit and provide assurance that the controller is valid.
  4. EAP-Termination (optional) >> While a RADIUS server is recommended, in some deployments, the controller may serve as the EAP termination point for things like EAP-PEAP, EAP-TLS and other EAP methods. These require a server side certificate on the controller for the client to validate.

Do I need to use the same certificate for each service?

  • No. Web UI, captive portal and EAP-Termination can all use different certificates and different certificate types (self-signed vs private vs public).

Why was the certificate revoked?

  • Because the certificate was included with each controller, IAP and MAS, it was part of the software image, and the certificate's key pair was recently extracted from it and compromised. GeoTrust then revoked the certificate, following certificate authority policies for compromised keys.

Can I use the same captive portal and/or EAP-termination certificate across multiple controllers?

  • The technical answer is yes, but you should consult your security team first.
  • If you choose to use the same certificate, use an external system to generate the CSR (openssl on Linux/Windows/Mac OS X, or IIS on Windows, for example). If you generate the CSR on the controller, you will not be able to export the key pair for import to another device.

What common name should be used if the captive portal certificate will be used on multiple devices?

  • The common name can be anything you want (it does not actually have to resolve to a host), but we recommend it be a user-friendly name off your domain, as it is briefly displayed on an end-user's device during authentication. An example would be: Do not use

Were any other certificates in the products compromised?

  • Aruba controllers, IAPs and MAS also include a unique factory certificate that is generated during manufacturing. This certificate is issued by a private CA used for trust between Aruba devices for services like Control Plane Security (CPSec) and Aruba Activate. This certificate is unique to the hardware and the private key is stored securely in a hardware trusted platform module (TPM) and remains valid and secure.



What INSTANT AP services use this certificate by default?

  • Captive Portal (splash page for guests)
  • EAP-Termination (used in some situations where a RADIUS server is not available)
  • Note that Instant uses a unique, self-signed certificate for management UI access and is not affected by this revocation.

How can I fix this on my Aruba Instant APs?

  • A custom certificate needs to be acquired and installed on the IAP virtual controller (VC).
  • Choosing a certificate:
    Self-signed: YES (1) (but not recommended, see below)
    Privately-signed: YES (1) (but not recommended, see below)
    Public: standard domain cert
    Public: wildcard cert: YES (version 4.3+); NO (prior to 4.3)

    1 – While a self-signed or private certificate can be used for captive portal, it is not recommended, as guests will not have the certificate and/or root CA installed and will receive a certificate error.

    2 – When using EAP-Termination with a self-signed certificate, the certificate will need to be installed on each client device in order to secure the connection.

    3 – When using EAP-Termination with a privately signed certificate, the private root CA will need to be installed on each client device in order to secure the connection.

    4 – Wildcard certificates will be rejected by many client devices when used as a RADIUS server certificate.

  • Installing the certificate:
  • The "Apache" certificate package from your CA should contain two certificate files: one with just your signed public certificate and a second with the intermediate and root certificates. Extract those and drop them in the directory where your private key was generated.
  • Open a shell window (cmd, terminal, bash), change directory to the location of the certificate files and run the following commands, replacing the values between the curly braces:
    cat {private-key-file} > {new-combined-certname}.pem
    cat {public-cert-file} >> {new-combined-certname}.pem
    cat {intermediate-root-ca-file} >> {new-combined-certname}.pem
    Note that this new .pem file is NOT encrypted (it contains your private key in the clear) and should be stored securely.
  • Now that you have your combined PEM file, navigate to Maintenance > Certificates and click Upload New Certificate. Browse to the new combined .pem file, select which service you're using the certificate for, select PEM as the format and then click Upload Certificate.
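The following script is an added example, not Aruba's code or the commands from this FAQ. It ties together the two steps the FAQ describes: generating the key pair and CSR on an external machine with openssl (so the same certificate can be reused across virtual controllers), then building the combined key + certificate + chain PEM and checking, before upload, that the blocks are in the order the upload expects, that the key is unencrypted, and that nothing other than certificates follows it. The function names, file names and the common name are placeholders.

```shell
#!/bin/sh
# Added example (not Aruba's code): build the combined PEM bundle that the
# Instant "Upload New Certificate" dialog expects (private key, then signed
# certificate, then intermediate/root chain) and sanity-check it first.
# File names and the CN are placeholders; adjust them to your environment.
set -eu

# Generate the key pair and CSR off-box, as the FAQ advises, so the key can
# later be installed on several virtual controllers. Requires openssl.
gen_key_and_csr() {
  key="$1"; csr="$2"; cn="$3"
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout "$key" -out "$csr" -subj "/CN=${cn}"
}

# Concatenate in the order the upload expects. The bundle holds the
# unencrypted private key, so create it with owner-only permissions.
build_bundle() {
  key="$1"; cert="$2"; chain="$3"; out="$4"
  ( umask 077; cat "$key" "$cert" "$chain" > "$out" )
}

# List the PEM block types in a file as a comma-terminated sequence,
# e.g. "PRIVATE KEY,CERTIFICATE,CERTIFICATE,".
pem_blocks() {
  tr -d '\r' < "$1" | grep -E '^-----BEGIN ' \
    | sed -e 's/^-----BEGIN //' -e 's/-----$//' | tr '\n' ','
}

# Accept only: one unencrypted private key first, then two or more
# certificates (leaf plus at least one CA certificate) and nothing else.
check_bundle() {
  seq=$(pem_blocks "$1")
  first=${seq%%,*}
  rest=${seq#*,}
  case "$first" in
    "ENCRYPTED PRIVATE KEY")
      echo "key is encrypted; the upload needs an unencrypted key" >&2; return 1 ;;
    *"PRIVATE KEY") ;;
    *)
      echo "bundle must start with the private key, found: $seq" >&2; return 1 ;;
  esac
  case "$rest" in
    "CERTIFICATE,CERTIFICATE,"*) ;;
    *)
      echo "expected leaf certificate followed by CA chain, found: $seq" >&2; return 1 ;;
  esac
  # Every block after the key must be a certificate (no second key, no CSR).
  stray=$(printf '%s' "$rest" | tr ',' '\n' | grep -cv '^CERTIFICATE$' || true)
  [ "$stray" -eq 0 ] || { echo "unexpected block in chain section: $seq" >&2; return 1; }
}

# Stand-alone usage: bundle.sh key.pem cert.pem chain.pem combined.pem
if [ "$#" -eq 4 ]; then
  build_bundle "$1" "$2" "$3" "$4"
  check_bundle "$4" && echo "ok: $(pem_blocks "$4")"
fi
```

Run it with the four file names to produce the combined file, then upload the result under Maintenance > Certificates as described above. The order check matters because the upload reads the key first; a bundle that starts with a certificate, or one whose key is still passphrase-protected, is the usual cause of a rejected upload.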



Is ClearPass affected by this?

  • ClearPass is not directly affected by this advisory but a few configuration tweaks need to be made when the controller/IAP/MAS captive portal certificate is changed.

What changes need to be made in ClearPass?



Jun 29, 2020 10:54 AM

I have several Instant 305 APs with enterprise WPA2 configured using the built-in radius server. I need to add a valid SSL cert for our clients so they aren't clicking through the self-signed not secure warnings and the same for accessing the virtual management controller. We do not have a captive portal and the system is not internet accessible via a fqdn. What can I do certificate-wise if I want to add a cert from a public CA? I assume the common name on the cert needs to match the host (but the author of this post states that that isn't the case for captive portal at least). For example, would I be able to get a cert for and apply to the virtual controller for my instant APs even though that domain name wouldn't resolve to a host? If not, what are my options? Thanks!

Jan 23, 2020 05:33 PM

The common name can be whatever you want.

Jan 23, 2020 02:59 PM

In the section about the Common Name field (WHAT COMMON NAME SHOULD BE USED IF THE CAPTIVE PORTAL CERTIFICATE WILL BE USED ON MULTIPLE DEVICES?), the following example is provided for a common name field - Based on other articles that I've read (published on this site) I assumed that the common name for the certificate used for Captive Portal Radius Authentication must have the following format -, where yourdomain is the only variable field.


Given the IAP traps HTTP POST requests directed to a specific URL this requirement makes sense. But, based on this article, it would seem that the IAP reads the certificate configured for Captive Portal authentication and extracts the Common Name from the certificate. Can you confirm that this is what really happens? Or, does the common name need to begin with securelogin?


Thanks, Robert

Dec 20, 2017 02:18 AM

I had the same issue with an Android device. It's wide-spread as well, but much easier to solve. Here's the guide to fixing the device uncertified issue.

Aug 17, 2017 01:51 AM

thank you. I did look at and they seem like they will be very helpful.

Aug 08, 2017 10:01 PM

Give a try. The $4.99/year cert is all you need.

Aug 08, 2017 09:58 PM

OK, in the absence of any other ideas, I will start at GeoTrust and see if they can help.


Aug 08, 2017 09:32 PM

OK, thanks for weighing in. I understand "create the account" but I have spent hours trying to find some guidance on how to begin or where to begin. Godaddy seems to be mostly for their domain customers and I don't need a credit card processing or banking certificate, Symantec is so huge it is daunting to sort through. I see a link at Symantec which redirects to a customer support page which has a page full of different divisions of the Website Security department. My question remains: "Where"? Do I need to call some place by telephone? Is there a web based application process? I know I need to gather information about my identity but then to where will I send it?

I am spending hours in this dialog wondering if anyone who has done this just to simply "fix" the captive portal on IAPs could offer a suggestion or direction such as "here is what I did and this is all it takes to get it done" that I could mimic for my own purposes.

Aug 08, 2017 09:16 PM

You usually literally just create an account, do the domain verification and then upload the CSR. There should be no need to call.

Aug 08, 2017 08:24 PM

thank you.

could you help me find the starting place or suggest someone who could get me started with the requests to Symantec or Comodo? Perhaps I will try to call GoDaddy and see if they can walk me through.

Aug 08, 2017 07:35 PM

You would send the CSR off to your preferred certificate authority. You don't need to write any code. It's standard SSL certificate configuration. You need 1 captive portal certificate across your environment.

Aug 08, 2017 07:15 PM

WHERE do I begin? Whom and how do I send the CSR to? I see Symantec on the list of Certificate Authorities worldwide, but how do I initiate this process? Do I need a separate certificate for each SSID? I administrate 3 sites with 3 or 4 SSIDs each.

I am not fluent in writing code so I need some help. Is there anyone who has done this in the form of a GUI pointing the way with click and respond type input?  Once I get the certificates I think I can get HP Enterprise on a phone call to help me upload but it is very confusing to try to begin this process.

Apr 06, 2017 02:18 PM

This process is incorrect, we buy another certificate and upload to Aruba Instant and still error certificate.