How do I generate, install, and manage a certificate for the controller?

By arunhasan1 posted Aug 07, 2014 11:06 AM


Product and Software: This article applies to all Aruba controllers and ArubaOS 3.x.


To generate, install, and manage a certificate for the controller, follow these steps:


1)   Generate the CSR on the controller.


Fill in all the fields for the CSR information. Ensure that you do not use abbreviations for State/Province. Some Certificate Authorities (such as VeriSign) do not accept abbreviations in this field. Click Generate New.


2)   Click View Current to view the CSR.


3)   Copy the text from "-----BEGIN CERTIFICATE REQUEST-----" to "-----END CERTIFICATE REQUEST-----" (including these two lines as well).


This text will be sent to your preferred certificate authority (CA). You can also save it using any text editor and send it to your CA as an attachment.


4)   The following are the preferred certificate options:

  •  Server-type: Apache
  •  Purpose: Web Server
  •  Type: PEM


5)   After you submit the CSR to the CA, the CA will provide the signed copy of the certificate, and you can now upload the signed certificate to the controller using the Web management interface.


6)   You can use the new certificate loaded for captive portal authentication, WebUI Management Authentication, or 802.1x termination. The following screens illustrate the options available on the management user interface.


Certificates may be signed by an intermediate CA that the stations do not trust. In this case, you need to chain the certificate before uploading it to the controller. Obtain the intermediate CA certificate from your CA in PEM format; if it is supplied in another format, convert it to PEM using a tool such as OpenSSL.


To chain the certificate, append the intermediate CA certificate to the end of the signed server certificate provided by your CA using any text editor, save the file, and follow step 5 to upload the chained certificate to the controller.
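The chaining step above, as an added Python example (not from the original article or from Aruba): it writes the server certificate first and the intermediate CA certificate after it, and rejects or repairs the usual text-editor mistakes (glued BEGIN/END markers, CRLF line endings, a CSR or private key pasted in place of a certificate). The function names and the placeholder sample data are assumptions, and the check is structural only; it does not verify signatures.

```python
import base64
import binascii
import re

# Matches any PEM block and captures its label and base64 body.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.DOTALL)


def extract_certs(pem_text, source):
    """Return normalised CERTIFICATE blocks found in pem_text.

    Raises ValueError if the text holds no certificate, holds a CSR or a
    private key instead, or holds a body that is not base64-encoded DER.
    """
    certs = []
    for label, body in PEM_BLOCK.findall(pem_text.replace("\r\n", "\n")):
        if label != "CERTIFICATE":
            # A CSR or private key pasted by mistake must never be uploaded.
            raise ValueError(f"{source}: unexpected PEM block '{label}'")
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except binascii.Error as exc:
            raise ValueError(f"{source}: body is not valid base64") from exc
        if not der or der[0] != 0x30:  # X.509 DER starts with a SEQUENCE tag
            raise ValueError(f"{source}: body is not DER")
        b64 = base64.b64encode(der).decode("ascii")
        lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
        certs.append("\n".join(
            ["-----BEGIN CERTIFICATE-----", *lines, "-----END CERTIFICATE-----"]
        ) + "\n")
    if not certs:
        raise ValueError(f"{source}: no PEM certificate found (DER file?)")
    return certs


def build_chain(server_pem, intermediate_pem):
    """Server certificate first, then the intermediate CA certificate(s)."""
    server = extract_certs(server_pem, "server certificate")
    if len(server) != 1:
        raise ValueError("server file must contain exactly one certificate")
    return "".join(server + extract_certs(intermediate_pem, "intermediate CA"))


def sample_pem(payload, label="CERTIFICATE"):
    """Constructed placeholder PEM (not a real certificate) for the demo."""
    b64 = base64.b64encode(b"\x30" + payload).decode("ascii")
    return f"-----BEGIN {label}-----\r\n{b64}\r\n-----END {label}-----"
```

Read the two PEM files from your CA into strings, pass them to build_chain(), and write the result to the file you upload in step 5.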




Sep 26, 2016 11:52 AM

It just needs to be copied to the flash root.

If you temporarily disable OCSP/CRL checks in your browser, you will be able to access the UI.

Sep 26, 2016 11:46 AM

Customer claims all browsers refuse to load the page, saying "certificate revoked".

The documentation lists multiple locations for certificates.


Which directory do I upload the generated certificate to?






or just /flash/???


Sep 26, 2016 11:35 AM

You can use an alternative browser or disable OCSP/CRL checks temporarily to access the UI.

Instructions on adding a cert via the CLI are provided in the user guide.

Sep 26, 2016 11:30 AM

That's fine for WebUI, but what happens when the WebUI is locked out due to a revoked certificate?  They can only access the CLI.  The documentation just brushes over that part:  

In the CLI

Use the following command to import CSR certificates:

crypto pki-import {der|pem|pfx|pkcs12|pkcs7} {PublicCert|ServerCert|TrustedCA} <name>

The following example imports a server certificate named cert_20 in DER format:
crypto pki-import der ServerCert cert_20


The crucial step missing is where to upload the certificate via the CLI.  What's the TFTP command to do that?


Jan 27, 2015 03:08 PM

Configuration > Certificates > Upload

Jan 27, 2015 03:06 PM

You only explained how to generate the CSR. How do you upload the signed certificate back into the controller?