Creating and Installing a Captive Portal Certificate on Instant from a Public CA
Due to the Advisory here: https://community.arubanetworks.com/t5/Controller-less-WLANs/ArubaOS-Default-Certificate-Revocation-FAQ-Instant/ta-p/275814 all users should be uploading either a self-signed or CA certificate on instant. Below are instructions for a public CA. Please keep in mind that instant does not have a facility to create a CSR or certificate signing request that is needed for a CA, so you have to create your own using OpenSSL. Open SSL can be downloaded here: https://wiki.openssl.org/index.php/Binaries
Create a CSR to submit to your Certificate Authority by typing the following on the commandline:
openssl req -newkey rsa:2048 -keyout privatekey.key -out mycsrfile.csr
You should see the following happen:
Generating a 2048 bit RSA private key
writing new private key to 'privatekey.key'
Enter PEM pass phrase: [Enter private key passphrase twice. You will need it later, so remember it!]
Verifying - Enter PEM pass phrase:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:NY
Locality Name (eg, city) :NY
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Company
Organizational Unit Name (eg, section) :IT
Common Name (e.g. server FQDN or YOUR name) :instant.mydomain.com
[instant.mydomain.com will be the fqdn of your server certificate]
Email Address :firstname.lastname@example.org
Please enter the following 'extra' attributes
to be sent with your certificate request [optional….can be skipped]
A challenge password :
An optional company name :
In the same directory, you should find two files:
Upload or copy and paste the contents of the mycsrfile.csr to the certificate authority when it asks you to. After you do that certificate authority will either allow you to download or will email you two files:
To put it into the proper format, you need to open the two text files the CA gives you back, along with the privatekey.key file in a text editor. Also, create a new blank text file that you will be copying and pasting all of the files into:
Using a text editor, Copy and paste the contents of the three files in this order into a blank text editor page:
It should look something like this:
Save the text file with a .pem extension as instant-server-cert.pem
Login to your Instant controller and the go to Maintenance> Certificates and click on Upload New Certificate:
For Certificate Type, choose Captive Portal Server. For Certificate format, choose PAM. Click on Browse to browse to your instant-server-cert.pem file. Type in the passphrase that you chose when you ran the open SSL command above twice. Click on upload certificate.
The instant controller GUI will be unavailable for up to 60 seconds. Wait, and then refresh the page. You should be able to inspect your SSL certificate in the browser when the GUI returns.
After looking through this and the linked similar case, it's actually simple but very non-standard.
1. create a file that combines the cert and the private key (non-encrypted, which is typical):
cat put-your-cert-here.pem put-your-private-key-here.pem > aruba.pem
2. Upload that. Wait a while (a long while if it's a 4096 bit cert).
We had the same issue as @maulerma above, where we had the private key header as "-----BEGIN ENCRYPTED PRIVATE KEY-----". I believe this PKCS#8 format, which the IAP seems to cough on. (We got a "parse" error in the log, and couldn't access the GUI when using this)
We used "openssl rsa -in old_private_key.pem -out new_private_key.pem" to convert to the "-----BEGIN RSA PRIVATE KEY----- " form (which is the old style PKCS#1).
Anyway this seemed to work, so thanks Manfred.
I had an upload certificate issue. It was due to an extra line at the bottom of the .pem file. Very helpful support were able to see this for me. The privatekey.key file was also encrypted which was fine. You don't need to unencrypt
It is NOT possible to use the encrypted privatekey.key and use the passphrase fields in the WebUI!
I had to import the encrypted privatekey.key file with OpenSSL and generate an unencrypted privatekey_unenc.key file - inserted the content it at the end of the .pem file and did NOT enter any passphrase during the installation - that worked for me.
The header of my privatekey_unec.file looks like:
-----BEGIN RSA PRIVATE KEY-----MIIEpQIBAAKCAQEA0vIiLW3AIiu2hV3kfKJamUr1Kdkwy5UtbWNrqzwgugCk/+Jmlr/OLD7Qo9xZKjNxvDlYYbprX1FyWxya8YQmvjCS0K6wE9P3ewr2eYzSsjgyTRTV
-----END RSA PRIVATE KEY-----
As noted in article http://community.arubanetworks.com/t5/Controller-less-WLANs/Certificate-chain-hierarchy-recommended-for-Instant-AP/ta-p/292008 I've added also the root certificates in the certificate chain but I'm getting the same error message:
I have a Geotrust G3 certificate and have now 4 certificates in the PEM file in the following order:
Intermediate Geotrust CA G3 certificate
Primary GeoTrust Universal certificate
Help is still very welcome---
I have tried this too using the above description and got the following error during installing the certificate:
The Header of the privatekey.key File looks different from the above example:
-----BEGIN ENCRYPTED PRIVATE KEY-----
...but this is the content of the file generated by OpenSSL.
Can you please give me a hint or an info where I can find an explanation of these error messages?
Instant Version is 18.104.22.168-22.214.171.124_58595; we want to install a GeoTrust certificate with CN=portal.xxx.at
There are a lot of different errors for certificates and the exact error message is needed to answer why it does not work like you expected. Most likely is that you access the WebUI on IP-address instead of the name that is in the certificate.
You best chances are to find someone that can look with you and analyze the certificate that is presented to find out if it is wrong and how to solve it. If you have access to Aruba Support, please contact them.
We create a new certificate with Comodo, and still send an error certificate on Aruba Instant.
What are we doing?
At Aruba, we believe that the most dynamic customer experiences happen at the Edge. Our mission is to deliver innovative solutions that harness data at the Edge to drive powerful business outcomes.
© Copyright 2021 Hewlett Packard Enterprise Development LPAll Rights Reserved.