How to load captive portal certificate to IAP through Airwave

By esupport posted Sep 09, 2016 08:24 PM


IAP 4.1 and Later versions

AMP 8.0 and above versions


The latest IAP versions support uploading a customized captive portal server certificate in PEM or PKCS#12 format. The captive portal server certificate verifies the internal captive portal server’s identity to the client.

Airwave Management server (AMP) can be used to manage IAP certificates such as the server certificate and the captive portal server certificate.

The AMP performs basic certificate verification (such as certificate type, format, version, serial number and so on) before accepting the certificate and uploading it to an IAP network. The AMP packages the text of the certificate into an HTTPS message and sends it to the Virtual Controller (VC). After the VC receives this message, it extracts the certificate content from the message, converts it to the right format, and saves it.


Loading a certificate in Airwave.

  1. From Device Setup >> Certificates page, click ‘Add’ to upload a new certificate.
  2. From certificate upload, enter certificate name and choose certificate file.
  3. Enter the passphrase if any.
  4. Select appropriate format that matches the certificate file.
  5. Select the certificate type as ‘Captive Portal Cert’

Selecting the certificate for IAP.

Note: The user **MUST** resolve configuration audit mismatches for the IAP VC before performing the activity below, to avoid an unexpected configuration push to the IAP VC. Contact Aruba Support if you need help resolving a mismatch for an IAP.

  1. Navigate to the AMP Group to which the IAPs are added.
  2. From Groups >> Basic page >> Aruba Instant section, select the new captive portal certificate uploaded to AMP.
  3. Click Save and Apply to push the certificate to the IAPs.



Note:  When using template based configuration management for IAP, ensure the template has the line "%captive_portal_cert_checksum%". This line forces AMP to audit and push captive portal certificate to VC.





AMP Log :

The AMP /var/log/igc/igc.log file shows AMP's progress in pushing the captive portal certificate to the IAP.


igc.log file:

2016-09-09 16:07:26,134 INFO  Group change type[update] for table[ap_group]

2016-09-09 16:07:26,135 INFO  Message sending:


2016-09-09 16:07:42,130 INFO  Core[1] Received message with type: config

2016-09-09 16:07:42,191 INFO  Message sending:

cp-cert-checksum 951d876d3d48d9d00b9424d75cb099f3

2016-09-09 16:07:42,508 INFO  Message sending:


2016-09-09 16:07:58,421 INFO  Core[1] Received message with type: config

2016-09-09 16:07:58,460 INFO  Message sending:



AMP debug:

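To debug AMP swarm messages, enable qlog debug for swarm_debug and decode the swarm debug file for the commands topic. Below are example messages from AMP to IAP showing the captive portal certificate install. The decoded messages include the X-Cert-Psk value and the PEM private key in clear text, so treat the decoded file as sensitive.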

commands topic log file:

Fri Sep  9 16:07:42 2016 (1473462462.052058)


          cmd => [


X-Interval: 4'


          guid => 'ab9474ed01b3aecbb190ebadea59663faed56759c2c4f700d7'


Fri Sep  9 16:07:54 2016 (1473462474.303502)


          cmd => [


X-Cert-Type: cp_cert

X-Cert-Format: pem_format

X-Cert-Psk: aruba123

X-Mark: more',

                   '-----BEGIN RSA PRIVATE KEY-----


IAP Command:

The IAP CLI command “show cpcert” confirms the captive portal certificate in use.

1 comment


Dec 29, 2016 05:04 PM

I was hoping I would come across some info as to why importing the pem file wasn't working in airwave for IAP Captive Portal. I was able to answer the question and wanted to post in case someone else had the same issue.


Airwave requires the private key in the pem file to be *not* encrypted. If you have an encrypted private key in your pem file, airwave will not accept this file format. You will need to re-create your cert / private key with a non-encrypted pkey and try again.
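A pre-upload check for the condition described in the comment above, as an added example that is not part of the original article, the comment, or any Aruba tooling. It assumes the PEM file is expected to carry the certificate and its private key together, as the comment and the debug excerpt suggest; the function names are hypothetical and the sample bundles are constructed placeholders with no real key material.

```python
import re
import sys

# One PEM block: label, then optional RFC 1421 headers plus base64 body.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.DOTALL)

def inspect_pem(text):
    """Return (certificate_count, [(key_label, is_encrypted), ...])."""
    certs, keys = 0, []
    for label, body in PEM_BLOCK.findall(text):
        if label == "CERTIFICATE":
            certs += 1
        elif label.endswith("PRIVATE KEY"):
            # PKCS#8 encrypted keys have their own label; traditional OpenSSL
            # keys mark encryption with a "Proc-Type: 4,ENCRYPTED" header.
            legacy = re.search(r"^Proc-Type:\s*4,ENCRYPTED", body, re.M)
            keys.append((label, label == "ENCRYPTED PRIVATE KEY" or bool(legacy)))
    return certs, keys

def preflight(text):
    """Return a list of problems; an empty list means the bundle looks uploadable."""
    certs, keys = inspect_pem(text)
    problems = []
    if certs == 0:
        problems.append("no CERTIFICATE block")
    if not keys:
        problems.append("no private key block")
    problems += [f"'{label}' block is encrypted" for label, enc in keys if enc]
    return problems

def _block(label, headers=""):
    # Constructed placeholder body: structure only, not real key material.
    return f"-----BEGIN {label}-----\n{headers}Q09OU1RSVUNURUQ=\n-----END {label}-----\n"

CERT = _block("CERTIFICATE")
GOOD = CERT + _block("RSA PRIVATE KEY")
LEGACY_ENC = CERT + _block(
    "RSA PRIVATE KEY",
    "Proc-Type: 4,ENCRYPTED\nDEK-Info: AES-256-CBC,00112233445566778899AABBCCDDEEFF\n\n")
PKCS8_ENC = CERT + _block("ENCRYPTED PRIVATE KEY")

if __name__ == "__main__":
    if len(sys.argv) > 1:  # check a real file: python check_pem.py bundle.pem
        with open(sys.argv[1], encoding="ascii", errors="replace") as fh:
            issues = preflight(fh.read())
    else:  # no argument: run against the constructed encrypted sample
        issues = preflight(LEGACY_ENC)
    print("\n".join(issues) or "OK: certificate and unencrypted private key found")
    sys.exit(1 if issues else 0)
```

The check looks only at PEM labels and headers, so it never needs the passphrase and never decodes the key.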