Hi Marc,
Basically, a certificate request consists of the following steps.
1. Create a Certificate Signing Request (CSR) with the common name (CN) "captive-portal.domain.com" and optionally with some Subject Alternative Names (SAN). Please note that the private key is created on the same device where you create the request.
2. Upload your CSR to a public certificate authority (CA) like www.sectigo.com. When you use only a CN you can order a single-domain certificate; when you have SAN names other than www.domain.com you need a multi-domain certificate. Optionally, a wildcard certificate "*.domain.com" can also be used but isn't always recommended.
3. Prove/validate your domain ownership by email, DNS hosting or web-based validation; you get instructions from the Certificate Authority.
4. After you are validated you can download your certificate.crt and a bundle with the root and intermediate certificates. Remember the private key was already owned by yourself.
When you create the CSR on the box itself you can directly import the certificate, CA root and intermediate into the box, because the private key is already there. When you create the CSR on an external device you will most likely create a PKCS12 (PFX) certificate; a PKCS12 can contain the server certificate, private key, root certificate and intermediate certificates all-in-one. You can easily create this with OpenSSL, which is available by default on every Linux box, like a Raspberry Pi for example, but you can also download a ported Windows version. It's very important that "the chain" is in the correct order in the PKCS12, else you get issues where the certificate isn't trusted on some types of devices.
If you use the internal captive portal on your box you need one HTTPS server certificate.
If you use an external captive portal like Aruba ClearPass you need two HTTPS server certificates, one for the page itself, one for the controller form POST.
Some examples of how you can work with OpenSSL you can find on my blog
https://blog.marcelkoedijk.nl
Also google for the "Aruba ClearPass Certificate 101" documentation and see the Airheads Broadcast Channel
https://www.youtube.com/c/ABCNetworking
Hope this helps you with the basics.
------------------------------
Marcel Koedijk | MVP Expert 2022 | ACEP | ACMP | ACCP | ACDP | Ekahau ECSE | Not an HPE Employee | Opinions are my own
------------------------------
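The steps in the reply above, as an added example that is not taken from Marcel's post or blog: it creates the key and CSR, bundles the issued certificate into a PKCS12, and checks that the stored chain runs leaf, intermediate, root. Assumptions: OpenSSL 1.1.1 or later, a throwaway "Demo Root"/"Demo Intermediate" CA constructed here in place of the public CA so the script runs offline, and hypothetical file names and export password.

```shell
#!/usr/bin/env bash
# Added example (not from the post): CSR -> issued cert -> PKCS12 with an ordered chain.
set -eu
CN="captive-portal.domain.com"   # CN from the post; domain.com is a placeholder

make_csr() {   # $1 = work dir; key and CSR are created on the same machine
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$CN" \
    -addext "subjectAltName=DNS:$CN" \
    -keyout "$1/server.key" -out "$1/server.csr" 2>/dev/null
}

demo_ca_issue() {   # constructed stand-in for the public CA (offline demo only)
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Demo Root" \
    -keyout "$1/root.key" -out "$1/root.crt" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate" \
    -keyout "$1/int.key" -out "$1/int.csr" 2>/dev/null
  echo "basicConstraints=critical,CA:TRUE" > "$1/int.ext"
  echo "subjectAltName=DNS:$CN" > "$1/leaf.ext"
  openssl x509 -req -in "$1/int.csr" -CA "$1/root.crt" -CAkey "$1/root.key" \
    -CAcreateserial -days 2 -extfile "$1/int.ext" -out "$1/int.crt" 2>/dev/null
  openssl x509 -req -in "$1/server.csr" -CA "$1/int.crt" -CAkey "$1/int.key" \
    -CAcreateserial -days 2 -extfile "$1/leaf.ext" -out "$1/server.crt" 2>/dev/null
}

make_pfx() {   # $1 = dir, $2 = output name, $3.. = CA certs in the order to store
  dir=$1; out=$2; shift 2
  cat "$@" > "$dir/chain.pem"
  openssl pkcs12 -export -inkey "$dir/server.key" -in "$dir/server.crt" \
    -certfile "$dir/chain.pem" -name "$CN" \
    -passout pass:demo-only -out "$dir/$out"
}

chain_in_order() {   # succeeds only if each cert's issuer is the next cert's subject
  openssl pkcs12 -in "$1" -nokeys -passin pass:demo-only 2>/dev/null |
    awk '/^subject=/ { s = substr($0, 9); if (seen++ && s != iss) bad = 1 }
         /^issuer=/  { iss = substr($0, 8) }
         END { exit (bad || seen < 3) }'
}

work=$(mktemp -d); trap 'rm -rf "$work"' EXIT
make_csr "$work"; demo_ca_issue "$work"
make_pfx "$work" good.pfx "$work/int.crt" "$work/root.crt"   # intermediate, then root
make_pfx "$work" bad.pfx  "$work/root.crt" "$work/int.crt"   # root before intermediate
chain_in_order "$work/good.pfx" && echo "good.pfx: chain in order"
chain_in_order "$work/bad.pfx"  || echo "bad.pfx: chain out of order"
```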
Original Message:
Sent: Jan 20, 2022 04:54 PM
From: Marc Facella
Subject: Controller Captive Portal Certificate
Hello,
I have been reading posts in regards to captive portal certificates but I am still unclear on what is needed. I am using Aruba OS 8.5 and would like to set up a guest network captive portal with an SSL cert I purchased from a CA. I have seen posts which involve OpenSSL and combining certs, but is that required? The certs I have are intermediate, root and server certificate, and I also have a chainbundle cert, but I am not certain which certs are required for a guest captive portal (no auth). I need the cert to work on iPads, Macs and Windows computers.
Thanks for any assistance
MJF
------------------------------
Marc Facella
------------------------------