Controllerless Networks


Instant Mode - the controllerless Wi-Fi solution that's easy to set up, is loaded with security and smarts, and won't break your budget

Certificate Expiration Inventory Automation for Aruba Controllers/APs

  • 1.  Certificate Expiration Inventory Automation for Aruba Controllers/APs

    Posted Mar 31, 2021 12:09 PM
    Hey Folks,

    If we have hundreds of controllers and thousands of APs - how are we supposed to create an automated inventory so renewals can be planned well ahead of time through the year along with hundreds of other renewals we plan?

    The CLI commands below do not even include the expiration date - you have to manually click through a GUI? What is the enterprise solution to this problem? An SNMP trap 60 days until expiration is not enough due to annual planning of thousands of certificates across many vendors for lifecycle management.

    (NodeName) *#show crypto-local pki
    allow-low-assurance-d.. Show low-assurance-devices config status
    CRL Show Certificate Revocation List
    crl-stats Show CRL requests stats
    IntermediateCA Show an intermediate CA certificate
    ocsp-client-stats Show OCSP client stats
    OCSPResponderCert Show a OCSP Responder certificate
    OCSPSignerCert Show a OCSP Signer certificate
    PublicCert Show a public certificate
    rcp Show revocation check point
    ServerCert Show a server certificate
    service-ocsp-responder Show OCSP Responder service status
    TrustedCA Show a trusted CA certificate

    (NodeName) *#show crypto-local pki TrustedCA

    Certificates
    ------------
    Name            Original Filename  Reference Count  Expired
    --------------  -----------------  ---------------  -------
    XYZPROD         xyz.cer            3                No
    XYZ01           XYZ01.cer          0                No



    ------------------------------
    Bradley Marshall
    ------------------------------


  • 2.  RE: Certificate Expiration Inventory Automation for Aruba Controllers/APs

    MVP GURU
    Posted Mar 31, 2021 12:41 PM
    You can look at the details of the certificate by adding the name you gave the certificate after the type of cert you're looking at. See example below.

    (ARUBA-MC01) [MDC] *#show crypto-local pki trustedCA InCommon-Root

    Certificate:
    Data:
    Version: 3 (0x2)
    Serial Number:
    01:fd:6d:30:fc:a3:ca:51:a8:1b:bc:64:0e:35:03:2d
    Signature Algorithm: sha384WithRSAEncryption
    Issuer: C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST Network, CN=USERTrust RSA Certification Authority
    Validity
    Not Before: Feb 1 00:00:00 2010 GMT
    Not After : Jan 18 23:59:59 2038 GMT
    Subject: C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST Network, CN=USERTrust RSA Certification Authority
    Subject Public Key Info:
    Public Key Algorithm: rsaEncryption
    Public-Key: (4096 bit)
    Modulus:
    00:80:12:65:17:36:0e:c3:db:08:b3:d0:ac:57:0d:
    76:ed:cd:27:d3:4c:ad:50:83:61:e2:aa:20:4d:09:
    2d:64:09:dc:ce:89:9f:cc:3d:a9:ec:f6:cf:c1:dc:
    f1:d3:b1:d6:7b:37:28:11:2b:47:da:39:c6:bc:3a:
    19:b4:5f:a6:bd:7d:9d:a3:63:42:b6:76:f2:a9:3b:



    (ARUBA-MC01) [MDC] *#show crypto-local pki trustedCA InCommon-Root | include "Not After"
    Not After : Jan 18 23:59:59 2038 GMT

    ------------------------------
    Dustin Burns
    ------------------------------
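Added example, not part of the original posts: one way to turn the per-certificate output shown above into a sortable expiry inventory. It assumes the `show crypto-local pki <type> <name>` text has already been collected from each node (collection is not shown); the second node, its certificate name, and its subject are constructed sample values.

```python
import re
from datetime import datetime, timezone

# Constructed sample: per-certificate CLI output keyed by (node, cert type, cert name).
# The first entry mirrors the output quoted above; the second is invented for illustration.
CAPTURED = {
    ("ARUBA-MC01", "trustedCA", "InCommon-Root"): """\
Validity
Not Before: Feb 1 00:00:00 2010 GMT
Not After : Jan 18 23:59:59 2038 GMT
Subject: C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST Network, CN=USERTrust RSA Certification Authority
""",
    ("EXAMPLE-MC02", "ServerCert", "example-portal"): """\
Validity
Not Before: Jun  1 00:00:00 2020 GMT
Not After : Jun  1 12:00:00 2021 GMT
Subject: CN=portal.example.test
""",
}

NOT_AFTER = re.compile(r"^\s*Not After\s*:\s*(.+?)\s+GMT\s*$", re.M)
SUBJECT = re.compile(r"^\s*Subject:\s*(.+)$", re.M)

def parse_cert(text):
    """Return (expiry as aware UTC datetime, subject) or raise ValueError."""
    m = NOT_AFTER.search(text)
    if not m:
        raise ValueError("no 'Not After' line in output")
    # Collapse the padding space that single-digit days can carry ("Jun  1").
    stamp = " ".join(m.group(1).split())
    expiry = datetime.strptime(stamp, "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)
    s = SUBJECT.search(text)
    return expiry, s.group(1).strip() if s else ""

def build_inventory(captured, now, window_days=365):
    """Rows sorted by soonest expiry; 'status' is EXPIRED, RENEW or OK."""
    rows = []
    for (node, kind, name), text in captured.items():
        expiry, subject = parse_cert(text)
        days = (expiry - now).days
        status = "EXPIRED" if expiry <= now else "RENEW" if days <= window_days else "OK"
        rows.append({"node": node, "type": kind, "name": name, "subject": subject,
                     "not_after": expiry.isoformat(), "days_left": days, "status": status})
    return sorted(rows, key=lambda r: r["days_left"])

if __name__ == "__main__":
    now = datetime(2021, 3, 31, tzinfo=timezone.utc)  # date of the original post
    for r in build_inventory(CAPTURED, now):
        print(f'{r["not_after"]}  {r["days_left"]:>5}d  {r["status"]:<7} {r["node"]} {r["type"]} {r["name"]}')
```

Output that lacks a "Not After" line, such as the summary table from the first post, raises ValueError instead of silently producing a row, so a missing certificate cannot look healthy in the inventory.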



  • 3.  RE: Certificate Expiration Inventory Automation for Aruba Controllers/APs

    EMPLOYEE
    Posted Apr 01, 2021 04:31 AM
    If you have ClearPass you could consider EST. This will handle the enrollment of certificates on the Aruba infrastructure and crucially the auto renewal.

    https://www.arubanetworks.com/techdocs/ArubaOS_8.8.0_Web_Help/Content/arubaos-solutions/manage-utilities/cert-enro-usin-est.htm

    ------------------------------
    Michael Clarke (Aruba)
    ------------------------------