Wireless Access


Access network design for branch, remote, outdoor and campus locations with Aruba access points, and mobility controllers.

Controller Captive Portal Certificate

  • 1.  Controller Captive Portal Certificate

    Posted Jan 20, 2022 04:55 PM

    I have been reading posts in regard to captive portal certificates, but I am still unclear on what is needed. I am using Aruba OS 8.5 and would like to set up a guest network captive portal with an SSL cert I purchased from a CA. I have seen posts which involve OpenSSL and combining certs, but is that required? The certs I have are intermediate, root and server certificates, and I also have a chain bundle cert, but I am not certain which certs are required for a guest captive portal (no auth). I need the cert to work on iPads, Macs and Windows computers.

    Thanks for any assistance


    Marc Facella

  • 2.  RE: Controller Captive Portal Certificate

    Posted Jan 20, 2022 06:27 PM
    Hi Marc,

    Basically, a certificate request consists of the following steps.
    1. Create a Certificate Signing Request (CSR) with the common name (CN) "captive-portal.domain.com" and optionally with some Subject Alternate Names (SAN). Please note that the private key is created on the same device where you create the request.
    2. Upload your CSR to a public certificate authority (CA) like www.sectigo.com. When you use only a CN you can order a single-domain certificate; when you have SAN names other than www.domain.com you need a multi-domain certificate. Optionally, a wildcard certificate "*.domain.com" can also be used but isn't always recommended.
    3. Prove/validate your domain ownership by email, DNS hosting or web-based validation, following the instructions you get from the Certificate Authority.
    4. After you are validated you can download your certificate.crt and a bundle with the root and intermediate certificates. Remember the private key was already owned by yourself.

    When you create the CSR on the box itself you can directly import the certificate, CA root and intermediate into the box, because the private key is already there. When you create the CSR on an external device you will most likely create a PKCS12 (PFX) certificate. A PKCS12 can contain the server certificate, private key, root certificate and intermediate certificates all-in-one. You can easily create this with OpenSSL, which is available by default on every Linux box, like a Raspberry Pi for example, but you can also download a ported Windows version. It's very important that "the chain" is in the correct order in the PKCS12, otherwise you get issues where the certificate isn't trusted on some types of devices.

    If you use the internal captive portal on your box you need one HTTPS server certificate.
    If you use an external captive portal like Aruba ClearPass you need two HTTPS server certificates, one for the page itself, one for the controller form POST.

    You can find some examples of how to work with OpenSSL on my blog https://blog.marcelkoedijk.nl
    Also Google for the "Aruba ClearPass Certificate 101" documentation and see the Airheads Broadcast Channel https://www.youtube.com/c/ABCNetworking.

    Hope this helps you with the basics.

    Marcel Koedijk | MVP Expert 2022 | ACEP | ACMP | ACCP | ACDP | Ekahau ECSE | Not an HPE Employee | Opinions are my own
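
The CSR, chain-order and PKCS12 steps described in the reply above, as an added example that is not part of the original post or Marcel's own code. It assumes OpenSSL 1.1.1 or later; the lab root and intermediate CA, the file names, the `chain_in_order` and `build_p12` helpers and the export passphrase are all constructed for the demo.

```shell
#!/usr/bin/env bash
# Added example: a lab root/intermediate stands in for the public CA; names and passphrase are constructed.
set -eu
cd "$(mktemp -d)"
HOST="captive-portal.domain.com"   # CN from step 1 of the reply
# Minimal request config: CN plus a matching SAN, no interactive prompts.
printf '[req]\nprompt=no\ndistinguished_name=dn\nreq_extensions=ext\n[dn]\nCN=%s\n' "$HOST" > csr.cnf
printf '[ext]\nsubjectAltName=DNS:%s\n' "$HOST" >> csr.cnf
printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext
printf 'subjectAltName=DNS:%s\n' "$HOST" > leaf.ext

# Step 1: key and CSR are created together; the private key stays on this machine.
openssl req -new -newkey rsa:2048 -nodes -config csr.cnf -keyout server.key -out server.csr 2>/dev/null

# Stand-in for steps 2-4 (normally done by the public CA): lab root -> intermediate -> server.
for ca in root intermediate; do
  openssl req -new -newkey rsa:2048 -nodes -config csr.cnf -subj "/CN=Lab $ca CA" \
    -keyout "$ca.key" -out "$ca.csr" 2>/dev/null
done
openssl x509 -req -in root.csr -signkey root.key -extfile ca.ext -days 30 -out root.crt 2>/dev/null
openssl x509 -req -in intermediate.csr -CA root.crt -CAkey root.key -CAcreateserial \
  -extfile ca.ext -days 30 -out intermediate.crt 2>/dev/null
openssl x509 -req -in server.csr -CA intermediate.crt -CAkey intermediate.key -CAcreateserial \
  -extfile leaf.ext -days 30 -out server.crt 2>/dev/null

chain_in_order() {   # returns 0 if every cert in bundle $1 is issued by the cert after it
  local d f subj want=""
  d=$(mktemp -d)
  awk -v d="$d" '/BEGIN CERTIFICATE/{n++; f=sprintf("%s/%02d.pem", d, n)} n{print > f}' "$1"
  for f in "$d"/*.pem; do
    subj=$(openssl x509 -in "$f" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//')
    [ -z "$want" ] || [ "$subj" = "$want" ] || return 1
    want=$(openssl x509 -in "$f" -noout -issuer -nameopt RFC2253 | sed 's/^issuer= *//')
  done
}

build_p12() {        # exports only if the chain verifies and the bundle is leaf-first
  openssl verify -CAfile root.crt -untrusted intermediate.crt server.crt >/dev/null || return 1
  chain_in_order "$1" || return 1
  openssl pkcs12 -export -inkey server.key -in "$1" -name "$HOST" \
    -passout pass:demo-only -out portal.p12
}

cat server.crt intermediate.crt root.crt > good.pem   # leaf, intermediate, root
cat server.crt root.crt intermediate.crt > bad.pem    # constructed mis-ordered bundle
build_p12 good.pem && echo "portal.p12 written"
chain_in_order bad.pem || echo "bad.pem: chain out of order"
```

With real files, skip the lab CA block and run `chain_in_order` on the server certificate concatenated with the bundle downloaded from the CA before exporting.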

  • 3.  RE: Controller Captive Portal Certificate

    Posted Jan 21, 2022 04:02 AM
    If you want to use OpenSSL, check this entry on Aruba Solution Exchange for guided steps, including getting it signed.

    Herman Robers
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.