Wireless Access


Access network design for branch, remote, outdoor and campus locations with Aruba access points, and mobility controllers.

Installing 3rd party certs onto controllers

  • 1.  Installing 3rd party certs onto controllers

    Posted Jul 15, 2021 12:11 PM
    Hello,

    AOS 8.7.1.4 on dev system

    I want to install publicly signed certs on our dev controllers (live system too if I can get this to work).

    I used OpenSSL to generate a private key and CSR for one of the controllers (we have 2 clusters of 2 controllers in the dev system). We get our certs through Sectigo; I downloaded the cert with cert chain (in one PEM file). Then I converted that to a PKCS#12 .p12 file using OpenSSL:

    openssl pkcs12 -export -out uws-mc-a1-dev_wireless_cam_ac_uk.p12 -inkey uws-mc-a1-dev_2021.key -in uws-mc-a1-dev_wireless_cam_ac_uk.cer -certfile ../AAACertificateServices.crt

    This worked fine (as far as I can tell) so I went to the MM, selected the controller uws-mc-a1-dev in the tree and then went System -> Certificates -> Import and successfully imported the cert as a Server Cert. But if I browse to that controller I still seem to be getting the Aruba untrusted cert. Am I importing to the wrong place? Or is there somewhere else in the config I need to tell it to use the new certificate?

    Thank you!

    Guy

    ------------------------------
    Guy Goodrick
    ------------------------------
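
Added example (not part of the original thread and not Aruba tooling): a pre-import check for the PKCS#12 conversion described in the first post, confirming that the private key matches the leaf certificate, that the leaf chains to the CA file, and that the bundle carries both certificates. The function names, file names, subjects and export password are constructed test values, and it assumes `openssl` is on the PATH.

```shell
#!/usr/bin/env bash
# Added example: pre-import checks for a PKCS#12 bundle. All names are constructed.

# Succeeds only when the private key and the certificate hold the same public key.
key_matches_cert() {            # $1 = key PEM, $2 = certificate PEM
  local k c
  k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
  c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# Succeeds when the leaf certificate chains to the given CA file.
chain_verifies() {              # $1 = CA/chain PEM, $2 = leaf PEM
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Prints how many certificates the bundle carries (leaf + chain expected).
p12_cert_count() {              # $1 = .p12 file, $2 = export password
  openssl pkcs12 -in "$1" -nokeys -passin "pass:$2" 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

# Builds a throwaway CA, a leaf for a constructed host name, an unrelated key,
# and a .p12 made the same way as in the post; prints the working directory.
make_demo_bundle() {
  local d; d=$(mktemp -d) || return 1
  {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Constructed Test CA" \
      -keyout "$d/ca.key" -out "$d/ca.crt"
    openssl req -newkey rsa:2048 -nodes -subj "/CN=controller.example.test" \
      -keyout "$d/mc.key" -out "$d/mc.csr"
    openssl x509 -req -in "$d/mc.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
      -CAcreateserial -days 1 -out "$d/mc.crt"
    openssl genrsa -out "$d/other.key" 2048
    openssl pkcs12 -export -out "$d/mc.p12" -inkey "$d/mc.key" -in "$d/mc.crt" \
      -certfile "$d/ca.crt" -passout pass:constructed
  } >/dev/null 2>&1
  echo "$d"
}

demo_dir=$(make_demo_bundle)
key_matches_cert "$demo_dir/mc.key" "$demo_dir/mc.crt" && echo "key matches certificate"
key_matches_cert "$demo_dir/other.key" "$demo_dir/mc.crt" || echo "wrong key detected"
chain_verifies "$demo_dir/ca.crt" "$demo_dir/mc.crt" && echo "chain verifies"
echo "certificates in bundle: $(p12_cert_count "$demo_dir/mc.p12" constructed)"
rm -rf "$demo_dir"
```
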


  • 2.  RE: Installing 3rd party certs onto controllers

    Posted Jul 15, 2021 03:26 PM
    You should import the certificate at the top level, so that you can use that certificate for all controllers.
    You also need to go to Configuration > System > More > General. Click on the dropdown next to Captive Portal certificate and you should see the certificate imported there. Select it to make it the captive portal certificate.

    ------------------------------
    Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
    ------------------------------



  • 3.  RE: Installing 3rd party certs onto controllers

    Posted Jul 18, 2021 05:33 PM
    Hello Colin,

    Thanks, I tried this and I still get a cert warning (in Firefox it just won't let me browse to the controller at all). It looks like the securelogin.arubanetworks.com cert is still being used when I browse directly to this particular controller (i.e. not through the MM).

    Guy

    ------------------------------
    Guy Goodrick
    ------------------------------



  • 4.  RE: Installing 3rd party certs onto controllers

    Posted Jul 18, 2021 05:40 PM
    Aaaaaah I had missed the final step - I hadn't specified the new cert under System -> Admin -> Server Certificate !

    Ok now it is working. Apologies, it makes sense now.

    ------------------------------
    Guy Goodrick
    ------------------------------



  • 5.  RE: Installing 3rd party certs onto controllers

    Posted Jul 18, 2021 06:33 PM
    But something I don't understand in your reply is "so that you can use that certificate for all controllers". At the moment I am installing an individual cert for each controller (based on the name of each controller). Is that not the way you would do it?

    ------------------------------
    Guy Goodrick
    ------------------------------



  • 6.  RE: Installing 3rd party certs onto controllers

    Posted Jul 19, 2021 04:49 AM
    Yes.  You would install the certificates as high as you can, so it would be available to the controllers you want.  For captive portal (not your example), you would make it as high as you can, because those certificates can be used on multiple controllers (I gave you the wrong config, sorry).

    ------------------------------
    Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
    ------------------------------



  • 7.  RE: Installing 3rd party certs onto controllers

    Posted Jul 19, 2021 06:03 AM
    Thanks Colin, ok that's useful. A colleague suggested we might put all the controllers into a controller domain and create a wildcard cert for that domain, which might save a little hassle when adding new controllers in future. We could do as you suggest - install it at a high level - and just select it as needed.

    Guy

    ------------------------------
    Guy Goodrick
    ------------------------------