Wireless Access

last person joined: yesterday 

Access network design for branch, remote, outdoor and campus locations with Aruba access points, and mobility controllers.
Expand all | Collapse all

AP 205 - How do I Generate CSR and then Bind new cert to Internal Captive Portal

This thread has been viewed 42 times
  • 1.  AP 205 - How do I Generate CSR and then Bind new cert to Internal Captive Portal

    Posted Nov 01, 2021 12:50 PM
    Currently we have AP 205's in our Enterprise network.

    They have been using the default 'securelogin.arubanetworks.com' certificate but that expired some time ago and we need to replace it.

    The documentation online states that you need to go to Configuration > Management > Certificates > CSR to generate CSR's

    The problem is I do not see this option in our Web UI. If I click Maintenance then Certificates I see the default Server Cert (see pic below)

    But there is no option to generate a CSR or choose which cert to bind to the internal Captive Portal for our splash page

    We are on firmware version 6.4.4.8-4.2.4.3_56707

    Are these options available in a different firmware or just not on the AP 205's we are using? 

    Thanks all.



    ------------------------------
    MICHAEL LEWTHWAITE
    ------------------------------


  • 2.  RE: AP 205 - How do I Generate CSR and then Bind new cert to Internal Captive Portal

    Posted Nov 01, 2021 06:55 PM
    the correct process is to upload your signed certificate (PEM format with passphrase) to IAP for Captive profile usage.



    ------------------------------
    Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba.
    ------------------------------



  • 3.  RE: AP 205 - How do I Generate CSR and then Bind new cert to Internal Captive Portal

    Posted Nov 02, 2021 08:12 AM
    Thanks Ariyap.

    I see that this shows how to upload it but in the documentation there is instructions on how to generate the CSR from Aruba. Is this not possible from the AP 205's? Do I need to just use something like OpenSSL.exe to gen the CSR?

    ------------------------------
    MICHAEL LEWTHWAITE
    ------------------------------



  • 4.  RE: AP 205 - How do I Generate CSR and then Bind new cert to Internal Captive Portal

    Posted Nov 02, 2021 11:21 AM
    If you have OpenSSL, use that to generate the private key and CSR. That procedure allows you to keep a copy of the private key, and install the same certificate on multiple clusters.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 5.  RE: AP 205 - How do I Generate CSR and then Bind new cert to Internal Captive Portal

    Posted Nov 02, 2021 12:14 PM
    Thanks Herman. I still have questions that may be for another topic but maybe you have the answer :)

    So we were using the basic internal Captive Portal which was using the default 'securelogin.arubanetworks.com' certificate which expired 9/2020.

    We now want our Guest Clients to access a Captive Portal with no browser issues. Does this mean that we can no longer use the Internal Captive Portal because that would be linked to securelogin.arubanetworks.com and of course we cannot get a cert for arubanetworks.com? Like do we now have to create an external Captive Portal with public cert if we want smooth guest access to a splash page authentication?

    Thanks again.

    Mike


    ------------------------------
    MICHAEL LEWTHWAITE
    ------------------------------



  • 6.  RE: AP 205 - How do I Generate CSR and then Bind new cert to Internal Captive Portal

    Posted Nov 02, 2021 12:27 PM
    Check here for the story behind this. In short, just get an HTTPS server (SSL) certificate, and install that on the Instant AP. The internal captive portal will automatically respond to the identity of that certificate, so you can even re-use a certificate that you have already as long as the name does not conflict with sites that your guests need to access.

    You will need a public trusted certificate for both internal and external captive portals.

    The securelogin.arubanetworks.com should not have worked for years, weird that you mention it expired last year; but that can be a self-signed certificate that is not trusted anyway and would have caused certificate warnings.

    If you have your APs managed by Central, you can use the aruba_default certificate, which will push a trusted securelogin.hpe.com certificate and makes that you don't need to install your own certificate (but still can).

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 7.  RE: AP 205 - How do I Generate CSR and then Bind new cert to Internal Captive Portal

    Posted Nov 02, 2021 02:10 PM
    Thanks so your saying that any public cert we have with any common name will work? 

    So if I upload a valid cert for xyz.abc.com to the Controller then the Internal Portal will automatically use that cert?

    What browser URL will pop up then when users connect to Guest? Like usually a user connects to guest network and then when they open their browser the url https://securelogin.arubanetworks.com/... opens with the splash page.

    So now after uploading the cert what page will open? Will it be the same but no cert error? (Sorry this is all a little confusing to me)

    We do not have Central so will be doing this in the Controller.

    Also when uploading the cert which option do we choose? "Auth Server"? 

    Thanks again. This is all extremely helpful!

    Mike

    ------------------------------
    MICHAEL LEWTHWAITE
    ------------------------------



  • 8.  RE: AP 205 - How do I Generate CSR and then Bind new cert to Internal Captive Portal

    Posted 30 days ago
    I see I was not completely clear. Yes, you can upload a public trusted certificate for any domain, and the (internal) captive portal page will show on that URL. If you have an external captive portal you will need 2 public trusted certificates, one for the Instant AP (for the actual logon) and one for the external captive portal.

    As you cannot get trusted certificates for any domain, just for your own, get a certificate on your own domain like guest.your-domain.com, or login.your-domain.com, or basically it doesn't matter but it is the URL that users see (or don't see more often as the URL is hidden in the browser). If the certificate is indeed properly public trusted, users will not see any certificate warnings. You need to have a domain in order to get public trusted certificates, and there are no specific requirements on the certificate or certificate authority, you can get your approved vendor, or just the cheapest, you can get an EV certificate, or just a normal certificate, Wildcard, multi-domain,multi-SAN,single-domain, and because the AP will 'impersonate' the domain that is in the uploaded certificate you can use the same certificate on all of your APs, and even re-use an existing certificate, or when managed by central use the securelogin.hpe.com certificate (aruba_default) from there.

    You upload the certificate as Captive Portal (older firmware), or as Server Certificate and configure the Certificate Usage as Captive portal certificate (newer firmware):


    Hope all is clear now.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 9.  RE: AP 205 - How do I Generate CSR and then Bind new cert to Internal Captive Portal

    Posted 29 days ago
    Thanks so much Herman! I think I got most of it now. So I'll just gen a csr using OpenSSL.exe for guest.mydomain.com Then will get from my CA and upload it to all my controllers (different branch locations) as a captive portal cert (i'm on older firmware).

    Then when users login to Guest the browser splash page will open automatically with guest.mydomain.com so it will be trusted with no issues.

    The only other questions I have are:

    When I generate the cert should I use -nodes for no encryption / passphrase?
    We use DigiCert to create and download the cert. What file type is the controller looking for - .cer, .crt, .pem.? 
    Also, do I need to upload anything else? Private key, or other certs like the Intermediate or Root CA or just this one .cer/.crt/.pem?

    Mike 


    ------------------------------
    MICHAEL LEWTHWAITE
    ------------------------------



  • 10.  RE: AP 205 - How do I Generate CSR and then Bind new cert to Internal Captive Portal

    Posted 29 days ago
    For uploading, the upload screen should tell you and for me it is x509, where the extension can be any of those 3, but I normally go for .pem (base64).

    Put all components in one file:
    ---- BEGIN CERT ----
    <server cert that was signed by your CA>
    ---- END CERT ----
    ---- BEGIN CERT ----
    <intermediate that signed your server cert>
    ---- END CERT ----
    ---- BEGIN CERT ----
    <optional repeat for other intermediates; don't include the root CA>
    ---- END CERT ----
    ---- BEGIN (Optional: ENCRYPTED) KEY ----
    <your private key>
    ---- END KEY ----

    During the upload you can enter the passphrase, so you can upload the key encrypted or non-encrypted. Also, encryption is something you can even change later on with OpenSSL.

    I think it is best practice to put a passphrase on your key, in case someone finds it in a backup or open filesystem that your key is not compromised.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 11.  RE: AP 205 - How do I Generate CSR and then Bind new cert to Internal Captive Portal

    Posted 24 days ago
    Herman,

    THANK YOU THANK YOU!!!  All our portals are working now. Your help is so greatly appreciated!

    For others note that for the cert we just used OpenSSL: 

    OpenSSL.exe req -newkey rsa:2048 -nodes -keyout C:\Install\Aruba\ArubaGuest.key -out C:\Install\Aruba\ArubaGuest.csr

    Then obtained Pem's from Digicert. Then put the cert and private key together in a .pem and uploaded to Controllers as Captive Portal. (Only cert and key, no intermediate or root)


    ---- BEGIN CERT ----
    <server cert that was signed by your CA>
    ---- END CERT ----
    ---- BEGIN KEY ----
    <your private key>
    ---- END KEY ----


    ------------------------------
    MICHAEL LEWTHWAITE
    ------------------------------



  • 12.  RE: AP 205 - How do I Generate CSR and then Bind new cert to Internal Captive Portal

    Posted 23 days ago
    Please be warned that you can expect issues with some devices that without the intermediate the certificate will not be trusted.

    Most devices will cache an intermediate certificate once they see it... but devices that have not seen a certificate from the same intermediate will throw an untrusted connection error. It's strongly recommended to add the intermediate(s) to the certificate that you import (certificate chaining).

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 13.  RE: AP 205 - How do I Generate CSR and then Bind new cert to Internal Captive Portal

    Posted 23 days ago
    Thanks Herman. For some reason I had an issue with the Intermediate installing but I took the time and figured it out. Thanks for the warning!

    ------------------------------
    MICHAEL LEWTHWAITE
    ------------------------------