I see I was not completely clear. Yes, you can upload a public trusted certificate for any domain, and the (internal) captive portal page will show on that URL. If you have an external captive portal you will need 2 public trusted certificates, one for the Instant AP (for the actual logon) and one for the external captive portal.
As you cannot get trusted certificates for any domain, just for your own, get a certificate on your own domain like guest.your-domain.com, or login.your-domain.com, or basically it doesn't matter but it is the URL that users see (or don't see more often as the URL is hidden in the browser). If the certificate is indeed properly public trusted, users will not see any certificate warnings. You need to have a domain in order to get public trusted certificates, and there are no specific requirements on the certificate or certificate authority, you can get your approved vendor, or just the cheapest, you can get an EV certificate, or just a normal certificate, Wildcard, multi-domain, multi-SAN, single-domain, and because the AP will 'impersonate' the domain that is in the uploaded certificate you can use the same certificate on all of your APs, and even re-use an existing certificate, or when managed by Central use the securelogin.hpe.com certificate (aruba_default) from there.
You upload the certificate as Captive Portal (older firmware), or as Server Certificate and configure the Certificate Usage as Captive portal certificate (newer firmware):
Hope all is clear now.
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------
Original Message:
Sent: Nov 02, 2021 02:09 PM
From: MICHAEL LEWTHWAITE
Subject: AP 205 - How do I Generate CSR and then Bind new cert to Internal Captive Portal
Thanks, so you're saying that any public cert we have with any common name will work?
So if I upload a valid cert for xyz.abc.com to the Controller then the Internal Portal will automatically use that cert?
What browser URL will pop up then when users connect to Guest? Like usually a user connects to guest network and then when they open their browser the url https://securelogin.arubanetworks.com/... opens with the splash page.
So now after uploading the cert what page will open? Will it be the same but no cert error? (Sorry this is all a little confusing to me)
We do not have Central so will be doing this in the Controller.
Also when uploading the cert which option do we choose? "Auth Server"?
Thanks again. This is all extremely helpful!
Mike
------------------------------
MICHAEL LEWTHWAITE
Original Message:
Sent: Nov 02, 2021 12:26 PM
From: Herman Robers
Subject: AP 205 - How do I Generate CSR and then Bind new cert to Internal Captive Portal
Check here for the story behind this. In short, just get an HTTPS server (SSL) certificate, and install that on the Instant AP. The internal captive portal will automatically respond to the identity of that certificate, so you can even re-use a certificate that you have already as long as the name does not conflict with sites that your guests need to access.
You will need a public trusted certificate for both internal and external captive portals.
The securelogin.arubanetworks.com should not have worked for years, weird that you mention it expired last year; but that can be a self-signed certificate that is not trusted anyway and would have caused certificate warnings.
If you have your APs managed by Central, you can use the aruba_default certificate, which will push a trusted securelogin.hpe.com certificate and means that you don't need to install your own certificate (but still can).
------------------------------
Herman Robers
------------------------
Original Message:
Sent: Nov 02, 2021 12:14 PM
From: MICHAEL LEWTHWAITE
Subject: AP 205 - How do I Generate CSR and then Bind new cert to Internal Captive Portal
Thanks Herman. I still have questions that may be for another topic but maybe you have the answer :)
So we were using the basic internal Captive Portal which was using the default 'securelogin.arubanetworks.com' certificate which expired 9/2020.
We now want our Guest Clients to access a Captive Portal with no browser issues. Does this mean that we can no longer use the Internal Captive Portal because that would be linked to securelogin.arubanetworks.com and of course we cannot get a cert for arubanetworks.com? Like do we now have to create an external Captive Portal with public cert if we want smooth guest access to a splash page authentication?
Thanks again.
Mike
------------------------------
MICHAEL LEWTHWAITE
Original Message:
Sent: Nov 02, 2021 11:21 AM
From: Herman Robers
Subject: AP 205 - How do I Generate CSR and then Bind new cert to Internal Captive Portal
If you have OpenSSL, use that to generate the private key and CSR. That procedure allows you to keep a copy of the private key, and install the same certificate on multiple clusters.
------------------------------
Herman Robers
------------------------
Original Message:
Sent: Nov 02, 2021 08:12 AM
From: MICHAEL LEWTHWAITE
Subject: AP 205 - How do I Generate CSR and then Bind new cert to Internal Captive Portal
Thanks Ariyap.
I see that this shows how to upload it but in the documentation there are instructions on how to generate the CSR from Aruba. Is this not possible from the AP 205's? Do I need to just use something like OpenSSL.exe to gen the CSR?
------------------------------
MICHAEL LEWTHWAITE
Original Message:
Sent: Nov 01, 2021 06:54 PM
From: Ariya Parsamanesh
Subject: AP 205 - How do I Generate CSR and then Bind new cert to Internal Captive Portal
The correct process is to upload your signed certificate (PEM format with passphrase) to IAP for Captive profile usage.
------------------------------
Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba.
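The OpenSSL route suggested in this thread, as an added example (not written by any poster and not Aruba's tooling): generate the key and CSR off the AP, confirm the returned certificate matches the kept key, and build the passphrase-protected PEM for upload. The hostname, file names, passphrase, bundle order and key encoding are assumptions; a self-signed certificate stands in for the CA's reply so the script runs offline.

```shell
#!/bin/sh
# Added example. Hostname, file names and passphrase are placeholders.
set -eu

make_csr() {            # make_csr <fqdn> <dir>: key + CSR, generated off the AP
    ( umask 077         # keep the private key readable by the owner only
      openssl req -new -newkey rsa:2048 -nodes \
          -keyout "$2/portal.key" -out "$2/portal.csr" \
          -subj "/CN=$1" -addext "subjectAltName=DNS:$1" 2>/dev/null )
}

key_matches_cert() {    # key_matches_cert <key> <cert>: same public key?
    k=$(openssl pkey -in "$1" -pubout | openssl sha256)
    c=$(openssl x509 -in "$2" -noout -pubkey | openssl sha256)
    [ "$k" = "$c" ]
}

make_bundle() {         # make_bundle <cert> <chain> <key> <out>
    # Assumed layout: server cert, CA chain, then the key encrypted with
    # the passphrase in $PORTAL_PASS (the same one given at upload time).
    ( umask 077
      cat "$1" "$2" > "$4"
      openssl pkey -in "$3" -aes256 -passout env:PORTAL_PASS >> "$4" )
}

# --- demo on constructed input: a self-signed cert stands in for the CA reply
WORK=$(mktemp -d)
FQDN="guest.your-domain.com"
export PORTAL_PASS="constructed-demo-passphrase"
make_csr "$FQDN" "$WORK"
openssl x509 -req -in "$WORK/portal.csr" -signkey "$WORK/portal.key" \
    -days 1 -out "$WORK/portal.crt" 2>/dev/null
: > "$WORK/chain.pem"   # empty here; the CA's intermediate(s) in real use
key_matches_cert "$WORK/portal.key" "$WORK/portal.crt"
make_bundle "$WORK/portal.crt" "$WORK/chain.pem" "$WORK/portal.key" \
    "$WORK/portal-bundle.pem"
echo "bundle written to $WORK/portal-bundle.pem"
```

Because the unencrypted `portal.key` is what makes the certificate reusable across clusters, store it offline with the same care as the passphrase.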
Original Message:
Sent: Nov 01, 2021 12:49 PM
From: MICHAEL LEWTHWAITE
Subject: AP 205 - How do I Generate CSR and then Bind new cert to Internal Captive Portal
Currently we have AP 205's in our Enterprise network.
They have been using the default 'securelogin.arubanetworks.com' certificate but that expired some time ago and we need to replace it.
The documentation online states that you need to go to Configuration > Management > Certificates > CSR to generate CSR's.
The problem is I do not see this option in our Web UI. If I click Maintenance then Certificates I see the default Server Cert (see pic below).
But there is no option to generate a CSR or choose which cert to bind to the internal Captive Portal for our splash page.
We are on firmware version 6.4.4.8-4.2.4.3_56707
Are these options available in a different firmware or just not on the AP 205's we are using?
Thanks all.
------------------------------
MICHAEL LEWTHWAITE
------------------------------