Wireless Access

last person joined: 6 hours ago 

Access network design for branch, remote, outdoor and campus locations with Aruba access points, and mobility controllers.
Expand all | Collapse all

How to replace Aruba Default Certificate - April-MHC

  • 1.  How to replace Aruba Default Certificate - April-MHC

    Posted Apr 20, 2014 10:27 PM
      |   view attached

    If you found my post helpful, please give kudos!

     

    Why do you need to replace Aruba default certificate?

     

    Have you ever tried to replace Aruba default certificate issued by GeoTrust DV SSL CA to securelogin.arubanetworks.com.  You found many reasons to change and read many articles how to do it, but it seemed too many details,  you gave up and forgot about it because things still worked.

     

    Let’s try it again, at least, for the benefit shows in figure 1, the problem with security certificate.

     

    This article based on Windows 2012 ROOT-CA.  Assuming you have - or you can request - a certificate from your ROOT-CA.  

     

    1.png

    Figure 1: By replacing default certificate, you can get rid of this annoying security certificate problem.

     

    Getting the Certificate

     

    Generate CSR at the controller

    2.png

     

    Figure 2: This step is straight forward.  Make sure the Common Name is the name you are using to access your controller.  In this lab, I use https://172.18.31.246:4343, so the CN is 172.18.31.246.  Although the Key Length minimum is 1024, but the standard is 2048, many Root-CA are no longer support 1024.

     

    Request certificate

    Click Generate New, and copy the text between -----BEGIN CERTIFICATE REQUEST----- and ----END CERTIFICATE REQUEST----- inclusive.  Save to a text file. 

     

    HTTPS to your Root-CA

    3.png

     Figure 3: Https to Root-CA, click Request a certificate

     

    4.png 

    Figure 4: Click submit an "advanced certificate request"

     

    5.png

    Figure 5: Paste the CSR that you saved to txt file in figure 2 above to Saved Request, change Certificate Template to Web Server, click Submit.

     

    6.png 

    Figure 6: Keep default DER encoded, click “Download certificate”, and save it.  In my Root-CA, I configured the server to automatic assign certificate, so I can download the certificate right after I submit.  Some root-CA requires you come back later to download after the administrator issue it.

     

    7.png

    Figure 7: You can view the detail of certificate you just saved to ensure it is the right one

      Install Certificate to Controller

     

    8.png

    Figure 8: To install certificate to controller, click Management > Certificates > Upload.  Give it a name, find the certificate you downloaded.  Default name is download\certnew.cer

     

    9.png

    Figure 9: Configure controller to use new certificate for WebUI Management Authentication and Captive Portal.  Click Apply, Save Configuration, and log out.

     

    10.png

    Figure 10: Log back to controller, no more Problem with Website Security Certificate

     

     

    If you found my post helpful, please give kudos!

    Thanks

     

    Attachment(s)

    pdf
    Apr MHC Aruba Cert.pdf   664 K 1 version


  • 2.  RE: How to replace Aruba Default Certificate - April-MHC

    Posted Apr 29, 2014 06:08 AM

    If you want to go to town on this you can generate a custom cert  on linux!

     

    sudo cp /etc/ssl/openssl.cnf  /etc/ssl/whatever.cnf

     

    sudo vi /etc/ssl/whatever.cnf

     

    edit the normal elements and add in alt_name section:

    [alt_names]
    DNS.1 = aruba-master.whatever.orVRRP.address.com

    DNS.2 = controller1.whatever.com

    DNS.3 = controller2.whatever.com

    IP.1 = 10.1.1.1

    IP.2 = 10.1.1.2

    IP.3 = 10.1.1.3

     

    IPs are cools as alot of the aruba master/local config links refer to ips and not fqdns

     

    generate key:

     

    sudo openssl genrsa -out ./whatever.key 4096

     

    generate the cert:

     

    sudo openssl req -new -key ./whatever.key -out ./whatever.csr -config ./whatever.cnf

     

    get it signed by ca as per the last process.

     

    package up a PCKS12:

     

    sudo openssl pkcs12 -export -out whatever.pfx -inkey whatever.key -in ./whatever.cer -certfile whatever.intermediate_ca.cer -certfile whateverwhatever.root_ca.cer

     

    Install on the both controllers and just use the VRRP resolved domain name!

     



  • 3.  RE: How to replace Aruba Default Certificate - April-MHC

    Posted Apr 29, 2014 02:21 PM

     Very good and useful info for enterprise WLAN with multiple controllers.  I wonder if Windows server root CA can do it too.