- Visit https://www.ssls.com/
- Scroll down to "PositiveSSL" (the one that says $4.99/year)
- Click the shopping cart button.
- Pay some money
Now you paid for a cert - next you need to actually obtain it.
- If you have just one controller, open the WebUI, go to Configuration->Certificates->CSR. Set the key length to 2048. Put your controller's hostname into the Common Name field. Fill out the rest of the information. Click "Generate New". Click "View Current". Copy and paste this into the www.ssls.com page where it asks you for your CSR. Skip to step 3.
- If you have multiple controllers and want to use the same certificate on all of them (note: not recommended from a best security practice standpoint), you can't use the ArubaOS CSR-generation routine described in step 1, because you won't (easily) get your private key back. For this, you need a computer with OpenSSL on it. There are a number of tutorials online that tell you how to generate keypairs and CSRs using OpenSSL - follow one of them. Once you get a CSR, paste it into the www.ssls.com page where it asks for your CSR.
- Go through the verification process.
- Obtain cert in email.
- If you generated your CSR on the controller (step 1), upload the certificate back to the WebUI with Management->Certificates->Upload. Set the cert type to "Server Certificate". You are done.
- If you generated your CSR with OpenSSL (step 2), when you get the certificate, you need to recombine it with the private key that OpenSSL will save to disk, and then that complete package needs to be uploaded to your controllers. The easiest way is to dump the certificate, the certificate chain (this includes the intermediate CAs), and the private key into a text file. I am over-simplifying this - but there are many how-tos online. Make sure you don't leave that text file laying around somewhere that other people can get it.
If browsers still complain about your new cert not being trusted, and you think you did everything correctly, the most likely problem is the certificate chain. You need to combine the server certificate AND the intermediate CA certificates (all of this will be emailed to you) into a single file, which you upload to the controller.
All told - this is too complicated, and requires you to know too much about certificates, cert chains, certificate file types, etc. It's the result of letting security engineers design this part of the software. I've made some suggestions internally for how to make this easier.
If all of this sounds like too much of a pain, go to https://msol.io/blog/tech/create-a-self-signed-ssl-certificate-with-openssl/ (or even http://www.selfsignedcertificate.com/, though I haven't tried this myself) and create yourself a self-signed certificate. Upload it to the controller. The first time you use it, tell your browser to show you the certificate, and "install" it - you're telling your browser to remember this certificate so that the next time you use it, it will be trusted. It's not the best security approach, but it will get the job done.