Wireless Access

 View Only
last person joined: 2 days ago 

Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.
Expand all | Collapse all

How to update cert in CLI on ArubaOS 8?

This thread has been viewed 36 times
  • 1.  How to update cert in CLI on ArubaOS 8?

    Posted Mar 06, 2020 07:52 AM

    Hi,

    I have a Let's Encrypt pem cert, and has uploaded it to ArubaOS 8 via WebUI, and that's all fine.

    But as you know, certs of Let's Encrypt expiered every 3 months, so i'd prefer to update it in CLI(SSH).

     

    But when i do this followed the https://community.arubanetworks.com/t5/Controller-Based-WLANs/Generate-self-signed-certificate-with-OpenSSL/ta-p/275357

     

     

     

    (Aruba7010) *[mm] #copy tftp: 192.168.1.1 domain.com flash: domain.com.pem
    
    Copying file:
    Press 'q' to abort.
    ....
    File copied successfully
    
    (Aruba7010) *[mm] #crypto pki-import pem ServerCert "domain.com" "domain.com.pem"
    
     Similar name certificate already exists on the same or different path. Upload with a different name.

     

     

     

    I stucked here, and don't know how to do.

    I've tried:

     

     

    (Aruba7010) *[mm] #configure terminal
    Enter Configuration commands, one per line. End with CNTL/Z
    (Aruba7010) *[mm] (config) #no crypto-local pki ServerCert domain.com
    Error cert name domain.com not Present

     

     

     But it won't work.

     

    Could you please provide me a guide to overwrite the existed cert?



  • 2.  RE: How to update cert in CLI on ArubaOS 8?

    EMPLOYEE
    Posted Mar 06, 2020 08:10 AM

    Try to import the certificate with a name slightly different from "domain.com"...maybe "2021-03-06-domain.com".

     

    You would then have to update whatever references you have to that name.

     

    AfAIK there is no automated system to import, and update server certificates in ArubaOS 



  • 3.  RE: How to update cert in CLI on ArubaOS 8?

    Posted Mar 06, 2020 09:06 AM

    Then, how can i delete the old cert in CLI?



  • 4.  RE: How to update cert in CLI on ArubaOS 8?

    EMPLOYEE
    Posted Mar 06, 2020 09:12 AM

    Find out if it even sees a certificate in that context:

     

    "show crypto-local pki ServerCert"

     

    If not, change your context to /md or /md/whateverfolder and run that command again.  You might have imported the certificate in a different context.

     

    It might not be possible to delete the certificate if it is already assigned at the Captive Portal or Manangement Page certificate...



  • 5.  RE: How to update cert in CLI on ArubaOS 8?
    Best Answer

    Posted Mar 06, 2020 12:23 PM

    I've done with this:

     

    (Aruba7010) *[mynode] #cd mynode       //important, you can not delete your serverCert in /mm
    (Aruba7010) *[mynode] #configure terminal
    Enter Configuration commands, one per line. End with CNTL/Z
    
    (Aruba7010) *[mynode] (config) #web-server profile
    (Aruba7010) *[mynode] (Web Server Configuration) #switch-cert default    //you must swtich to default cert before delete the in-use cert
    (Aruba7010) ^*[mynode] (Web Server Configuration) #no crypto-local pki ServerCert domain.com   //delete the old cert
    (Aruba7010) ^*[mynode] (config) #web-server profile
    (Aruba7010) ^*[mynode] (Web Server Configuration) #write memory
    
    Saving Configuration...
    
    Configuration Saved.
    (Aruba7010) *[mynode] (Web Server Configuration) #copy tftp: 192.168.1.1 domain.com.pem flash: domain.com.pem
    
    Copying file:
    Press 'q' to abort.
    ....
    File copied successfully
    
    (Aruba7010) *[mynode] (Web Server Configuration) #crypto pki-import pem ServerCert domain.com domain.com.pem    //import the new cert 
    Certificate is uploaded. Please execute "crypto-local pki SERVERCERT domain.com domain.com.pem" from a config node
    
    (Aruba7010) *[mynode] (Web Server Configuration) #crypto-local pki serverCert domain.com domain.com.pem   //install the new cert
    (Aruba7010) ^*[mynode] (Web Server Configuration) #switch-cert domain.com  //switch to the new cert
    (Aruba7010) ^*[mynode] (Web Server Configuration) #write memory
    
    Saving Configuration...
    
    Configuration Saved.
    (Aruba7010) *[mynode] (Web Server Configuration) #process restart httpd   //restart httpd to make the new cert take effect immediately
    WARNING: Do you really want to restart process: httpd (y/n): y
    Restarting: httpd
    (Aruba7010) *[mynode] (Web Server Configuration) #


  • 6.  RE: How to update cert in CLI on ArubaOS 8?

    Posted Sep 11, 2023 03:48 AM

    I was able to do this with python and the paramiko library.    It took quite a bit of time to figure out how to update the cert using the cli on 8.11,  pasting my findings here to benefit others.  https://github.com/bruor/ArubaInstantCertUpdate

    Commands to run via SSH after connecting to the IAP.

    config
    wlan cert-assignment-profile
    no pki-cert-assign application ui cert-type ServerCert 
    exit
    exit
    commit apply
    crypto pki-remove cert-type ServerCert certname [CertName]
    crypto pki-import format pem cert-type ServerCert tftp://[server]/[filename] certname [CertName]
    config
    wlan cert-assignment-profile
    pki-cert-assign application ui cert-type ServerCert certname [CertName]
    exit
    exit
    commit apply