ArubaOS Default Certificate Revocation FAQ - Controllers


Frequently Asked Questions for Aruba Support Advisory ARUBA-SA-20160908-01


Certificates are used to validate the identity of a remote user or service such as a web site. When you purchase something on eBay, for example, the site presents a certificate to your browser so that you are not handing your credit card number to a rogue entity, and so that the communication between you and the site is encrypted and cannot be intercepted. The controller, MAS and Instant APs ship with built-in default certificates as a placeholder for a permanent certificate, so that you can get up and running quickly when you connect to the management interface, authenticate using 802.1X with termination, or authenticate guests using captive portal. Unfortunately, the same default certificate, registered to Aruba Networks, is installed on every platform at the factory. The only way to ensure integrity is to replace those certificates with your own public or private certificate, so that your users and their devices know that your organization, and NOT a random entity, is processing (or could snoop on) their authentication.


Aruba's user guides urge replacement of the management and Captive Portal certificates to ensure security:


[Image: ug-managing certs.png (user guide, Managing Certificates)]



What prompted this announcement?

  • GeoTrust (the signer and issuer of the Aruba default certificate) revoked the certificate on 9/8/16 because its private key had been compromised. On controllers, Instant APs and Mobility Access Switches where the default certificate had not been replaced, the user's browser either (1) rejected the connection or (2) displayed an unexpected message that the certificate was expired or revoked; this confused users, and in some cases browsers refused to display the page. ArubaOS 8 forces the user to generate a self-signed certificate to sidestep this issue, but ArubaOS 6.5 and below still ship a shared default certificate that the administrator needs to replace for Captive Portal, Management Administration and, if it is being used, 802.1X termination.


What is a certificate?

  • A certificate is essentially a digital ID card used by individuals, businesses and even devices to identify themselves to others and facilitate things like data encryption between two devices.

Who uses certificates?

  • Nearly every organization uses digital certificates in some way. The most basic and pervasive use is on the internet to identify the owner of a website and provide data encryption. This is critical when entering sensitive information like credit card numbers and identification numbers or downloading files to your device. The certificate on the web site allows you to verify who you are giving your information to and also provides a framework to ensure that the data is encrypted (scrambled) before it goes out over the internet.
  • You may also use a certificate to prove your identity to a company to access your secured data. Examples would be a bank login where you use a digital certificate instead of your password, or a resource at work that requires higher assurance of who you are.

What is the difference between a public, private and self-signed certificate?

  • A public certificate is signed by a public certificate authority after domain, personal identity or business verification. These certificate authorities are pre-installed on most client operating systems like Windows, Mac OS X, Android and iOS. The public CAs follow a strict process when issuing certificates, which creates a network of trust from the CA, through the operating system vendors (who decide which CAs to include in the OS trust store), down to the user.
  • A private certificate is signed by an internal or private CA that is run by an organization. The Root CA is not trusted by default by client devices and needs to be pushed out to clients via a management tool or manually installed in order for devices to show certificates from this CA as valid.
  • Self-signed certificate: this certificate is generally generated by the local machine/device itself and has no relation to any other certs. It is signed by itself.

What is a CSR?

  • A CSR is a certificate signing request: an unsigned copy of the public key, generated by an application or operating system together with a private key, carrying information about your organization, the requested common name and any subject alternative names. The CSR is submitted to the certificate authority for validation and signing. The result is a signed certificate (public key) that can be used with your application/service in combination with the private key.

What does it mean when a certificate is revoked?

  • A certificate can be revoked by the owner of the certificate or the certificate authority that issued it. This can be done for many reasons like a service being decommissioned or the security of the certificate being compromised.

How does a browser/device know when a certificate is revoked?

Who is GeoTrust and how are they related?

  • GeoTrust is a popular public certificate authority used by many companies. They are responsible for verifying the identity of a user, domain, email address and/or company to allow for a trust relation between the end user or device and a company or other user.

Where can I learn more about certificates?



Which Aruba products are affected?

  • Aruba Mobility Controllers, Instant Access Points (IAP) and Mobility Access Switches (MAS).

Why was a public certificate included in the first place?

  • In early versions of ArubaOS, a certificate was not included. This resulted in many users having issues getting captive portal working. A publicly-signed default cert was added to ArubaOS to give a working solution out of the box and also provide an example of what was required, a template of sorts. It was also very useful when evaluating Aruba products prior to purchase.

Why is a certificate needed on an Aruba controller/IAP/MAS?

Certificates are used for five different functions on the controller:


  1. Web UI security >> The web UI used for management uses a certificate to identify the controller to admin users and is also used to encrypt credentials, keystrokes and other traffic between the browser and the controller/IAP/MAS.
  2. Captive Portal redirection >> In order to redirect users that are visiting an https page, we need a certificate on the controller to intercept the https connection and redirect it to the controller’s web server or an external captive portal.
  3. Captive Portal login >> In most deployments, a user enters their credentials into the captive portal displayed in their browser and then clicks submit or log in. The browser submits the credentials to a special URL on the controller and the controller then checks these credentials via the local database or a RADIUS server. Because these credentials are sent from the client device to the controller, we need a certificate to encrypt the credentials in transit and provide assurance that the controller is valid.
  4. EAP-Termination (optional) >> While a RADIUS server is recommended, in some deployments, the controller may serve as the EAP termination point for things like EAP-PEAP, EAP-TLS and other EAP methods. These require a server side certificate on the controller for the client to validate.
  5. VIA Profile Download >> The VIA VPN client connects to the controller in order to download a configuration profile. The controller certificate is used to identify itself to the client/user similar to a website.

Do I need to use the same certificate for each service?

  • No. Web UI, captive portal and EAP-Termination can all use different certificates and different certificate types (self-signed vs private vs public).

Why was the certificate revoked?

  • Because the certificate was included with each controller, IAP and MAS, it was part of the software image, and its key pair was recently extracted from the image and compromised. GeoTrust then revoked the certificate, following certificate authority policies around compromised keys.

Can I use the same captive portal and/or EAP-termination certificate across multiple controllers?

  • The technical answer is yes, but you should consult your security team first.
  • If you choose to use the same certificate, use an external server to generate the CSR (for example openssl on Linux, Windows or Mac OS X, or IIS on Windows). If you generate the CSR on the controller, you will not be able to export the key pair for import to another device.


  • The common name can be anything you want (it does not actually have to resolve to a host), but we recommend it be a user-friendly name off your domain as it is briefly displayed on an end-user's device during authentication. An example would be: Do not use

Were any other certificates in the products compromised?

  • Aruba controllers, IAPs and MAS also include a unique factory certificate that is generated during manufacturing. This certificate is issued by a private CA used for trust between Aruba devices for services like Control Plane Security (CPSec) and Aruba Activate. This certificate is unique to the hardware and the private key is stored securely in a hardware trusted platform module (TPM) and remains valid and secure.



What controller services use this certificate by default?

  • Admin web UI (https://:4343)
  • VIA profile download
  • Captive Portal (splash page for guests)
  • EAP-Termination (used in some situations where a RADIUS server is not available)

How can I fix this on my Aruba controllers?

  • A custom certificate needs to be acquired and installed on the controller.
  • Choosing a certificate (the original table, footnotes below):
    Certificate type               Captive Portal                           Web UI   EAP-Termination
    Self-signed                    YES (1) (but not recommended, see below)  YES      YES (2)
    Privately-signed               YES (1) (but not recommended, see below)  YES      YES (3)
    Public: standard domain cert   [cells not recovered from the page]
    Public: wildcard cert          YES                                      YES      see (4)

    1 – While a self-signed or private certificate can be used for captive portal, it is not recommended, as guests will not have the certificate and/or root CA installed and will receive a certificate error.

    2 – When using EAP-Termination with a self-signed certificate, the cert will need to be installed on each client device in order to secure the connection.

    3 – When using EAP-Termination with a privately signed certificate, the private root CA will need to be installed on each client device in order to secure the connection.

    4 – Wildcard certificates will be rejected by many client devices when used as a RADIUS server certificate.

  • Installing the certificate: 


  • If the CSR was generated on the controller itself, download the Apache version of the certificate package. Take the .crt file and verify the common name (make sure it is your server certificate and not just the root CA's). On the controller, navigate to Configuration > Certificates. Give your certificate a friendly name, browse to the .crt file, select PEM as the format and select Server Cert as the certificate type, then click Upload. Now navigate to General on the left and select which services should use that certificate.
  • If the CSR was generated on an external server, you can also take the Apache version, but you'll need to combine the signed public certificate from the CA with the private key stored on the device where the CSR was generated to create a p12/pfx file. See the next question.


  • The "Apache" certificate package from your CA should contain two certificate files: one with just your public signed cert and the second should contain the intermediate(s) and root certificates. Extract those and drop them in the directory where your private key was generated.
  • Open up a shell window (cmd, terminal, bash), change directory to the location of the certificate files and run the following command, replacing the values between the curly braces:
    openssl pkcs12 -export -in {your-public-cert-file} -certfile {intermediate-root-ca-file} -inkey {your-private-key-file} -out {name-of-your-combined-cert}.pfx
    If you added a password to your private key during CSR generation, you will be prompted for it. You will also be prompted to create a private key password for the new PFX file. Make this a very strong, long password as it is protecting your private key. You will need this password whenever you import the certificate.
  • Now that you have your PFX file, navigate to Configuration > Certificates on the controller. Give your certificate a friendly name, browse to find the PFX file, enter the private key password that was set in the previous step, select PFX as the format and select Server Cert as the certificate type. Then click Upload.
  • Now, Navigate to General on the left and select which services should use that certificate.
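The off-box CSR, the common-name check and the openssl pkcs12 step above, walked through end to end as an added shell example (not Aruba's tooling or text). A throw-away root and intermediate CA constructed inside the script stand in for the public CA; in real use you submit the CSR and receive the signed .crt plus the intermediate/root bundle back. The hostname, organization names and passphrase are placeholders.

```shell
#!/bin/sh
# Added example (not Aruba's tooling): the off-box CSR -> signed cert -> PFX flow
# from the FAQ, end to end. A throw-away root + intermediate CA constructed here
# stands in for the public CA; in real use you submit portal.csr and get back
# portal.crt plus the intermediate/root bundle. Names and passphrase are placeholders.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl CLI not found; skipping" >&2; exit 0; }
cd "$(mktemp -d)"
CN="portal.example.net"                                  # placeholder portal name
: "${PFX_PASS:=replace-with-a-long-random-passphrase}"   # placeholder; use a strong one
export PFX_PASS

# 1. Key pair and CSR generated outside the controller, so the private key can be
#    exported and the same certificate reused on several controllers.
make_csr() {
    openssl req -new -newkey rsa:2048 -nodes -keyout portal.key -out portal.csr \
        -subj "/O=Example Org/CN=$CN"
}

# 2. Stand-in CA: root signs an intermediate, the intermediate signs the CSR and
#    adds the SAN; intermediate + root form the "chain" file a real CA would ship.
fake_ca_sign() {
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > ca.ext
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$CN" > srv.ext
    openssl req -new -newkey rsa:2048 -nodes -keyout root.key -out root.csr -subj "/O=Example CA/CN=Example Root"
    openssl x509 -req -in root.csr -signkey root.key -days 2 -extfile ca.ext -out root.crt
    openssl req -new -newkey rsa:2048 -nodes -keyout inter.key -out inter.csr -subj "/O=Example CA/CN=Example Intermediate"
    openssl x509 -req -in inter.csr -CA root.crt -CAkey root.key -CAcreateserial -days 2 -extfile ca.ext -out inter.crt
    openssl x509 -req -in portal.csr -CA inter.crt -CAkey inter.key -CAcreateserial -days 2 -extfile srv.ext -out portal.crt
    cat inter.crt root.crt > chain.crt
}

# 3. The FAQ's check: make sure the .crt is the server cert for our CN, not one of
#    the CA certs, and that it actually chains up to the root.
cert_cn() { openssl x509 -in "$1" -noout -subject -nameopt multiline | sed -n 's/^ *commonName *= *//p'; }
verify_chain() { openssl verify -CAfile root.crt -untrusted inter.crt "$1" >/dev/null; }

# 4. The FAQ's openssl pkcs12 step. The passphrase is read from the environment
#    (env:PFX_PASS) instead of the command line so it does not appear in ps output.
build_pfx() {
    openssl pkcs12 -export -in portal.crt -certfile chain.crt -inkey portal.key \
        -out portal.pfx -passout env:PFX_PASS
}
# Certificates inside the PFX: leaf + intermediate + root, so 3 if the chain is complete.
pfx_cert_count() { openssl pkcs12 -in "$1" -nokeys -passin env:PFX_PASS | grep -c 'BEGIN CERTIFICATE'; }

make_csr
fake_ca_sign
[ "$(cert_cn portal.crt)" = "$CN" ] || { echo "portal.crt is not the server certificate" >&2; exit 1; }
verify_chain portal.crt
build_pfx
echo "portal.pfx contains $(pfx_cert_count portal.pfx) certificates (expect 3)"
```

Upload the resulting portal.pfx as described in the previous step; a count below 3 means the intermediate or root did not make it into the bundle and clients will see trust errors.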



Is ClearPass affected by this?

  • ClearPass is not directly affected by this advisory but a few configuration tweaks need to be made when the controller/IAP/MAS captive portal certificate is changed.

What changes need to be made in ClearPass?

Version history: Revision 9 of 9, last updated 12-20-2018 07:30 AM

While Public Wildcard Certificate is being looked at, is "Use HTTP for authentication" in Captive Portal Authentication Profile > cp-profile-guest an option to prevent the captive portal login issue for the short term?


Yes, you can, but credentials will be sent in the clear and can easily be captured on an unencrypted SSID.

Just for the short term while we look at Public Wildcard Certificate.

Thanks for the excellent timely article, much appreciated.

Hi, I am generating a cert on a public CA - it's asking me for server platform?

Did you generate the CSR on the controller or external server?

If you did it on the controller, you can simply use Apache.

If you did it on an external server, you can also use Apache but you'll need to combine the public and private key into a p12/pfx file.

Dear all,


I have 3 questions regarding the certificate replacement process :


1- In case of a cluster of 2 controllers, should the certificate be uploaded on both?

2- Once the certificate is uploaded, is a reboot required?

3- Is there anything to change regarding the captive portal URL or will it adapt automatically ?


Thank you all for your answers.

1- A certificate can be used across controllers, but you should check with
your security team. If you do end up going this route, the CSR must be
generated on an external device so you can export the private key.

2- No reboot is required

3- You need to select the cert for captive portal under General. No other
changes are required on the controller.



I'll take a public certificate but i have questions. For information, I have 3 controllers (not in a cluster).

- Is it possible to take an SSL UCC/SAN to secure multiple domain names?

- Do I have to generate one CSR per controller?


Thanks for your help.



No, the options for captive portal on a controller are:

1) Same standard cert on every controller

2) Wildcard certificate

Sorry but just to be sure, I can buy only one certificate and put it on every controller?


ps: for information, I use 802.1X with EAP termination on my controller.


Thanks a lot.



Yes, you can, but please consult with your security team.

So, I’m one of the users that was using the default cert in production (CP is on internet-only network that doesn't touch corporate network) .  


We created a self-signed cert with OpenSSL and I put that out there on all of our controllers Friday night/Saturday morning.  


We are starting to get calls from people that can’t pull up the captive portal page – either the browser gives an error message and no option to override/trust the new cert, or doesn’t give anything, just doesn’t load.


Is there is something that needs to be done to purge the old cert, or a way to force the browsers to prompt the users to trust the new cert?


So far it isn't limited to a certain browser - complaints have come from users of IE, Chrome, and Mac/Safari.


Of course I'm not able to duplicate the issue here, and without being in front of an affected PC I can't troubleshoot.

You should use a public certificate for captive portal to avoid browser errors with users

I have 220+ controllers.  Do you suggest a separate cert for each controller, or use the same cert on each?  If it's a single cert, say "," will there be a problem with the name mismatch (as the CP redirect will be to https://controllerIP.xxxxxxx), prompting the users to proceed/trust?  If so, how is that different from them having to trust a self-signed cert?


Meaning, as of now the problem seems to be with some users that aren't getting any sort of prompt to accept/trust/install this new cert - almost as if they are still seeing the old GeoTrust that has been revoked instead of the new cert.



As noted in the FAQ, a single certificate can be used across your controllers although you should check with your security team.



the openSSL command listed above did not work for me. However, the following one allowed me to merge the public cert with the intermediate certificate:


openssl pkcs12 -export -out mydomain.pfx -inkey mydomain.key -in mydomain.crt -certfile intermediateCA.crt


Hope it helps,

