
How to replace the Captive Portal SSL certificate and get NO invalid certificate complaints from the browser

Aruba Employee

Environment  :  General


Generate the certificate request on Linux from the command line (DON'T generate the CSR on your controller; it's simply not needed):


openssl req -nodes -newkey rsa:2048 -keyout securelogin.mycompany.com.key -out securelogin.mycompany.com.csr


You will be asked a few things such as country and company name. When you're done, you have a CSR file and a KEY file.

Go to godaddy.com and log in (or create a login if you don't have one) and choose "Products > SSL&Security > Standard SSL > Single domain". I recommend taking at least 3 years, for about 200€ incl. taxes. You can use this same certificate on multiple controllers at no extra cost!

Now, on the certificate management site, you will be asked for the CSR, so copy and paste the CONTENT of the CSR file you just created.
It looks like this (include everything):





Choose SHA2 and 2048 bits, and leave everything else as it is.


The next step is to validate your certificate request, and for that you have a few options.

1. Request approval via your domain admin's email (you'll get an approval email with an approve link)

  You can check your domain admin's email address in the WHOIS database here: http://whois.domaintools.com



2. Add a text string given to you by GoDaddy to your website; a GoDaddy robot will check that the text string can really be found on your website.


Method 1 is faster; I got my certificate just 3-4 hours after my request.

When your certificate is approved and generated, you'll get a download link, or you can log in to your GoDaddy account and download it. When downloading, you'll be asked to choose a server type; just choose "other" and download.


In the download package you get 2 files:


One is named with some numbers and letters (for example 65jheh96798.crt) and the other is gd_bundle-g2.crt

You need to combine these two certificates, so open 65jheh96798.crt and paste the WHOLE CONTENT of gd_bundle-g2.crt right after -----END CERTIFICATE-----


Now go back to Linux, upload these two files to the same location as your CSR and KEY files, and run the command:


openssl pkcs12 -export -out securelogin.mycompany.com.pfx -inkey securelogin.mycompany.com.key -in 65jheh96798.crt -certfile 65jheh96798.crt

You will be asked for a password during generation; just type whatever password you want.


You have now successfully generated your pfx certificate called securelogin.mycompany.com.pfx; copy it to your computer.


The next step is to upload the certificate to your controller, so log in to your controller / controllers and upload the certificate under Configuration > Certificates >

Give a name to your certificate and choose your .pfx file

Type in your certificate's password

Format: pfx

Certificate type: Server cert


Now start using your new certificate: go to General, choose your new certificate as the Captive Portal certificate, and you're done.

If you are using an external captive portal, remember to change the HTML code from:

<form method="post" autocomplete="off" action="https://securelogin.arubanetworks.com/auth/index.html/u" onsubmit="return checkFormValues(this);">

to:

<form method="post" autocomplete="off" action="https://securelogin.mycompany.com/auth/index.html/u" onsubmit="return checkFormValues(this);">
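
A pre-upload check for the files produced by the steps above, added here as an example and not part of the original article: it confirms that the key belongs to the certificate, that the certificate covers the captive portal FQDN, that it has not expired, and that the bundle chains to it. The function name check_portal_cert and its return codes are assumptions; the file names in the usage comment are the article's.

```shell
#!/bin/sh
# Added example (not from the original article).
# Arguments: private key, server certificate (leaf first if already combined
# with the bundle), CA bundle, captive portal FQDN.
check_portal_cert() {
    key=$1; crt=$2; bundle=$3; fqdn=$4

    # 1. The private key must belong to the certificate: compare public keys.
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || key_pub=""
    crt_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null) || crt_pub=""
    if [ -z "$key_pub" ] || [ "$key_pub" != "$crt_pub" ]; then
        echo "FAIL: private key does not match certificate"; return 1
    fi

    # 2. The certificate must cover the portal FQDN (SAN, else CN; wildcards
    #    are honoured). -checkhost always exits 0, so inspect its output.
    if ! openssl x509 -in "$crt" -noout -checkhost "$fqdn" 2>/dev/null |
            grep -q 'does match certificate'; then
        echo "FAIL: certificate does not cover $fqdn"; return 2
    fi

    # 3. The certificate must not be expired.
    if ! openssl x509 -in "$crt" -noout -checkend 0 >/dev/null 2>&1; then
        echo "FAIL: certificate has expired"; return 3
    fi

    # 4. The bundle must contain the issuer of the certificate. The bundle is
    #    used as the anchor here, so this tests chain completeness, not trust.
    if ! openssl verify -partial_chain -CAfile "$bundle" "$crt" >/dev/null 2>&1; then
        echo "FAIL: bundle does not chain to the certificate"; return 4
    fi

    echo "OK: $crt is usable for https://$fqdn"
}

# Usage with the article's file names:
# check_portal_cert securelogin.mycompany.com.key 65jheh96798.crt \
#     gd_bundle-g2.crt securelogin.mycompany.com
```

Run it before building the .pfx; any FAIL line names the condition that would make the browser reject the portal page.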


Last update: 07-03-2014 02:11 PM

Is this still valid?  


We were instructed that we would need a wildcard cert because we want to use it on multiple controllers.


The wildcard cert still prompts for the cert to be accepted.  The CP page also directs to "captiveportal-login.mycompany.com"


Is the "captiveportal-login" something that is needed, or will "securelogin" still work?  Does the CP page address change based on firmware?  Or is the address just based on the name of the cert - as in if I request to name the cert Hotspot.mycompany.com, will the CP page redirect to hotspot.mycompany.com/cgi-bin/*******?

The captive portal FQDN is the CN of the certificate.