Question: How do I generate and sign a certificate using OpenSSL on Linux for the Aruba Instant AP?
Product and Software: This article applies to all Aruba Instant platforms and versions.
Install OpenSSL on CentOS or Fedora Linux Operating Systems
1. Install the CentOS or Fedora operating system.
2. In the terminal of CentOS or Fedora, issue the following commands to install OpenSSL:
yum install openssl
yum install openssl-devel
yum install openssl-perl
yum install gcc (optional)
Generate a Certificate in PEM Format Using the Built-in Perl Script
Issue the following commands from the /etc/pki/tls/misc directory. While issuing these commands, you will be asked questions about the country code, state, organization, etc. Answer these questions appropriately. You will also be requested for a PEM passphrase, which is used to protect the key.
1. Generate a Root CA Certificate
term#./CA.pl -newca
This command generates a cacert.pem in /etc/pki/CA directory. This is the certificate authority (CA) file. The cakey.pem file can be found in /etc/pki/CA/private directory.
2. Generate a Server Certificate
term#./CA.pl -newreq
This command generates a certificate request (csr). You will get a "newreq.pem" and "newkey.pem" file. The newreq.pem is the new request and the newkey.pem is the key generated for this request. The files newkey.pem and newreq.pem will be found in the /etc/pki/tls/misc directory.
3. Sign the Server Certificate with the Root CA
term#./CA.pl -sign
This command signs the new request with the CA. It takes "newreq.pem" and signs it against "cacert.pem", and you will get "newcert.pem". The file newcert.pem will be found in the /etc/pki/tls/misc directory.
4. Concatenate the RSA Private Key and the Signed Server Certificate
term#cat newkey.pem newcert.pem > instantservercert.pem
This command combines the signed cert with the newkey.pem generated in step 2 to produce the server certificate named instantcert.pem. The file instantservercert.pem will be found in the /etc/pki/tls/misc directory.
Aruba Instant has a requirement on this certificate: it should include the signed server certificate and the private RSA key for the certificate and the key should be put at the very beginning of the file.
5. Load the Certificate on Aruba Instant
The instantservercert.pem certificate and the cacert.pem certificate should be loaded to the certificate section in the WebUI of the Aruba Instant AP.