
Airwave SSL certificate

  • 1.  Airwave SSL certificate

    Posted Feb 21, 2018 09:17 AM

    Hey everyone. Aruba newbie here.

     

    I have seen different methods on how to install a signed certificate for the Aruba Airwave UI. But they all seem a bit much. 

     

    I have a certificate and want the green mark in the browser windows (-:, 

     

    Just upgraded to the latest version 8.2.6, and in CLI I see option 9 security--> and -->3  Add SSL Certificate, but the only option after this is "c" cancel.

     

    Anyone know the simplest method to achieve this ?

     

    Thanx



  • 2.  RE: Airwave SSL certificate

    EMPLOYEE
    Posted Feb 21, 2018 09:42 AM


  • 3.  RE: Airwave SSL certificate

    EMPLOYEE
    Posted Feb 21, 2018 10:12 AM

    If you're just installing an SSL cert, then you can use the above path.  In 8.2.6, we added a new path.

     

    Security
    1 Reset Web admin Password
    2 Change OS User Password
    3 Add SSL Certificate
    4 Add DTLS Certificates
    5 Enable FIPS (requires reboot)
    6 Show EngineID
    7 Module Key
    8 Apply STIGs
    9 Set MaxAuthTries value for sshd
    10 Make OCSP Optional
    11 Generate Certificate Signing Request
    12 Install Signed Certificate

     

     

    Using option 11 under the security menu, you can generate a CSR, then submit that CSR to the signing authority.  When you get the resulting cert, you'll upload it using the upload option off the main menu.  Then install the cert using option 12 under the security menu - NOTE: The file must be in PEM format with the filename extension ".crt"



  • 4.  RE: Airwave SSL certificate

    Posted Jul 18, 2018 11:06 AM

    Is it possible to specify a SAN when generating the CSR in the new CLI?

     

    Regards,

    JoeB



  • 5.  RE: Airwave SSL certificate

    Posted Aug 28, 2018 12:22 PM

    Do you upload a single PEM file with the cert and intermediate/roots too?

     

    TIA.



  • 6.  RE: Airwave SSL certificate

    EMPLOYEE
    Posted Aug 28, 2018 12:44 PM

    @joebunk

    We don't currently support generating SAN Cert through this CSR process.  That'd be a feature request currently.

     

    @su_A_ve

    If you're doing the CSR route, you don't have an option to make changes to the resulting PEM file.  But if you're going the SSL route, then the pkcs12 file you upload should have the cert and intermediates combined.



  • 7.  RE: Airwave SSL certificate

    Posted Oct 18, 2018 04:18 PM

    How can I install a wildcard cert for our domain so that Airwave will use it for the web interface?  I've got the cert into the system but I haven't yet found where to enable it.  (I may not have the cert in correctly, so if there's a specific way to get it working, please describe!)

    Thanks.

    PH



  • 8.  RE: Airwave SSL certificate

    EMPLOYEE
    Posted Oct 18, 2018 04:23 PM

    Is the wildcard cert generated based on a CSR?  Or is it an SSL wildcard cert?

     

    If it's SSL -> then Security -> Add SSL, it'd replace any pre-existing SSL, so if you're trying to add it, you'd have to combine your pre-existing SSL to the wildcard before adding.

     

    If it's CSR, then you use the Security -> Install CSR cert option.



  • 9.  RE: Airwave SSL certificate

    Posted Nov 20, 2018 01:19 PM

    This is a wildcard cert.  I've been able to upload the files to the box.  Although I cannot use '1 Upload File': when I give the SCP server user and file/path, it just gives a generic failed error code. I had to set up to push with sftp using 8 Advanced, 7 Add File Transfer User.

     

    Anyway, 9 Security - 3 SSL Certificate lists the certificate file, but no matter how I have formatted the file so far, I keep getting an error.

     

    The file must be in PKCS12 format with ".pfx" or ".p12" filename extension and should contain both the private RSA key and the certificate.)
      1  test.pfx           6,233 bytes  2018-11-20 11:53:07
      c  >> Cancel
    Your choice: 1
    Enter PKCS12 password:
    Error: PKCS12 bundle must contain RSA key.

     

     

    What might I be doing wrong here?



  • 10.  RE: Airwave SSL certificate

    Posted Nov 20, 2018 01:52 PM

    Another quick note.  I was able to use the certificate for Security 4 - Add DTLS Certificates and it went through, although that prompt doesn't say anything about the RSA key anyway, just the private key, root certs and intermediate.

     



  • 11.  RE: Airwave SSL certificate

    EMPLOYEE
    Posted Nov 21, 2018 10:08 AM

    The error statement says that the cert bundle is missing the RSA key.

     

    DTLS certs aren't the same as regular SSL certs.  SSL certs are for communication to the AMP UI through httpd and nginx, while DTLS certs are for secure AMON, which uses a different communication route created specifically for that feature.
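
An added example, not part of the thread and not Aruba's code: a workstation-side check with the openssl CLI that a PKCS12 bundle holds an RSA key matching its leaf certificate, and how many certificates (leaf plus intermediates) it carries, before it is uploaded. The function names, the `PFX_PASS` variable and the script name are assumptions of this example.

```shell
#!/bin/sh
# Added example: workstation-side checks on a PKCS12 bundle before upload.
# Needs the openssl CLI. The bundle password is read from the PFX_PASS
# environment variable (an assumption of this example) so that it does not
# appear in the process list.

# Print RSA, OTHER, NONE (no key in bundle) or UNREADABLE (bad file/password).
pfx_key_kind() {
    out=$(openssl pkcs12 -in "$1" -passin env:PFX_PASS -nocerts -nodes 2>/dev/null) \
        || { echo UNREADABLE; return 0; }
    case $out in
        *"PRIVATE KEY-----"*) ;;
        *) echo NONE; return 0 ;;
    esac
    # "openssl rsa" only accepts RSA keys, so its exit status tells the type.
    if printf '%s\n' "$out" | openssl rsa -noout >/dev/null 2>&1; then
        echo RSA
    else
        echo OTHER
    fi
}

# Succeed only when the leaf certificate's public key is the bundled key's.
pfx_key_matches_cert() {
    cert_pub=$(openssl pkcs12 -in "$1" -passin env:PFX_PASS -clcerts -nokeys 2>/dev/null \
        | openssl x509 -pubkey -noout 2>/dev/null) || return 1
    key_pub=$(openssl pkcs12 -in "$1" -passin env:PFX_PASS -nocerts -nodes 2>/dev/null \
        | openssl pkey -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Number of certificates in the bundle (leaf plus any intermediates/roots).
pfx_cert_count() {
    openssl pkcs12 -in "$1" -passin env:PFX_PASS -nokeys 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE' || true
}

# Usage (hypothetical script name): PFX_PASS=... sh check_pfx.sh bundle.pfx
if [ "$#" -ge 1 ]; then
    echo "key type:     $(pfx_key_kind "$1")"
    echo "certificates: $(pfx_cert_count "$1")"
    if pfx_key_matches_cert "$1"; then echo "key matches leaf certificate"
    else echo "key does NOT match leaf certificate"; fi
fi
```

If the bundle reports an RSA key that matches the leaf certificate and the appliance still rejects it, the packaging is not the cause and the case belongs with support.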



  • 12.  RE: Airwave SSL certificate

    Posted Nov 26, 2018 01:00 PM

    Hey Rob,

     

    That's the question - why doesn't the system see the RSA key?  I have used several methods to create the bundle, and I include the key with them each time.  Is there a specific procedure for getting the bundle put together for a wildcard cert that I could use to get this working?

    I've imported the same cert w key in the GUI under Device Setup - Certificates without an error, but I can't seem to tell it to use that cert for the HTTPS traffic.

     

    Note that I can also attempt to import the cert without the key on the GUI and I get the Certificate file is missing private key error as expected.  The one with the key imports and shows up properly here, but gives the RSA error on the CLI.  Is it time for a support ticket?



  • 13.  RE: Airwave SSL certificate

    EMPLOYEE
    Posted Nov 26, 2018 01:10 PM

    Validations are different between UI and CLI.  Probably best to open a TAC case at this point.



  • 14.  RE: Airwave SSL certificate
    Best Answer

    Posted Nov 28, 2018 10:33 AM

    FYI - my issue was resolved.  There was a bug:

     

    bug #DE32144 in 8.2.7.1 version, patch file was released.

     

    TAC applied the patch and recompiled the software, and the certificate is now active.  

     

    Thanks for the help.



  • 15.  RE: Airwave SSL certificate

    Posted Feb 06, 2019 08:53 AM

    What if you use a 3rd party cert management tool to handle the CSR and you need to install both the cert and private key? I download both in the PEM file but you mention the file to install needs to just be the identity cert (.crt). Can I also get the private key and root chain installed in some way using option 11? 



  • 16.  RE: Airwave SSL certificate

    EMPLOYEE
    Posted Feb 06, 2019 09:28 AM

    That'd be a feature request to handle that scenario.  We do have our own CSR route built, but not one that takes an external CSR private key.

     

    If you need to go that route, support can assist to put the pieces into place, but a feature request should still be submitted.



  • 17.  RE: Airwave SSL certificate

    Posted Sep 23, 2020 05:06 AM

    Hi ,

     

    I have Airwave version 8.2.11.2 and I have wildcard certs, which I uploaded via the GUI, in pfx format. All went well, but still my UI is showing an unsecured warning. I have read the whole thread and followed all the steps. 

    I even went into AMP setup and added the certificate to authenticate, converted my pfx to PEM, and copy-pasted the certificate. No luck.

     

    What am I missing? Why is the Aruba manual or UI so confusing? The CLI is another level of complexity. 



  • 18.  RE: Airwave SSL certificate

    Posted Dec 14, 2023 05:54 AM

    Airwave 8.3.0.1 SSL Wildcard Certificate Upload

    • Add File Transfer User
    • Upload wildcard .pfx certificate to Airwave Server to /var/ampcli/user
    • Login to Airwave CLI via SSH with User ampadmin
    • 3  Configuration >
    • 4  Certificates >
    • 1  Add SSL Certificate
    • 1  certificate.pfx <- select your certificate
    • Enter Password for your certificate
    • Enable and restart Web UI