Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Certificates Changing and configuration (Web Profile, sw cert, captive portal cert, auth dot1x cert)

  • 1.  Certificates Changing and configuration (Web Profile, sw cert, captive portal cert, auth dot1x cert)

    Posted Apr 13, 2020 07:30 AM

    Hi,

    I am trying to change the certificates below in a master redundancy Aruba setup due to the relocation of the two controllers from one location to another. This relocation requires changing the hostname and any other old-location-related names to the new name. The certificates hold the name of the old location, so we need to change them as well.

    I would appreciate it if you could guide me on how I can do this and where to request the new certificate with the new name so that it is valid for use, or whether just changing the name in the configuration will be enough. I am new to the Aruba world, so please help me.

     

    Below is the current configuration sample from the master:

    web-server profile
        switch-cert "xxxwc01-new"
        captive-portal-cert "xxxwc01-new"

    hostname "xxxwc01"
    crypto-local pki TrustedCA Rock-CA-2018 Rock-CA.cer
    crypto-local pki ServerCert xxxwc01-new xxxwc011_Rock_local.pfx
    crypto-local pki rcp "Rock-CA-2018"
        revocation-check none

    aaa authentication dot1x "dot1x_prof-hhh"
        ca-cert "Rock-CA-2018"
        server-cert "xxxwc01-new"

    Note:

    The new certificate name will be inherited from the new location name, as shown below:

    web-server profile
        switch-cert "YYYwc01-new"
        captive-portal-cert "YYYwc01-new"

    hostname "YYYwc01"
    crypto-local pki TrustedCA Rock-CA-2018 Rock-CA.cer
    crypto-local pki ServerCert YYYwc01-new YYYwc01_Rock_local.pfx
    crypto-local pki rcp "Rock-CA-2018"
        revocation-check none

    aaa authentication dot1x "dot1x_prof-aww78"
        ca-cert "Rock-CA-2018"
        server-cert "YYYwc01-new"

    Thanks in advance!



  • 2.  RE: Certificates Changing and configuration (Web Profile, sw cert, captive portal cert, auth dot1x cert)

    EMPLOYEE
    Posted Apr 13, 2020 08:11 AM

    The FQDNs of certificates cannot be changed once the certificates are imported into the controller. Changing the "friendly name" of the certificate also does not change anything.

     

    I would create a CSR offline for each certificate and submit it to your certificate authority.  If you create a CSR on the controller and make a mistake, it will only allow you to import the certificate with the mistake.  I would create a CSR offline, submit it to your CA and import that server certificate into your controller.  Many of your questions about certificates on the controller are answered here:  https://community.arubanetworks.com/t5/Controller-Based-WLANs/ArubaOS-Default-Certificate-Revocation-FAQ-Controllers/ta-p/275809
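
Added example, not part of the original posts: one way to do the offline CSR step from reply 2 with OpenSSL, checking the name in the request before it goes to the CA. The FQDN `YYYwc01.example.internal`, the `O=` value and the output file names are placeholders assumed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): create a key and CSR off the controller
# and check them before submitting to the CA.
# Assumptions: the FQDN, the O= value and the file names are placeholders;
# -addext needs OpenSSL 1.1.1 or later.

# make_csr FQDN OUTDIR -> writes OUTDIR/<host>.key and OUTDIR/<host>.csr
make_csr() {
    fqdn=$1; out=$2; host=${fqdn%%.*}
    ( umask 077   # private key readable by its owner only
      openssl req -new -newkey rsa:2048 -nodes \
          -keyout "$out/$host.key" -out "$out/$host.csr" \
          -subj "/O=Example Org/CN=$fqdn" \
          -addext "subjectAltName=DNS:$fqdn" 2>/dev/null )
}

# check_csr CSR FQDN -> 0 only if the request's self-signature verifies and
# both the subject CN and a SAN entry carry the expected name
check_csr() {
    csr=$1; fqdn=$2
    openssl req -in "$csr" -noout -verify 2>&1 | grep -q "verify OK" || return 1
    text=$(openssl req -in "$csr" -noout -text 2>/dev/null) || return 1
    printf '%s\n' "$text" | grep -Eq "Subject:.*CN ?= ?$fqdn(,|\$)" || return 1
    printf '%s\n' "$text" | grep -Eq "DNS:$fqdn(,|\$)" || return 1
}

# key_matches_csr KEY CSR -> 0 if the CSR was generated from this private key
# (the same key is needed later to build the .pfx for import)
key_matches_csr() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl req -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Demo with a constructed placeholder name for the relocated controller.
demo_dir=$(mktemp -d)
make_csr "YYYwc01.example.internal" "$demo_dir" &&
check_csr "$demo_dir/YYYwc01.csr" "YYYwc01.example.internal" &&
key_matches_csr "$demo_dir/YYYwc01.key" "$demo_dir/YYYwc01.csr" &&
echo "CSR ready for the CA: $demo_dir/YYYwc01.csr"
```

Running `check_csr` with the old location's name against the new request returns non-zero, which catches a wrong name before the CA signs it.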



  • 3.  RE: Certificates Changing and configuration (Web Profile, sw cert, captive portal cert, auth dot1x cert)

    Posted Apr 15, 2020 03:04 PM

    Thank you so much, I will try and see.



  • 4.  RE: Certificates Changing and configuration (Web Profile, sw cert, captive portal cert, auth dot1x cert)

    EMPLOYEE
    Posted Apr 15, 2020 05:03 PM

    By the way, none of those certificates, except for the Management Page certificate, is at all tied to DNS. You could move the controller to another subnet and no WLAN client would ever operate differently. The HTTPS page that you log into the controller with will give you an error if the FQDN you use or the IP address you use is not on the certificate. Again, it will still let you into the controller. None of the other certificates are affected by or are tied to IP addresses, really.



  • 5.  RE: Certificates Changing and configuration (Web Profile, sw cert, captive portal cert, auth dot1x cert)

    Posted Apr 15, 2020 05:10 PM

    Great, but actually I will have to change the certificate because the current certificate has the name of the current location, so when I relocate I need a new certificate with the new name. This is the customer standard.



  • 6.  RE: Certificates Changing and configuration (Web Profile, sw cert, captive portal cert, auth dot1x cert)

    EMPLOYEE
    Posted Apr 15, 2020 05:10 PM

    Got it.