Wireless Access

last person joined: yesterday 

Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.
Back to discussions
Expand all | Collapse all

Installing Certificates on MD with ArubaOS 8

This thread has been viewed 116 times

  • 1.  Installing Certificates on MD with ArubaOS 8

    Posted Dec 07, 2018 07:43 AM

    So I was trying to install a new publicly signed certificate onto an MD. When I logged into the MD itself, I was able to generate a CSR. However, when I tried to install the cert directly onto it, I got the following message:

     

    "This controller is managed by a Mobility Master. Configuration changes can only be performed on the Mobility Master."

     

    So I tried to install the same cert onto the Mobility Master and I got this message:

     

    "Cert public key did not match the private key in the CSR store."

     

    So finally, I regenerated the CSR on the mobility master and was able to install the cert onto the MD from there.

     

    My question is, is this the only way to install certificates onto MDs in 8.0? It seems cumbersome that you can only generate CSRs and install certs to one MD at a time since generating a new CSR on the mobility master overwrites the previous one. On the 6.x code I was able to do this on different controllers at the same time by logging into each controller and generating CSRs on them, then installing the certs directly to them, but the 8.0 code wont let me install the certs onto the MDs.



  • 2.  RE: Installing Certificates on MD with ArubaOS 8

    Posted Dec 07, 2018 09:22 AM
    Try using OpenSSL to generate the CSR
    https://www.ssl.com/how-to/manually-generate-a-certificate-signing-request-csr-using-openssl/





    Thank you

    Victor Fabian

    Pardon typos sent from Mobile


  • 3.  RE: Installing Certificates on MD with ArubaOS 8

    Posted Dec 12, 2018 12:17 PM

    As per ArubaOS 8.0.1, Mobility Master and managed devices generate a controller-issued server certificate.

     Steps:

    1.Generate a Certificate Signing Request (CSR) on the managed device

    2•Submit the CSR to a CA

    3•Get the signed server certificates (Public and Private)

    4•Install the server private certificate

    5•The client downloads the public certificate

    try with below steps:In the WebUI
    1. In the Managed Network node hierarchy, navigate to Configuration > System > Certificates.
    2. In the Import Certificates table click +.
    3. For Certificate Name, enter a user-defined name.
    4. For Certificate Filename, click Browse to navigate to the appropriate file on your computer.
    5. If the certificate is encrypted, enter and repeat the passphrase.
    6. Select the Certificate Format from the drop-down list.
    7. Select the Certificate Type from the drop-down list.
    8. Click Submit.



  • 4.  RE: Installing Certificates on MD with ArubaOS 8

    Posted Jan 03, 2019 10:23 AM
    @Sureshreddy wrote:

    As per ArubaOS 8.0.1, Mobility Master and managed devices generate a controller-issued server certificate.

     Steps:

    1.Generate a Certificate Signing Request (CSR) on the managed device

    2•Submit the CSR to a CA

    3•Get the signed server certificates (Public and Private)

    4•Install the server private certificate

    5•The client downloads the public certificate

    try with below steps:In the WebUI
    1. In the Managed Network node hierarchy, navigate to Configuration > System > Certificates.
    2. In the Import Certificates table click +.
    3. For Certificate Name, enter a user-defined name.
    4. For Certificate Filename, click Browse to navigate to the appropriate file on your computer.
    5. If the certificate is encrypted, enter and repeat the passphrase.
    6. Select the Certificate Format from the drop-down list.
    7. Select the Certificate Type from the drop-down list.
    8. Click Submit.

    When I do this I get a message saying that the private keys don't match. It seems as if I need to generate the CSR on the mobility master rather than on the MD itself.
     



  • 5.  RE: Installing Certificates on MD with ArubaOS 8

    Posted Apr 28, 2020 03:16 PM

    Are there any updates on this?

    Im currently having the same exact issue. The fix action that was suggested isn’t the fix action. I’m hoping that I don’t have to somehow remove the Controller from the cluster and Managed devices in order for me to add the certificate, as my controllers needing the CSR cert installed are all in the production environment 



  • 6.  RE: Installing Certificates on MD with ArubaOS 8

    MVP GURU
    Posted Apr 28, 2020 03:31 PM

    If you use openssl to generate the CSR, you wont have to worry about mismatching keys. The key gets stored when you generate the CSR on the device, and will keep it there until you generate another CSR. You will then make sure that your certificate includes the private key, and you should be able to import it. Your certificate should be constructed like the example below.

     

    -----BEGIN RSA PRIVATE KEY-----
    (Your Private Key: your_domain_name.key)
    -----END RSA PRIVATE KEY-----
    -----BEGIN CERTIFICATE-----
    (Your Primary SSL certificate: your_domain_name.crt)
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    (Your Intermediate certificate: IntermediateCA.crt)
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    (Your Root certificate: TrustedRoot.crt)
    -----END CERTIFICATE-----

     

     



  • 7.  RE: Installing Certificates on MD with ArubaOS 8

    EMPLOYEE
    Posted Apr 28, 2020 04:53 PM

    If you want to use a CSR generated on the devices within the MM infrastructure, be aware the the private key gets generated at the time the CSR was created and gets saved on the device.

    Here are the steps to get a server certificate on a given MD:

    1. Login to the MM and navigate to the MD device folder in the hierarchy

    2. Go to Configuration > System > Certificates

    3. Create a CSR destined to that MD

    4. Copy and paste the CSR into a file and upload it to your Certificate Authority

    5. Once you have a signed certificate, import it to the MM while in the same device hierarchy.

    6. Once you apply the changes, the certificate will show up on the MD.

     

    Another way is to create a CSR outside the Aruba infrastructure and combine the private key with the signed cert into the same PEM file, or as a PKCCS12/PFX binary format and upload to the appropriate MD.

     



  • 8.  RE: Installing Certificates on MD with ArubaOS 8

    Posted Aug 11, 2021 12:56 PM
    When we generated the cert using 3rd party software like openssl we had intermittent complaints from end users of our guest wireless getting cert errors on our captive portal. Also would get chrome sending users to the push button to connect to internet page. Once we generated a cert using the Mobility Master CSR process we never had a problem after that. Now it's time to renew do you know if I generate a new CSR will it cause any issues with production until we get the new cert installed.  You mentioned something about saving the private key on the MD.

    ------------------------------
    Kelly L
    ------------------------------

    Original Message