Wireless Access

Contributor I

Multiple Controllers, One CA Certificate

Hi everyone,


I hope you can help me with this issue...


I have 6 controllers on the network, and I have only one VeriSign certificate, which is working correctly (it is working in Captive Portal). I want to deploy the same certificate on the other controllers, but when I try to upload it, the error message "Error Uploading Certificate: Cert public key did not match the private key in the CSR store" appears.


How can I do that?





Aruba Employee

Re: Multiple Controllers, One CA Certificate

When you generate a CSR (certificate signing request) on a controller, a private key and a public key are generated. The private key is local to the controller and it is the public key that is sent to VeriSign for signature. When you load this certificate on another controller, it won't have the private key pair for this certificate and this is the reason you see this error. If you have 6 controllers you will need separate certificates.


Note: Remember the certificate common name is matched to the domain name of the controller. So if the certificate common name is x.company.com you should log in to x.company.com to eliminate the certificate warning message seen on the user's browser. If you log in to the controller with its IP instead of x.company.com you will still see the warning. If your purpose is to eliminate the certificate warning message seen on the user's browser you will need separate certificates.




Re: Multiple Controllers, One CA Certificate

On one occasion I generated a new certificate for the same domain name using a different CSR. If VeriSign allows that, you should be able to follow the procedure below.


This is cut from a previous post by Jon Green:


My advice would be that you NOT generate the CSR on the controller, because we specifically make it very difficult (if not impossible) to get the private key off the controller.
If you want to use the same certificate on multiple controllers, I would suggest following this workflow:

1. Find a Unix box with OpenSSL on it
2. Generate the private key
3. Generate the CSR, using your desired hostname as the CN
4. Get the certificate from the CA
5. Put the certificate and private key back together as a PFX / PKCS#12 file, which will be password protected
6. Load the resulting file on all your controllers

There are lots of resources online to tell you how to do these common OpenSSL operations.  The one I typically refer to is here: 

I'll cut and paste the important bits:

* Generate a new private key and Certificate Signing Request
 * openssl req -out CSR.csr -new -newkey rsa:2048 -nodes -keyout privateKey.key

* Convert a PEM certificate file and a private key to PKCS#12 (.pfx .p12)
 * openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt

Jon Green, ACMX, CISSP
Product Manager, Security
Aruba Networks



John Solberg

-ACMX #316 :: ACCX #902 :: ACSA
Aruba Partner Ambassador
Intelecom/NetNordic - Norway
Remember to Kudo if a post helped you! || Problem Solved? Click "Accept as Solution" in a post!
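
The six-step workflow quoted above, with a check that the issued certificate really matches the off-box private key before the PKCS#12 file is built, which is the mismatch behind the "Cert public key did not match the private key" upload error. This is an added example, not part of the original posts or of Aruba's tooling; the CN, the throwaway local CA standing in for the real CA, and the `PFX_PASS` variable are assumptions.

```bash
#!/usr/bin/env bash
# Added example. File names follow the commands quoted above; the CN, the
# throwaway CA and the PFX_PASS passphrase are constructed placeholders.

# Succeeds only if the certificate's public key is the one derived from the key file.
cert_matches_key() {   # args: certificate.crt privateKey.key
    local c k
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Step 5: bundle cert + key + CA chain, refusing a mismatched pair.
build_pfx() {          # args: cert key cacert out.pfx (passphrase in $PFX_PASS)
    cert_matches_key "$1" "$2" || { echo "cert/key mismatch: $1 $2" >&2; return 1; }
    openssl pkcs12 -export -out "$4" -inkey "$2" -in "$1" -certfile "$3" -passout env:PFX_PASS
}

# Steps 2-4 in a scratch directory, with a local CA standing in for the real one.
make_demo_files() {    # arg: directory
    local d=$1
    openssl req -new -newkey rsa:2048 -nodes -keyout "$d/privateKey.key" \
        -out "$d/CSR.csr" -subj "/CN=wlan.example.com" 2>/dev/null &&
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/ca.key" \
        -out "$d/CACert.crt" -subj "/CN=Constructed Test CA" -days 1 2>/dev/null &&
    openssl x509 -req -in "$d/CSR.csr" -CA "$d/CACert.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/certificate.crt" 2>/dev/null &&
    # A key generated independently, as a controller's own CSR store would hold.
    openssl genrsa -out "$d/other.key" 2048 2>/dev/null
}

demo() {
    local d; d=$(mktemp -d) || return 1
    export PFX_PASS="constructed-demo-passphrase"
    make_demo_files "$d" || return 1
    cert_matches_key "$d/certificate.crt" "$d/privateKey.key" && echo "own key: match"
    cert_matches_key "$d/certificate.crt" "$d/other.key" || echo "other key: mismatch"
    build_pfx "$d/certificate.crt" "$d/privateKey.key" "$d/CACert.crt" "$d/certificate.pfx" &&
        echo "wrote $d/certificate.pfx"
    # The bundle must open with the passphrase before it goes to the controllers.
    openssl pkcs12 -in "$d/certificate.pfx" -passin env:PFX_PASS -noout 2>/dev/null &&
        echo "pfx verified"
    rm -rf "$d"
}
demo
```

The resulting .pfx and privateKey.key carry the private key for every controller that loads them, so keep both off shared storage and delete the scratch copies once the upload is done.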