Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.
  • 1.  ServerCert

    Posted Apr 04, 2013 03:05 AM

    Hi,

     

    If I use the CSR tool in the controller GUI to obtain a ServerCert, can I use this same cert across multiple controllers for dot1x termination?

     

    I also read on here that if using the openssl method to generate the CSR, once you get the cert from the CA, you have to chain it with your private key before you can upload to the controller. How come chaining of the private key is not needed if using the built-in CSR tool in the controller GUI?

     

    https://arubanetworkskb.secure.force.com/pkb/articles/HowTo/R-772

     

    Thanks,

    ckc



  • 2.  RE: ServerCert

    EMPLOYEE
    Posted Apr 04, 2013 05:23 AM

    @ckc527 wrote:

    Hi,

     

    If I use the CSR tool in the controller GUI to obtain a ServerCert, can I use this same cert across multiple controllers for dot1x termination?

     

    I also read on here that if using the openssl method to generate the CSR, once you get the cert from the CA, you have to chain it with your private key before you can upload to the controller. How come chaining of the private key is not needed if using the built-in CSR tool in the controller GUI?

     

    https://arubanetworkskb.secure.force.com/pkb/articles/HowTo/R-772

     

    Thanks,

    ckc


    You can use it across multiple controllers, yes.

     

    Like the article states, you must do chaining if the server certificate was issued from an intermediate CA, because it might not be trusted by your workstations.  That is certainly an advanced topic.

     



  • 3.  RE: ServerCert

    Posted Apr 04, 2013 02:00 PM

    Sorry, I'm still new at PKI so need some more clarifications. I'm confused between the two methods of generating a CSR, i.e. via the controller GUI vs. OpenSSL.

     

    With the controller GUI, you generate the CSR using the tool, submit it to your CA and upload the cert to the controller.  With OpenSSL, you generate the CSR w/ a private key, submit it to your CA, chain the cert and private key together then upload to the controller. How come the private key needs to be chained w/ the cert using the OpenSSL method but not with the GUI method?

     

    Also, are all the private keys the same on all controllers?

     

    Thanks,

    ckc

     

     



  • 4.  RE: ServerCert
    Best Answer

    EMPLOYEE
    Posted Apr 04, 2013 02:04 PM

    Okay.

     

    Now I understand.

     

    The controller does not export the private key, so when you generate the CSR, after you get the server cert, it must match the private key in the controller.  That means you cannot copy the same certificate to multiple controllers when using that method.

     

    With OpenSSL, since you have control over the private key, you should be able "technically" to upload it to multiple controllers (as long as you have not generated a CSR with the controller).

     

    I apologize for the confusion.
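
The key-matching point in the answer above, as an added example that is not part of the original thread and is not Aruba tooling: it checks with OpenSSL that a certificate's public key matches a private key before chaining the two into one PEM file. The function names, file names, the `dot1x.example.test` subject, the self-signed test certificate and the certificate-then-key order in the bundle are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example. All keys, certificates and paths below are constructed test data.

# Succeeds only if the certificate ($1) and the private key ($2) carry the
# same public key. Exit status 2 means a file could not be parsed.
cert_matches_key() (
  c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || exit 2
  k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || exit 2
  [ -n "$c" ] && [ "$c" = "$k" ]
)

# Chain certificate ($1) and private key ($2) into one PEM file ($3),
# refusing to write anything if they do not belong together.
build_bundle() (
  cert_matches_key "$1" "$2" || { echo "certificate does not match key" >&2; exit 1; }
  umask 077                      # the bundle contains the private key
  cat "$1" "$2" > "$3"
)

# Constructed scenario: controller A and controller B each hold their own
# key; the certificate was issued for A's key (self-signed here for brevity).
make_demo() (
  d=$(mktemp -d)
  openssl genrsa -out "$d/ctrlA.key" 2048 2>/dev/null
  openssl genrsa -out "$d/ctrlB.key" 2048 2>/dev/null
  openssl req -x509 -new -key "$d/ctrlA.key" -subj "/CN=dot1x.example.test" \
    -days 1 -out "$d/server.crt" 2>/dev/null
  echo "$d"
)

demo_dir=$(make_demo)
if cert_matches_key "$demo_dir/server.crt" "$demo_dir/ctrlA.key"; then
  echo "controller A key: matches the certificate"
fi
if ! cert_matches_key "$demo_dir/server.crt" "$demo_dir/ctrlB.key"; then
  echo "controller B key: does not match, certificate unusable there"
fi
# With a key you generated yourself, the same bundle can go to every controller.
build_bundle "$demo_dir/server.crt" "$demo_dir/ctrlA.key" "$demo_dir/bundle.pem" \
  && echo "bundle written: $demo_dir/bundle.pem"
rm -rf "$demo_dir"
```
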



  • 5.  RE: ServerCert

    Posted Apr 04, 2013 02:26 PM

    Thank you. Now I'm clear on which method I must use.

     

    ckc