Wireless Access

Hi Guys,

 

As we know that, the "securelogin.arubanetworks.com" certificate has been revoked by GeoTrust as it was compromised.

 

But is Aruba team has any intention to replace a new cert or self-signed cert like IAP in future OS release except suggesting the users to swap to private cert/public cert as resolution?

 

Thanks.

 

A public cert is always recommended for captive portal authentication. Self-signed certs are generated for the web UI using the common name instant.arubanetworks.com

Hi Cappalli,

 

I understand public cert/ own private cert is recommended for deployments. But there are still some SME users are adapted to the securelogin cert for easy setup since;

 1. they do not have any CA server running in current

 2. they have no intention to purchase a public cert for aruba as this is an additional cost for them.

3. Captive portal is only for their internal guest usage so they are fine with it.

 

Thus, I am wondering is Aruba has intention re-insert a new cert or changed it to self-sign cert like IAP which controller do not have in current??

 

It would be useful for every existing customer that sticking to the securelogin cert.

 

If you don't use a public certificate, guest users will receive a certificate error. No internal PKI environment is required. A public cert can be acquired for $10-$30.

Please read my question above your post... I just cant figure it out... And i have a public cert that i would like to use it on internal captive , i uploaded it to the controller and choose it.. buy still getting an error .. because its must be with the same common name... What in doing wrong?

Kdisc,

Can you create a new thread? Hard to follow both sets of questions.

Yes, correct.

Thus securelogin cert is work flawlessly for users until the revocation in recent.

 

I know a public / private server from own CA is always recommended than using the aruba default cert.

But still, don't Aruba team have intention to replace this or offering any alternate solution like self-signed as IAP do since the securelogin cert been offered over the years and now suddenly it is gone.

Self-signed certificates will be generated in new versions of code but client devices will still throw errors due to it being self-signed.

Hi Cappalli,

 

Thanks. Do you have idea which code release it would be?

On the controller side, it was 6.5.0.1. I'll try and find out for Instant.

In the meantime, a self-signed cert can be easily generated by anyone and uploaded to the VC. Instructions are provided in the FAQ.

Hi Cappalli,

 

Thanks for your quick response on the controller part.

then i will wait for the 6.5.1 release note.

 

Hi guys,

I tried to update IAP204-205 version to release 6.5.0.0-4.3.0.0 and saw a new certificate on the AP's. It can be a solution but some of deployed AP's don't have the release 6.5.0.0-4.3.0.0 update in the download page ( such as IAP104-105). You can try it if you don't have theese kind of AP's.

Before Update

Default Server Certificate:

Version       :3

Serial Number :01:DA:52

Issuer        :/C=US/O=GeoTrust Inc./OU=Domain Validated SSL/CN=GeoTrust DV SSL CA

Subject       :/serialNumber=lLUge2fRPkWcJe7boLSVdsKOFK8wv3MF/C=US/O=securelogin.arubanetworks.com/OU=GT28470348/OU=See www.geotrust.com/resources/cps (c)11/OU=Domain Control Validated - QuickSSL(R) Premium/CN=securelogin.arubanetworks.com

Issued On     :May 11 01:22:10 2011 GMT

Expires On    :Aug 11 04:40:59 2017 GMT

Signed Using  :SHA1-RSA

RSA Key size  :2048 bits

 

Default CP Server Certificate:

Version       :3

Serial Number :01:DA:52

Issuer        :/C=US/O=GeoTrust Inc./OU=Domain Validated SSL/CN=GeoTrust DV SSL CA

Subject       :/serialNumber=lLUge2fRPkWcJe7boLSVdsKOFK8wv3MF/C=US/O=securelogin.arubanetworks.com/OU=GT28470348/OU=See www.geotrust.com/resources/cps (c)11/OU=Domain Control Validated - QuickSSL(R) Premium/CN=securelogin.arubanetworks.com

Issued On     :May 11 01:22:10 2011 GMT

Expires On    :Aug 11 04:40:59 2017 GMT

Signed Using  :SHA1-RSA

RSA Key size  :2048 bits

 

After Update :

kucuksistemodasi# show cert

 

Default Server Certificate:

Version       :3

Serial Number :B0:AF:C2:6A:09:93:85:18

Issuer        :/C=US/ST=California/O=Aruba Networks/OU=Instant/CN=securelogin.arubanetworks.com

Subject       :/C=US/ST=California/L=Sunnyvale/O=Aruba Networks/OU=Instant/CN=securelogin.arubanetworks.com

Issued On     :Sep  9 04:58:42 2016 GMT

Expires On    :Sep  8 04:58:42 2020 GMT

Signed Using  :SHA256-RSA

RSA Key size  :2048 bits

 

Default CP Server Certificate:

Version       :3

Serial Number :B0:AF:C2:6A:09:93:85:18

Issuer        :/C=US/ST=California/O=Aruba Networks/OU=Instant/CN=securelogin.arubanetworks.com

Subject       :/C=US/ST=California/L=Sunnyvale/O=Aruba Networks/OU=Instant/CN=securelogin.arubanetworks.com

Issued On     :Sep  9 04:58:42 2016 GMT

Expires On    :Sep  8 04:58:42 2020 GMT

Signed Using  :SHA256-RSA

RSA Key size  :2048 bits

 

Device Certificate:

Version       :3

Serial Number :62:3B:15:0A:00:00:00:0F:83:71

Issuer        :/UID=com/UID=arubanetworks/UID=dc-device-ca5/CN=device-ca5

Subject       :/CN=CK0026803::ac:a3:1e:c5:8c:10

Issued On     :Sep 24 18:48:05 2014 GMT

Expires On    :Sep 14 03:21:14 2032 GMT

Signed Using  :SHA1-RSA

RSA Key size  :2048 bits

 

Best Regards,

Hakan UZUNCA

Hi Cappalli,

 

just a quick question.

Is the upcoming patch for certification including 6.3 and 6.4 as well? because some legacy AP is not supporting AOS6.5.

I'm not sure. I will try to find out.



Just generate a self-signed cert and add it to the controller/VC.

Hi Cappalli,

 

Alright. thanks!

Starting in 4.2.4.3 and 4.3.0.0, there will be a pre-loaded self-signed certificate.

Hi Cappalli,

 

Is this documented in aruba KB or website?

I tried to look for this info in Instant 4.3.0.0 release note but it is not listed.

 

 

Except the instructions dont work. I've tried them. Getting tired of trying different methods and no one has a clear answer or instructions that worked for me.

Are you using a public, private or self-signed cert?

I dont have any certs yet. Trying to create one. A self-signed id like to use. All the different instructions I've tried do not work. On my VC I only have a CA or auth server option. So I even tried creating a linux server and setup my own CA to create a private key, public cert, and intermediate root certificate. Using CAT to combine them in the order shown in the instructions here >https://community.arubanetworks.com/t5/Controller-less-WLANs/ArubaOS-Default-Certificate-Revocation-FAQ-Instant/ta-p/275814

If you upgrade to Instant 4.2.4.3, it will automatically create a self-signed certificate...

 

 

As stated a few times already, it is highly unlikely that Aruba will get a new public certificate for inclusion in the product. I agree it was convenient, but there will not be a new one. Even if there would be a new one, the risk that the new certificate would be revoked in short-term is near to 100%.

 

If cost is the reason not to get a certificate, and you can get certs for as less as $10 per year, you may consider one of the free Certificate Authorities that are out there. Three that come up to my mind, are StartSSL, WoSign and Let's Encrypt, that give out respectively 1 year, 3 year and 90 day publicly trusted certificates at zero cost. You just need a domain-name for that. Those free CA's may not give you the same trust, or client support as the paid Certificate Authorities, I found that for most lab usage they work pretty well, and I have not experienced issues with them.

 

But a public cert must us common name ... Of a domain name. and the Captive portal is located internally and user redirected to it via ip address .
Even if i choose the public cert users getting error because the public cert is assigened to a domain name.

Please advise

Any domain name can be used for the captive portal cert. It doesn't actually have to resolve to anything.

If you are going to acquire a public cert, no CA is going to allow anyone but the rightful owner of arubanetworks.com to get a cert with a common name that includes arubanetworks.com.

 

Can you expand on how to resolve this issue w.r.t. an internal captive portal cert on an IAP?  I suppose simplest would be to change the captive portal URL from securelogin.arubanetworks.com to something else.  Is this possible?  (looked and have not found).  Thanks for your help with this.

You would get a cert for your own domain. Take a look at the FAQ. Everything is covered there.