Aruba Central Online Help

Certificates

By default, Aruba Central includes a self-signed certificate that is available on the Certificates page. The default certificate is not signed by a root certificate authority (CA). A CA is an entity in a public key infrastructure system that issues certificates to clients; a certificate signing request received by the CA is converted into a certificate when the CA adds a signature generated with a private key. For devices to validate and authorize Aruba Central, administrators must upload a valid certificate signed by a root CA.

Aruba devices use digital certificates (electronic documents that use a digital signature to bind a public key with an identity, such as the name of a person or an organization, address, and so forth) for authenticating a client's access to user-centric network services. Most devices such as controllers and Instant APs include a server certificate by default for captive portal server authentication. A captive portal is a web page that allows users to authenticate and sign in before connecting to a public-access network. However, Aruba recommends that you replace the default certificate with a custom certificate issued for your site or domain by a trusted CA. Certificates can be stored locally on the devices and used for validating device or user identity during authentication.

Aruba Central-managed devices such as Instant AP and switches support the following root CA certificates:

Instant APs

Switches

  • AddTrust
  • GeoTrust
  • VeriSign
  • Go Daddy
  • Comodo
  • GeoTrust

Uploading Certificates

To upload certificates, complete the following steps:

  1. In the Network Operations app, set the filter to Global.
  2. Under Maintain, click Organization.
  3. Select the Certificates tab.

    The Certificates page opens.

  4. Click the plus icon to add the certificate to the certificate store.
  5. In the Add Certificate dialog box, do the following:
    1. In the Name text box, specify the certificate name.
    2. Select the type of certificate. You can select any one of the following certificates:
    3. From the Format drop-down list, select a certificate format; for example, PEM, DER, and PKCS12.
    4. In the Passphrase text box, enter a passphrase.
    5. In the Retype Passphrase text box, retype the passphrase for confirmation.

      The Passphrase and Retype Passphrase text boxes are displayed only when you select Server Certificate from the Type drop-down list.

    6. In the Certificate File field, click Browse and select the certificate files.
    7. Click Add. The certificate is added to the Certificate Store.

Managing Certificates on Instant APs Configured Using Templates

Aruba Central supports uploading multiple certificates to Instant APs configured using templates. You can manage certificates either from the Aruba Central UI or through the API (Application Programming Interface) Gateway. For more information about APIs, see API Documentation.

To push certificates to Instant APs configured using templates:

  1. Upload certificate(s) through one of the following methods:
  2. Get the certificate name and MD5 (Message Digest 5, a widely used hash function producing a 128-bit hash value from the data input) checksum through one of the following methods:
    • UI—In the Network Operations app, filter All Devices. Under Maintain, click Organization and select the Certificates tab. The Certificate Store table displays these details.
    • API—Use the [GET] /configuration/v1/certificates API.
  3. In the template, anywhere before the per-ap settings block, depending on your requirement, add one or more of the following commands:
    ca-cert-checksum <ca_cert_checksum/ca_cert_name>
    cp-cert-checksum <captive_portal_cert_checksum/captive_portal_cert_name>
    radsec-ca-checksum <radsec_ca_checksum/radsec_ca_name>
    radsec-cert-checksum <radsec_cert_checksum/radsec_cert_name>
    server-cert-checksum <server_cert_checksum/server_cert_name>

    You can either use the certificate name or the checksum value in the command. Or, you can set it as a variable and enter the variable value for the Instant AP. Aruba recommends using the certificate name.

Example 1

ca-cert-checksum my_default_cert

Example 2

ca-cert-checksum %ca_cert_name%
variable: { "ca_cert_name": "my_default_cert" }
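
The following check is an added example, not part of the Aruba documentation or Aruba's own code: a small Python linter that confirms each certificate command in a template resolves to a certificate present in the Certificate Store and sits before the per-ap settings block. The name/md5 record shape, the per-ap-settings keyword used to detect the block, and all sample data are assumptions constructed for illustration; map the output of [GET] /configuration/v1/certificates into that shape before calling it.

```python
import re
# The five certificate commands this page lists for templates.
CERT_COMMANDS = {"ca-cert-checksum", "cp-cert-checksum", "radsec-ca-checksum",
                 "radsec-cert-checksum", "server-cert-checksum"}

def lint_template(template, variables, store):
    """Return (line_no, message) findings for certificate commands in a template."""
    names = {c["name"] for c in store}            # assumed record shape: name + md5
    checksums = {c["md5"].lower() for c in store}
    findings, after_per_ap = [], False
    for no, raw in enumerate(template.splitlines(), start=1):
        parts = raw.split()
        if parts and parts[0] == "per-ap-settings":   # assumed opening keyword of the block
            after_per_ap = True
        if not parts or parts[0] not in CERT_COMMANDS:
            continue
        cmd = parts[0]
        if len(parts) != 2:
            findings.append((no, f"{cmd}: expected exactly one argument"))
            continue
        if after_per_ap:
            findings.append((no, f"{cmd}: placed after the per-ap settings block"))
        value = parts[1]
        var = re.fullmatch(r"%(\w+)%", value)
        if var:                                       # resolve a %variable% reference
            if var.group(1) not in variables:
                findings.append((no, f"{cmd}: variable {var.group(1)} has no value"))
                continue
            value = variables[var.group(1)]
        if value in names:
            continue
        if value.lower() in checksums:
            findings.append((no, f"{cmd}: uses a checksum; the certificate name is recommended"))
        else:
            findings.append((no, f"{cmd}: '{value}' is not in the certificate store"))
    return findings

# Constructed sample data: not a real certificate store or template.
STORE = [{"name": "my_default_cert", "md5": "0123456789abcdef0123456789abcdef"}]
VARIABLES = {"ca_cert_name": "my_default_cert"}
TEMPLATE = """ca-cert-checksum %ca_cert_name%
server-cert-checksum 0123456789ABCDEF0123456789ABCDEF
cp-cert-checksum guest_portal_cert
per-ap-settings %ap_mac%
radsec-ca-checksum my_default_cert
"""
if __name__ == "__main__":
    for line_no, message in lint_template(TEMPLATE, VARIABLES, STORE):
        print(f"line {line_no}: {message}")
```

Running such a check before saving the template catches a command that points at a certificate that was never uploaded, which would otherwise leave the Instant AP without the intended trust anchor or server certificate.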