Managing Certificates

The Mobility Conductor is designed to provide secure services through the use of digital certificates. A digital certificate is an electronic document that uses a digital signature to bind a public key to an identity, such as the name of a person or an organization, an address, and so forth. Certificates provide security when authenticating users and computers and eliminate the need for less secure password-based authentication.


Starting from ArubaOS 8.0.1.0, Mobility Conductor and managed devices generate a default certificate (the controller-issued server certificate) while booting, so that the managed device can authenticate itself for captive portal and WebUI management access. A captive portal is a web page on which users authenticate and sign in before connecting to a public-access network; captive portals are typically used by business centers, airports, hotel lobbies, coffee shops, and other venues that offer free Wi-Fi hotspots to guest users. The controller-issued server certificate is used as the default certificate for WebUI authentication, 802.1X termination (802.1X is the IEEE standard for port-based network access control that lets a central authority authenticate users on an 802.11 WLAN), and SSO (Single Sign-On, which lets a user log in once to access multiple related but independent applications or systems, authenticating the user across all allowed resources for the session and eliminating additional login prompts).

ArubaOS 8.0.1.0 replaces the default self-signed server certificate of ArubaOS 8.0.0.0 with the controller-issued server certificate.

Aruba strongly recommends that you replace the default certificate with a custom certificate issued for your site or domain by a trusted CA (Certificate Authority). The CA is the entity in a public key infrastructure that issues certificates to clients: it converts a CSR (Certificate Signing Request, the message an applicant sends to a CA to apply for a digital identity certificate) into a certificate by adding a signature generated with the CA's private key. This section describes how to generate a CSR to submit to a CA and how to import the signed certificate received from the CA into the managed device.

The managed device supports client authentication using digital certificates for specific user-centric network services, such as AAA (Authentication, Authorization, and Accounting) FastConnect, VPN (Virtual Private Network, which gives a remotely located computer secure access to a corporate network across shared or public networks; see Virtual Private Networks), and WebUI and SSH (Secure Shell) management access. Each service can employ different sets of client and server certificates.

During certificate-based authentication, the managed device presents its server certificate to the client. After validating the server certificate of the managed device, the client presents its own certificate to the managed device. To validate the client certificate, the managed device checks the CRL (Certificate Revocation List, the list of revoked certificates maintained by a certification authority) published by the CA that issued the client certificate. After validating the client certificate, the managed device can also check the user name in the certificate against the configured authentication server; this check is optional and configurable.
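The CSR-to-import procedure described above and the chain, CRL and user-name checks in this paragraph, walked through end to end with openssl against a throwaway lab CA. This is an added example, not part of the ArubaOS documentation and not the managed device's own commands; it assumes openssl is installed, and the CA name (lab-ca), the device name (mc.example.com) and the user names (alice, rogue) are constructed.

```shell
#!/bin/sh
# Added example (not from the ArubaOS documentation). A scratch PKI built with
# openssl: key + CSR for the managed device, CA signature, pre-import checks,
# and the chain/CRL/user-name checks applied to client certificates.
# All names below are constructed; WORK is a throwaway directory.

WORK="${WORK:-$(mktemp -d)}"
CNF="$WORK/openssl.cnf"

# Minimal config: [req] so CSR generation needs no system config, [ca] so the
# lab CA keeps a database (required to revoke a certificate and issue a CRL).
cat > "$CNF" <<EOF
[ req ]
distinguished_name = req_dn
[ req_dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_leaf ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[ ca ]
default_ca = lab_ca
[ lab_ca ]
database = $WORK/index.txt
serial = $WORK/serial
new_certs_dir = $WORK
certificate = $WORK/ca.crt
private_key = $WORK/ca.key
default_md = sha256
default_days = 30
default_crl_days = 30
x509_extensions = v3_leaf
policy = policy_any
[ policy_any ]
commonName = supplied
EOF
: > "$WORK/index.txt"
echo 1000 > "$WORK/serial"

# Stand-in for the trusted CA: a self-signed root.
openssl req -config "$CNF" -x509 -extensions v3_ca -newkey rsa:2048 -nodes -days 30 \
  -subj "/CN=lab-ca" -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null

# Step 1: the private key stays on the device; only the CSR goes to the CA.
make_csr() {  # $1 = file basename, $2 = subject CN
  openssl req -config "$CNF" -new -newkey rsa:2048 -nodes \
    -subj "/CN=$2" -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
}

# Step 2: the CA signs the CSR and records its serial so it can be revoked later.
ca_sign() {  # $1 = file basename
  openssl ca -config "$CNF" -batch -notext \
    -in "$WORK/$1.csr" -out "$WORK/$1.crt" >/dev/null 2>&1
}

# Pre-import check: the returned certificate must chain to the trusted CA and
# carry the public key that matches the private key from step 1. Echoes OK/FAIL.
import_check() {  # $1 = file basename
  if openssl verify -CAfile "$WORK/ca.crt" "$WORK/$1.crt" >/dev/null 2>&1 \
     && [ "$(openssl x509 -in "$WORK/$1.crt" -noout -pubkey 2>/dev/null)" = \
          "$(openssl pkey -in "$WORK/$1.key" -pubout 2>/dev/null)" ]; then
    echo OK
  else
    echo FAIL
  fi
}

# What the managed device does with a client certificate: reject an unknown
# issuer, then consult the issuing CA's CRL. Echoes untrusted/revoked/valid.
crl_status() {  # $1 = file basename
  cat "$WORK/ca.crt" "$WORK/ca.crl" > "$WORK/bundle.pem"
  if ! openssl verify -CAfile "$WORK/ca.crt" "$WORK/$1.crt" >/dev/null 2>&1; then
    echo untrusted
  elif openssl verify -crl_check -CAfile "$WORK/bundle.pem" "$WORK/$1.crt" >/dev/null 2>&1; then
    echo valid
  else
    echo revoked
  fi
}

# Optional user-name check: the CN the device would match against its
# configured authentication server.
cert_user() {  # $1 = file basename
  openssl x509 -in "$WORK/$1.crt" -noout -subject | sed 's/.*CN *= *//'
}

make_csr mc mc.example.com && ca_sign mc        # managed device server cert
make_csr alice alice && ca_sign alice          # client cert, revoked below
openssl req -config "$CNF" -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=rogue" \
  -keyout "$WORK/rogue.key" -out "$WORK/rogue.crt" 2>/dev/null   # not CA-issued

openssl ca -config "$CNF" -revoke "$WORK/alice.crt" >/dev/null 2>&1
openssl ca -config "$CNF" -gencrl -out "$WORK/ca.crl" >/dev/null 2>&1

echo "server cert import check: $(import_check mc)"
for u in mc alice rogue; do echo "$u: $(crl_status "$u") (CN=$(cert_user "$u"))"; done
```

The import check matters in practice because a CA can return a certificate for a different CSR than the one submitted; comparing the public keys catches that before the device is left with a certificate it has no private key for. The revocation check only works if the device can obtain a current CRL, so the CRL distribution path is part of the deployment, not an afterthought.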