Authentication Certificates

A certificate is a digital file that certifies the identity of the organization or products of the organization. It is also used to establish your credentials for any web transactions. It contains the organization name, a serial number, expiration date, a copy of the certificate-holder's public key, and the digital signature of the certificate-issuing authority so that a recipient can ensure that the certificate is real.

There is a default server certificate installed in the controller to demonstrate the authentication of the controller for Captive Portal and WebUI management access. However, this certificate does not guarantee security in production networks. Aruba strongly recommends that you replace the default certificate with a custom certificate issued for your site or domain by a trusted CA.

Instant supports the following certificate types in either PEM or DER format:

Uploading Public Certificates

Public certificates must be bundled with the intermediate certificate, root certificate, and the private key issued by the certificate authority to be supported by the Instant AP. The system will reject the public certificate if it is not bundled with the supporting certificates and the private key. Use the following procedure to bundle public certificates for Instant APs:

  1. Open the certificate file using a text editor.
  2. Copy and paste the intermediate certificate, root certificate, and the private key below the certificate in the following order:
    1. Certificate
    2. Intermediate certificate
    3. Root certificate
    4. Private key
  3. Save the certificate file.

Ensure that there are no blank spaces or blank lines in the certificate file.
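The bundling rules above (certificate, intermediate, root, private key, with no blank lines or stray spaces) can be applied and checked with a short script before upload. This is an added example, not Aruba code; the function names and the PEM bodies are constructed placeholders, and it checks file structure only.

```python
import re

BEGIN = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----")

def normalize_pem(text):
    """Strip CRs, blank lines and edge whitespace from one PEM file."""
    lines = (ln.strip() for ln in text.replace("\r", "").split("\n"))
    return "\n".join(ln for ln in lines if ln)

def build_bundle(cert, intermediate, root, key):
    """Join the parts in the documented order: cert, intermediate, root, key."""
    parts = (cert, intermediate, root, key)
    return "\n".join(normalize_pem(p) for p in parts) + "\n"

def check_bundle(text):
    """Return a list of structural problems; an empty list means none found."""
    problems, labels = [], []
    body = text[:-1] if text.endswith("\n") else text  # one final newline is fine
    for n, line in enumerate(body.split("\n"), 1):
        if not line.strip():
            problems.append(f"line {n}: blank line")
        elif line != line.strip():
            problems.append(f"line {n}: leading or trailing whitespace")
        m = BEGIN.fullmatch(line.strip())
        if m:
            labels.append(m.group(1))
    certs = labels.count("CERTIFICATE")
    keys = [l for l in labels if l.endswith("PRIVATE KEY")]
    if certs < 3:
        problems.append(f"need certificate, intermediate and root; found {certs} CERTIFICATE block(s)")
    if len(keys) != 1:
        problems.append(f"need exactly one private key; found {len(keys)}")
    elif not labels[-1].endswith("PRIVATE KEY"):
        problems.append("private key must be the last block")
    # Which CERTIFICATE block is leaf/intermediate/root is not checked here:
    # that needs X.509 parsing (compare each issuer with the next subject).
    return problems

def _pem(label, body):  # constructed placeholder, not a real certificate or key
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

LEAF = _pem("CERTIFICATE", "Q09OU1RSVUNURUQtTEVBRg==")
INTER = _pem("CERTIFICATE", "Q09OU1RSVUNURUQtSU5U")
ROOT = _pem("CERTIFICATE", "Q09OU1RSVUNURUQtUk9PVA==")
KEY = _pem("PRIVATE KEY", "Q09OU1RSVUNURUQtS0VZ")

if __name__ == "__main__":
    # Editor-style input: CRLF line endings and a stray blank line in the leaf.
    messy_leaf = LEAF.replace("\n", "\r\n") + "\r\n"
    print(check_bundle(messy_leaf + INTER + ROOT + KEY))
    print(check_bundle(build_bundle(messy_leaf, INTER, ROOT, KEY)))
```

The resulting file holds the private key alongside the certificates, so keep it readable only by the administrator preparing the upload and remove working copies afterwards.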

Installing Certificates on the Instant AP

Certificates must be imported and assigned to an application to take effect. This allows you to install and use third-party certificates for specific applications. This feature is currently available only in Instant networks that are managed locally and is not supported in Central or AirWave deployments.

Certificates can be assigned to applications using the WebUI or CLI. Applications can be configured with one or more certificates, if required. In cluster configurations, certificate import and assignment can be carried out only on the conductor AP.

Central and AirWave deployments will continue to use the legacy method of installing certificates.

Since Central does not support this feature, ensure that the wlan cert-assignment-profile and the installed certificates are removed on the AP before connecting it to Central. The AP might fail to provision if the application assignment and certificates are not removed.

This section contains the following procedures:

Managing Certificates in the WebUI

The following procedures describe how to import, assign and remove certificates on the Instant AP:

  1. To import certificates to the Instant AP:
    1. Navigate to the Maintenance > Certificates page.
    2. To upload a certificate, click Upload New Certificate. The New Certificate window is displayed.
    3. Click Browse and select the appropriate certificate file you want to upload.
    4. In the Certificate name text box, enter a name for the certificate.
    5. Select the certificate type from the Certificate type drop-down list. You can select any of the following certificate types:
      1. Public—Public key certificate
      2. Server—Server certificate
      3. Trusted CA—CA certificate to validate the identity of the client.
      4. Client—Client certificate
    6. Select the certificate format from the Certificate format drop-down list.
    7. If you have selected Public, Server, or Client as the Certificate Type, enter a passphrase in Passphrase and confirm the passphrase in the Retype Passphrase field. If the certificate does not include a passphrase, there is no passphrase required.
    8. Click Upload Certificate to complete the certificate upload.
  2. To assign a certificate to an application:

    1. Navigate to the Maintenance > Certificates page.
    2. Click on Certificate Usage.
    3. Click on the + icon to assign certificates to an application. The New Certificate Assignment window is displayed.
    4. Select the application you want to assign a certificate from the Application drop-down list.
    5. Select the certificate type from the Certificate type drop-down list.
    6. Select the certificate name from the Certificate name drop-down list.
    7. Click OK to assign the certificate to the application.
  3. To delete a certificate assigned to an application:

    1. Navigate to the Maintenance > Certificates page.
    2. Click on Certificate Usage.
    3. Select the certificate assignment you want to delete and click on delete.
    4. Click OK to delete the certificate assignment.

Managing Certificates in the CLI

The following CLI command imports a certificate to the AP:

(Instant AP)#crypto pki-import

The following CLI command assigns certificates for an application:

(Instant AP)(config)#wlan cert-assignment-profile

The following CLI command removes a certificate on an AP:

(Instant AP)#crypto pki-remove

The following CLI command shows certificates installed on the AP:

(Instant AP)#show cert assignment

For more information, see Aruba Instant 8.x CLI Reference Guide.

Loading Certificates Through AirWave

You can manage certificates using AirWave. The AMP directly provisions the certificates and performs basic certificate verification (such as certificate type, format, version, serial number, and so on) before accepting the certificate and uploading to an Instant AP network. The AMP packages the text of the certificate into an HTTPS message and sends it to the virtual controller. After the virtual controller receives this message, it draws the certificate content from the message, converts it to the right format, and saves it on the RADIUS server.

To load a certificate in AirWave:

  1. Navigate to Device Setup > Certificates and then click Add to add a new certificate. The Certificate window is displayed.
  2. Enter the certificate Name, and click Choose File to browse and upload the certificate.
  3. Select the appropriate Format that matches the certificate filename.
  4. Select Server Cert for certificate Type, and provide the passphrase if you want to upload a server certificate.
  5. Select either Intermediate CA or Trusted CA certificate Type, if you want to upload a CA certificate.
  6. After you upload the certificate, navigate to Groups, click the Instant Group and then select Basic. The Group name is displayed only if you have entered the Organization name in the WebUI. For more information, see Configuring Organization String.

    The Virtual Controller Certificate section displays the certificates (CA cert and Server).

  7. Click Save to apply the changes only to AirWave. Click Save and Apply to apply the changes to the Instant AP.
  8. To clear the certificate options, click Revert.

Loading Customized Certificates from AirWave

AirWave also provides users with the option of uploading customized certificates on the Instant AP. The customized certificate is uploaded on AirWave and then pushed to the Instant AP from the AirWave UI.

  • Before uploading the new customized certificate, ensure that you uninstall any existing customized certificates on the Instant AP:

(Instant AP)# clear-cert-airwaveca

  • Upload the customized certificate to AirWave and push it to the Instant AP. Refer to Loading Certificates Through AirWave.
  • Once the new customized certificate is uploaded to the Instant AP, verify the certificate installation using the following command:

(Instant AP)# show ap checksum

Perform these steps after you have verified that the new customized certificate is successfully installed on the Instant AP:

  1. Delete the PSK configuration from the Instant AP using the following command:

    (Instant AP)(config)# no ams-key

  2. Add a DNS server and link the AMP IP address with the domain name of the new customized certificate.
  3. Configure the AMP IP address.

    (Instant AP)(config)# ams-ip <domain_name>

  4. In the AirWave UI, navigate to AMP Setup > General > Aruba Instant Options > Change SSL Change and click Change. Ensure you delete the ams-key for cert-only mode or cert and psk mode.
  5. Add the Instant AP to AMP again.

Automatic Update of CA Certificate Bundle

The CA certificate bundle on the AP is updated automatically when a new version of the CA certificate bundle is available on Activate. In addition to automatic updates, a new CLI command is introduced to manually trigger the update. The CA certificate bundle update can only be triggered using the CLI.

The following CLI command triggers the CA certificate bundle upgrade on the AP:

(Instant AP)# ca-bundle update

The following CLI command displays the version details of the CA certificate bundle on the AP:

(Instant AP)# show ca-bundle version

The following CLI command displays the upgrade status of the CA certificate bundle:

(Instant AP)# show ca-bundle upgrade status

The following CLI command resets the CA certificate bundle to the factory default version:

(Instant AP)# ca-bundle reset