Aruba Instant 8.7.0.0 Online Help Center

Authentication Certificates

A certificate is a digital file that certifies the identity of the organization or products of the organization. It is also used to establish your credentials for any web transactions. It contains the organization name, a serial number, expiration date, a copy of the certificate-holder's public key, and the digital signature of the certificate-issuing authority so that a recipient can ensure that the certificate is real.

There is a default server certificate installed in the controller to demonstrate the authentication of the controller for Captive Portal and WebUI management access. However, this certificate does not guarantee security in production networks. Aruba strongly recommends that you replace the default certificate with a custom certificate issued for your site or domain by a trusted CA.

Instant supports the following certificate types in either PEM or DER format:

Uploading Public Certificates

Public certificates must be bundled with the intermediate certificate, root certificate, and the private key issued by the certificate authority to be supported by the Instant AP. The system will reject the public certificate if it is not bundled with the supporting certificates and the private key. Use the following procedure to bundle public certificates for Instant APs:

  1. Open the certificate file using a text editor.
  2. Copy and paste the intermediate certificate, root certificate, and the private key below the certificate in the following order:
    1. Certificate
    2. Intermediate certificate
    3. Root certificate
    4. Private key
  3. Save the certificate file.

Ensure that there are no blank spaces or blank lines in the certificate file.
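A layout check for the bundle described above, as an added example (not Aruba code): it joins the four parts in the documented order and reports blank lines, stray whitespace, malformed PEM blocks, or a misplaced private key. It checks structure only and cannot tell which certificate is the leaf, intermediate, or root; the function names and the placeholder PEM contents are assumptions made for the illustration.

```python
import base64
import re
PEM_LINE = re.compile(r"^-----(BEGIN|END) ([A-Z0-9 ]+)-----$")

def build_bundle(certificate, intermediate, root, private_key):
    """Join the four PEM texts in the documented order, without blank lines or stray spaces."""
    lines = []
    for part in (certificate, intermediate, root, private_key):
        lines += [ln.strip() for ln in part.splitlines() if ln.strip()]
    return "\n".join(lines) + "\n"

def check_bundle(text):
    """Return a list of layout problems; an empty list means the file follows the procedure."""
    problems, blocks, label, body = [], [], None, []
    text = text[:-1] if text.endswith("\n") else text  # one final newline is not a blank line
    for n, line in enumerate(text.split("\n"), start=1):
        if not line.strip():
            problems.append(f"line {n}: blank line")
            continue
        if line != line.strip():
            problems.append(f"line {n}: leading or trailing whitespace")
            line = line.strip()
        m = PEM_LINE.match(line)
        if m and m.group(1) == "BEGIN":
            if label is not None:
                problems.append(f"line {n}: BEGIN inside unclosed {label} block")
            label, body = m.group(2), []
        elif m:  # END line: close the block and make sure its body decodes
            if m.group(2) != label:
                problems.append(f"line {n}: END {m.group(2)} has no matching BEGIN")
            else:
                try:
                    blocks.append((label, base64.b64decode("".join(body), validate=True)))
                except ValueError:
                    problems.append(f"line {n}: {label} block is not valid base64")
            label = None
        elif label is None:
            problems.append(f"line {n}: text outside a PEM block")
        elif ":" not in line:  # skip legacy "Proc-Type:" / "DEK-Info:" key headers
            body.append(line)
    if label is not None:
        problems.append(f"unclosed {label} block at end of file")
    labels = [lbl for lbl, _ in blocks]
    certs = [der for lbl, der in blocks if lbl == "CERTIFICATE"]
    keys = [lbl for lbl in labels if lbl.endswith("PRIVATE KEY")]
    if len(certs) < 3:
        problems.append(f"need certificate, intermediate and root; found {len(certs)} certificate(s)")
    if len(keys) != 1:
        problems.append(f"need exactly one private key; found {len(keys)}")
    elif not labels[-1].endswith("PRIVATE KEY"):
        problems.append("private key must be the last block")
    return problems

def fake_pem(label, payload):
    """Constructed placeholder: PEM armor around arbitrary bytes, not a real certificate or key."""
    return f"-----BEGIN {label}-----\n{base64.b64encode(payload).decode()}\n-----END {label}-----\n"

LEAF = fake_pem("CERTIFICATE", b"constructed server certificate")
INTERMEDIATE = "\n" + fake_pem("CERTIFICATE", b"constructed intermediate certificate")  # stray blank line
ROOT = fake_pem("CERTIFICATE", b"constructed root certificate")
KEY = fake_pem("PRIVATE KEY", b"constructed private key")
if __name__ == "__main__":
    print(check_bundle(LEAF + INTERMEDIATE + ROOT + KEY))             # hand-pasted file
    print(check_bundle(build_bundle(LEAF, INTERMEDIATE, ROOT, KEY)))  # cleaned bundle
```

Confirming that the private key matches the certificate and that the chain verifies needs an X.509 parser and is outside this check.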

Installing Certificates on the Instant AP

Starting from Aruba Instant 8.7.0.0, certificates must be imported and assigned to an application to take effect. This allows you to install and use third-party certificates for specific applications. This feature is currently available only in Instant networks that are managed locally and is not supported in Central or AirWave deployments.

Certificates can be assigned to applications using the new WebUI or CLI. The old WebUI does not allow application assignment. Applications can be configured with one or more certificates, if required. In cluster configurations, certificate import and assignment can be carried out only on the master AP.

Central and AirWave deployments will continue to use the legacy method of installing certificates.

Since Central does not support this feature, ensure that the wlan cert-assignment-profile and the installed certificates are removed on the AP before connecting it to Central. The AP might fail to provision if the application assignment and certificates are not removed.

This section contains the following procedures:

Managing Certificates in the WebUI

The following procedures describe how to import, assign and remove certificates on the Instant AP using the WebUI.

Table 1: Loading Certificates in the WebUI

To import certificates to the Instant AP:

New WebUI:

  1. Navigate to the Maintenance > Certificates page.
  2. To upload a certificate, click Upload New Certificate. The New Certificate window is displayed.
  3. Click Browse and select the appropriate certificate file you want to upload.
  4. Enter a name for the certificate in the Certificate name text box.
  5. Select the certificate type from the Certificate type drop-down list. You can select any of the following certificate types:
    1. Public—Public key certificate
    2. Server—Server certificate
    3. Trusted CA—CA certificate to validate the identity of the client.
    4. Client—Client certificate
  6. Select the certificate format from the Certificate format drop-down list.
  7. If you have selected Public, Server, or Client as the Certificate Type, enter a passphrase in Passphrase and confirm the passphrase in the Retype Passphrase field. If the certificate does not include a passphrase, there is no passphrase required.
  8. Click Upload Certificate to complete the certificate upload.

Old WebUI:

  1. Click the Maintenance link located directly above the Search bar in the Instant main window.
  2. Click the Certificates tab. The Certificates tab contents are displayed.
  3. To upload a certificate, click Upload New Certificate. The New Certificate window is displayed.
  4. Browse and select the file to upload. Select any of the following types of certificates from the Certificate type drop-down list:
    1. CA—CA certificate to validate the identity of the client.
    2. Auth Server—The authentication server certificate to verify the identity of the server to the client.
    3. Captive portal server—Captive portal server certificate to verify the identity of internal captive portal server to the client.
    4. RadSec—The RadSec server certificate to verify the identity of the server to the client.
    5. RadSec CA—The RadSec CA certificate for mutual authentication between the Instant AP clients and the TLS server.
    6. WebUI—Customized certificate for WebUI management.
  5. Select the certificate format from the Certificate format drop-down list.
  6. If you have selected Auth Server, Captive portal server, WebUI, or RadSec as the type of certificate, enter a passphrase in Passphrase and retype the passphrase. If the certificate does not include a passphrase, there is no passphrase required.
  7. Click Browse and select the appropriate certificate file, and click Upload Certificate. The Certificate Successfully Installed message is displayed.

To assign a certificate to an application:

  1. Navigate to the Maintenance > Certificates page.
  2. Click Certificate Usage.
  3. Click the add icon to assign certificates to an application. The New Certificate Assignment window is displayed.
  4. Select the application to which you want to assign a certificate from the Application drop-down list.
  5. Select the certificate type from the Certificate type drop-down list.
  6. Select the certificate name from the Certificate name drop-down list.
  7. Click OK to assign the certificate to the application.

To delete a certificate assigned to an application:

  1. Navigate to the Maintenance > Certificates page.
  2. Click Certificate Usage.
  3. Select the certificate assignment you want to delete and click delete.
  4. Click OK to delete the certificate assignment.

NOTE:

The Instant AP database can have only one authentication server certificate and one captive portal server certificate at any point in time.

When a Captive Portal server certificate is uploaded with the WebUI option selected, the default management certificate on the Instant WebUI is also replaced by the Captive portal server certificate.

Certificates cannot be removed if they are assigned to an application. Therefore, ensure that you disassociate the certificate from an application before removing it.

Managing Certificates in the CLI

The following CLI command imports a certificate to the AP:

(Instant AP)#crypto pki-import

The following CLI command assigns certificates for an application:

(Instant AP)(config)#wlan cert-assignment-profile

The following CLI command removes a certificate from an AP:

(Instant AP)#crypto pki-remove

The following CLI command shows certificates installed on the AP:

(Instant AP)#show cert assignment

Loading Certificates Through AirWave

You can manage certificates using AirWave. The AMP (AirWave Management Platform) directly provisions the certificates and performs basic certificate verification (such as certificate type, format, version, serial number, and so on) before accepting the certificate and uploading to an Instant AP network. The AMP packages the text of the certificate into an HTTPS message and sends it to the virtual controller. After the virtual controller receives this message, it draws the certificate content from the message, converts it to the right format, and saves it on the RADIUS server.

To load a certificate in AirWave:

  1. Navigate to Device Setup > Certificates and then click Add to add a new certificate. The Certificate window is displayed.
  2. Enter the certificate Name, and click Choose File to browse and upload the certificate.
  3. Select the appropriate Format that matches the certificate filename.
  4. Select Server Cert for certificate Type, and provide the passphrase if you want to upload a server certificate.
  5. Select either Intermediate CA or Trusted CA certificate Type, if you want to upload a CA certificate.
  6. After you upload the certificate, navigate to Groups, click the Instant Group and then select Basic. The Group name is displayed only if you have entered the Organization name in the WebUI. For more information, see Configuring Organization String.

    The Virtual Controller Certificate section displays the certificates (CA cert and Server).

  7. Click Save to apply the changes only to AirWave. Click Save and Apply to apply the changes to the Instant AP.
  8. To clear the certificate options, click Revert.

Loading Customized Certificates from AirWave

AirWave also provides users with the option of uploading customized certificates on the Instant AP. The customized certificate is uploaded on AirWave and then pushed to the Instant AP from the AirWave UI.

  • Before uploading the new customized certificate, ensure that you uninstall any existing customized certificates on the Instant AP:

(Instant AP)# clear-cert-airwaveca

  • Upload the customized certificate to AirWave and push it to the Instant AP. Refer to Loading Certificates Through AirWave.
  • Once the new customized certificate is uploaded to the Instant AP, verify the certificate installation using the following command:

(Instant AP)# show ap checksum

Perform these steps after you have verified that the new customized certificate is successfully installed on the Instant AP:

  1. Delete the PSK configuration from the Instant AP using the following command:

    (Instant AP)(config)# no ams-key

  2. Add a DNS server and link the AMP IP address with the domain name of the new customized certificate.
  3. Configure the AMP IP address:

    (Instant AP)(config)# ams-ip <domain_name>

  4. In the AirWave UI, navigate to AMP Setup > General > Aruba Instant Options > Change SSL Change and click Change. Ensure you delete the ams-key for cert-only mode or cert and psk mode.
  5. Add the Instant AP to AMP again.

Automatic Update of CA Certificate Bundle

Starting from Instant 8.7.0.0, the CA certificate bundle on the AP is updated automatically when a new version of CA certificate bundle is available on Activate. In addition to automatic update, a new CLI command is introduced to manually trigger the update. The CA certificate bundle update can only be triggered using the CLI.

The following CLI command triggers the CA certificate bundle upgrade on the AP:

(Instant AP)# ca-bundle update

The following CLI command displays the version details of CA certificate bundle on the AP:

(Instant AP)# show ca-bundle version

The following CLI command displays the upgrade status of the CA certificate bundle:

(Instant AP)# show ca-bundle upgrade status

The following CLI command resets the CA certificate bundle to the factory default version:

(Instant AP)# ca-bundle reset
