By default, Aruba Central includes a self-signed certificate that is available on the Certificates page. The default certificate is not signed by a root certificate authority (CA Certificate Authority or Certification Authority. Entity in a public key infrastructure system that issues certificates to clients. A certificate signing request received by the CA is converted into a certificate when the CA adds a signature generated with a private key. See digital certificate.). For devices to validate and authorize Aruba Central, administrators must upload a valid certificate signed by a root CA.

Aruba devices use digital certificates A digital certificate is an electronic document that uses a digital signature to bind a public key with an identity—information such as the name of a person or an organization, address, and so forth. for authenticating a client's access to user-centric network services. Most devices such as controllers and Instant APs include a server certificate by default for captive portal A captive portal is a web page that allows the users to authenticate and sign in before connecting to a public-access network. Captive portals are typically used by business centers, airports, hotel lobbies, coffee shops, and other venues that offer free Wi-Fi hotspots for the guest users. server authentication. However, Aruba recommends that you replace the default certificate with a custom certificate issued for your site or domain by a trusted CA. Certificates can be stored locally on the devices and used for validating device or user identity during authentication.

Aruba Central-managed devices such as Instant AP and switches support the following root CA certificates:

Instant APs


  • AddTrust
  • GeoTrust
  • VeriSign
  • Go Daddy
  • Comodo
  • GeoTrust

Uploading Certificates

To upload certificates, complete the following steps:

  1. In the Aruba Central app, set the filter to Global.
  2. Under Maintain, click Organization.

    By default, the Network Structure tab is displayed.

  3. Click the Certificates tile.

    The CERTIFICATES page is displayed.

  4. Click the plus icon to add a certificate to the certificate store.
  5. In the ADD CERTIFICATES dialog box, do the following:
    1. In the Name text box, enter the certificate name.
    2. From the Type drop-down list, select the type of certificate. You can select any one of the following certificates:
    3. From the Format drop-down list, select a certificate format; for example, PEM, DER, and PKCS12.
    4. In the Passphrase text box, enter a passphrase.
    5. In the Retype Passphrase text box, retype the passphrase for confirmation.

      The Passphrase and Retype Passphrase text boxes are displayed only when you select Server Certificate from the Type drop-down list.

    6. In the Certificate File field, click Choose file and select the certificate files.
    7. Click Add. The certificate is added to the Certificate Store.

Managing Certificates on Instant APs Configured Using Templates

Aruba Central supports uploading multiple certificates to Instant APs configured using templates. You can manage certificates either from the Aruba Central UI or through the API Application Programming Interface. Refers to a set of functions, procedures, protocols, and tools that enable users to build application software. Gateway. For more information about APIs, see API Documentation.

To push certificates to Instant APs configured using templates:

  1. Upload the certificates through one of the following methods:
  2. Get the certificate name and MD5 Message Digest 5. The MD5 algorithm is a widely used hash function producing a 128-bit hash value from the data input. checksum through one of the following methods:
    • UI—Follow the steps listed below:

      1. In the Aruba Central app, set the filter to All Devices.
      2. Under Maintain, click Organization and select the Certificates tab.

        The Certificate Store table displays these details.

    • API—Use the [GET] /configuration/v1/certificates API.
  3. In the template, anywhere before the per-ap settings block, depending on your requirement, add one or more of the following commands:
    ca-cert-checksum <ca_cert_checksum/ca_cert_name> cp-cert-checksum <captive_portal_cert_checksum/captive_portal_cert_name> radsec-ca-checksum <radsed_ca_checksum/radsed_ca_name> radsec-cert-checksum <radsed_cert_checksum/radsed_cert_name> server-cert-checksum <server_cert_checksum/server_cert_name>

    You can either use the certificate name or the checksum value in the command. Or, you can set it as a variable and enter the variable value for the Instant AP. Aruba recommends using the certificate name.

Example 1

ca-cert-checksum my_default_cert

Example 2

ca-cert-checksum %ca_cert_name% variable: { "ca_cert_name": "my_default_cert" }