aruba_networks:controller:managing_certificates
aruba_networks:controller:managing_certificates [2020/10/18 22:00] – hvillanueva | aruba_networks:controller:managing_certificates [2020/10/18 22:20] (current) – hvillanueva | ||
---|---|---|---|
Line 57: | Line 57: | ||
===== Obtaining a Client Certificate ===== | ===== Obtaining a Client Certificate ===== | ||
- | You can use the CSR generated on the controller to obtain a certificate for a client. However, since there may be a large number of clients in a network, you typically obtain client certificates from a corporate CA server. For example, in a browser window, enter http://< | + | You can use the CSR generated on the controller to obtain a certificate for a client. However, since there may be a large number of clients in a network, you typically obtain client certificates from a corporate CA server. For example, in a browser window, enter: |
+ | {{: | ||
===== Importing Certificates ===== | ===== Importing Certificates ===== | ||
- | |||
Use the WebUI or the CLI to import certificates into the controller. | Use the WebUI or the CLI to import certificates into the controller. | ||
{{: | {{: | ||
+ | |||
+ | You can import the following types of certificates into the controller: | ||
+ | |||
+ | - Server certificate signed by a trusted CA. This includes a public and private key pair. | ||
+ | |||
+ | - CA certificate used to validate other server or client certificates. This includes only the public key for the certificate. | ||
+ | |||
+ | - Client certificate and client’s public key. (The public key is used for applications such as SSH which does not support X509 certificates and requires the public key to verify an allowed certificate.) | ||
+ | |||
+ | Certificates can be in the following formats: | ||
+ | |||
+ | - X509 PEM unencrypted | ||
+ | |||
+ | - X509 PEM encrypted with a key | ||
+ | |||
+ | - DER | ||
+ | |||
+ | - PKCS7 encrypted | ||
+ | |||
+ | - PKCS12 encrypted | ||
+ | |||
+ | ===== In the WebUI ===== | ||
+ | |||
+ | 1. Navigate to the Configuration > Management > Certificates > Upload page. | ||
+ | |||
+ | 2. For Certificate Name, enter a user-defined name. | ||
+ | |||
+ | 3. For Certificate Filename, click Browse to navigate to the appropriate file on your computer. | ||
+ | |||
+ | 4. If the certificate is encrypted, enter the passphrase. | ||
+ | |||
+ | 5. Select the Certificate Format from the drop-down menu. | ||
+ | |||
+ | 6. Select the Certificate Type from the drop-down menu. | ||
+ | |||
+ | 7. Click Upload to install the certificate in the controller. | ||
+ | |||
+ | ===== In the CLI ===== | ||
+ | |||
+ | Use the following command to import CSR certificates: | ||
+ | |||
+ | crypto pki-import {der|pem|pfx|pkcs12|pkcs7} {PublicCert|ServerCert|TrustedCA} < | ||
+ | |||
+ | The following example imports a server certificate named cert_20 in DER format: | ||
+ | |||
+ | crypto pki-import der ServerCert cert_20 | ||
+ | |||
+ | ===== Viewing Certificate Information ===== | ||
+ | |||
+ | In the WebUI, the Certificate Lists section of the page lists the certificates that are currently installed in the controller. Click View to display the contents of a certificate. | ||
+ | |||
+ | To view the contents of a certificate with the CLI, use the following commands: | ||
+ | |||
+ | {{: | ||
+ | |||
+ | ===== Imported Certificate Locations ===== | ||
+ | |||
+ | Imported certificates and keys are stored in the following locations in flash on the controller: | ||
+ | |||
+ | |||
+ | {{: | ||
+ | |||
+ | ===== Checking CRLs ===== | ||
+ | |||
+ | A CA maintains a CRL that contains a list of certificates that have been revoked before their expiration date. Expired client certificates are not accepted for any user-centric network service. Certificates may be revoked because certificate key has been compromised or the user specified in the certificate is no longer authorized to use the key. | ||
+ | |||
+ | When a client certificate is being authenticated for a user-centric network service, the controller checks with the appropriate CA to make sure that the certificate has not been revoked. | ||
+ | |||
+ | {{: | ||
+ | |||
+ | ==== Certificate Expiration Alert ==== | ||
+ | |||
+ | The certificate expiration alert sends alerts when installed certificates, | ||
+ | |||
+ | - wlsxCertExpiringSoon | ||
+ | |||
+ | - wlsxCertExpired | ||
+ | |||
+ | ===== Chained Certificates on the RAP ===== | ||
+ | |||
+ | Chained certificates on the RAP (that is, certificates from a multi-level PKI) need to be in a particular order inside the file. The RAP’s certificate must be first, followed by the certificate chain in order, and then followed by the private key for the certificate. For example, with a root CA, a single intermediate CA, and a root CA, the PEM or PKCS12 file must contain the following parts, in this order: | ||
+ | |||
+ | - RAP Certificate | ||
+ | |||
+ | - Intermediate CA | ||
+ | |||
+ | - Root CA | ||
+ | |||
+ | - Private key | ||
+ | |||
+ | {{: | ||
+ | |||
+ | ===== Support for Certificates on USB Flash Drives ===== | ||
+ | |||
+ | This release now supports the USB storing of the RAP certificate. This ensures that the RAP certificate is activated only when the USB with the corresponding certificate is connected to the RAP. Likewise, the RAP certificate is deactivated when the USB is removed from the RAP. In this case, the USB that is connected to the RAP is an actual storage device and does not act as a 3G/4G RAP. | ||
+ | |||
+ | The RAP supports only PKCS12-encoded certificates that are present in the USB. This certificate contains all the information that is required for creating the tunnel including the private key, RAP certificate with the chain of certificates and the trusted CA certificate. There is a limit of three supported intermediate CAs and the common name for the RAP certificate must be the MAC address of the RAP in the colon format. | ||
+ | |||
+ | {{: | ||
+ | |||
+ | ===== Marking the USB Device Connected as a Storage Device ===== | ||
+ | |||
+ | If the AP provisioning parameter “usb-type” contains the value “storage, | ||
+ | |||
+ | ===== RAP Configuration Requirements ===== | ||
+ | |||
+ | The RAP needs to have one additional provisioning parameter, the pkcs12_passphrase, | ||
+ | |||
+ | {{: | ||
+ | |||
+ | When the RAP successfully extracts all the information including the CA certificate, |
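Review bot: in the "Chained Certificates on the RAP" paragraph, the example "with a root CA, a single intermediate CA, and a root CA" names the root CA twice, while the ordered list that follows starts with "RAP Certificate"; it should read "with a RAP certificate, a single intermediate CA, and a root CA" so the sentence matches the list (RAP certificate, intermediate CA, root CA, private key). In the "In the CLI" section, the lead-in says "import CSR certificates", but the command shown takes {PublicCert|ServerCert|TrustedCA} and the example imports a server certificate, so "import certificates" is the accurate wording. Several rows in this revision are cut off at an angle bracket or comma in this view (the `crypto pki-import ... <` syntax line, the "usb-type" sentence ending at "storage,", and the "pkcs12_passphrase," sentence), so the filename argument and the rest of those sentences should be checked in the saved page to confirm they survived the edit.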
aruba_networks/controller/managing_certificates.1603076408.txt.gz · Last modified: 2020/10/18 22:00 by hvillanueva