aruba_networks:controller:managing_certificates

Differences

This shows you the differences between two versions of the page.

aruba_networks:controller:managing_certificates [2020/10/18 22:04] hvillanueva
aruba_networks:controller:managing_certificates [2020/10/18 22:20] (current) hvillanueva
Line 57: Line 57:
 ===== Obtaining a Client Certificate ===== ===== Obtaining a Client Certificate =====
  
-You can use the CSR generated on the controller to obtain a certificate for a client. However, since there may be a large number of clients in a network, you typically obtain client certificates from a corporate CA server. For example, in a browser window, enter http://<ipaddr> /crtserv, where <ipaddr> is the IP address of the CA server.+You can use the CSR generated on the controller to obtain a certificate for a client. However, since there may be a large number of clients in a network, you typically obtain client certificates from a corporate CA server. For example, in a browser window, enter: 
 +{{:aruba_networks:controller:aruba4.png?600|}}
  
  
 ===== Importing Certificates ===== ===== Importing Certificates =====
  
 +Use the WebUI or the CLI to import certificates into the controller.
  
 +{{:aruba_networks:controller:aruba3.png?600|}}
 +
 +You can import the following types of certificates into the controller:
 +
 +- Server certificate signed by a trusted CA. This includes a public and private key pair.
 +
 +- CA certificate used to validate other server or client certificates. This includes only the public key for the certificate.
 +
 +- Client certificate and client’s public key. (The public key is used for applications such as SSH which does not support X509 certificates and requires the public key to verify an allowed certificate.)
 +
 +Certificates can be in the following formats:
 +
 +- X509 PEM unencrypted
 +
 +- X509 PEM encrypted with a key
 +
 +- DER
 +
 +- PKCS7 encrypted
 +
 +- PKCS12 encrypted
 +
 +===== In the WebUI =====
 +
 +1. Navigate to the Configuration > Management > Certificates > Upload page.
 +
 +2. For Certificate Name, enter a user-defined name.
 +
 +3. For Certificate Filename, click Browse to navigate to the appropriate file on your computer.
 +
 +4. If the certificate is encrypted, enter the passphrase.
 +
 +5. Select the Certificate Format from the drop-down menu.
 +
 +6. Select the Certificate Type from the drop-down menu.
 +
 +7. Click Upload to install the certificate in the controller.
 +
 +===== In the CLI =====
 +
 +Use the following command to import CSR certificates:
 +
 +crypto pki-import {der|pem|pfx|pkcs12|pkcs7} {PublicCert|ServerCert|TrustedCA} <name>
 +
 +The following example imports a server certificate named cert_20 in DER format:
 +
 +crypto pki-import der ServerCert cert_20
 +
 +===== Viewing Certificate Information =====
 +
 +In the WebUI, the Certificate Lists section of the page lists the certificates that are currently installed in the controller. Click View to display the contents of a certificate.
 +
 +To view the contents of a certificate with the CLI, use the following commands:
 +
 +{{:aruba_networks:controller:aruba_managing_certificates_-_certificates_show_commands.png?600|}}
 +
 +===== Imported Certificate Locations =====
 +
 +Imported certificates and keys are stored in the following locations in flash on the controller:
 +
 +
 +{{:aruba_networks:controller:aruba_managing_certificates_-_imported_certificate_locations.png?600|}}
 +
 +===== Checking CRLs =====
 +
 +A CA maintains a CRL that contains a list of certificates that have been revoked before their expiration date. Expired client certificates are not accepted for any user-centric network service. Certificates may be revoked because certificate key has been compromised or the user specified in the certificate is no longer authorized to use the key.
 +
 +When a client certificate is being authenticated for a user-centric network service, the controller checks with the appropriate CA to make sure that the certificate has not been revoked.
 +
 +{{:aruba_networks:controller:aruba_crls.png?600|}}
 +
 +==== Certificate Expiration Alert ====
 +
 +The certificate expiration alert sends alerts when installed certificates, which correspond to trust chains, OCSP responder certificates, and any other certificates installed on the device. By default, the system sends this alert 60 days before the expiration of the installed credentials. This alert is then repeated periodically on a weekly or biweekly basis. This alerts consist of two SNMP traps:
 +
 +- wlsxCertExpiringSoon
 +
 +- wlsxCertExpired
 +
 +===== Chained Certificates on the RAP =====
 +
 +Chained certificates on the RAP (that is, certificates from a multi-level PKI) need to be in a particular order inside the file. The RAP’s certificate must be first, followed by the certificate chain in order, and then followed by the private key for the certificate. For example, with a root CA, a single intermediate CA, and a root CA, the PEM or PKCS12 file must contain the following parts, in this order:
 +
 +- RAP Certificate
 +
 +- Intermediate CA
 +
 +- Root CA
 +
 +- Private key
 +
 +{{:aruba_networks:controller:aruba_certificates_rap.png?600|}}
 +
 +===== Support for Certificates on USB Flash Drives =====
 +
 +This release now supports the USB storing of the RAP certificate. This ensures that the RAP certificate is activated only when the USB with the corresponding certificate is connected to the RAP. Likewise, the RAP certificate is deactivated when the USB is removed from the RAP. In this case, the USB that is connected to the RAP is an actual storage device and does not act as a 3G/4G RAP.
 +
 +The RAP supports only PKCS12-encoded certificates that are present in the USB. This certificate contains all the information that is required for creating the tunnel including the private key, RAP certificate with the chain of certificates and the trusted CA certificate. There is a limit of three supported intermediate CAs and the common name for the RAP certificate must be the MAC address of the RAP in the colon format.
 +
 +{{:aruba_networks:controller:aruba_certificates_rap2.png?600|}}
 +
 +===== Marking the USB Device Connected as a Storage Device =====
 +
 +If the AP provisioning parameter “usb-type” contains the value “storage,” this indicates that the RAP will retrieve certificates from the connected USB flash drive.
 +
 +===== RAP Configuration Requirements =====
 +
 +The RAP needs to have one additional provisioning parameter, the pkcs12_passphrase, which can be left untouched or can store an ACSII string. The string assigned to this parameter is used as the passphrase for decoding the private key stored.
 +
 +{{:aruba_networks:controller:aruba_certificates_rap3.png?600|}}
 +
 +When the RAP successfully extracts all the information including the CA certificate, the RAP certificate and the RAP private key using the passphrase from the provisioning parameter, it successfully establishes the tunnel.
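Review bot: in the "Chained Certificates on the RAP" paragraph the example "with a root CA, a single intermediate CA, and a root CA" contradicts both the preceding sentence (the RAP's certificate must be first in the file) and the four-item list that follows it; the first item should be the RAP certificate, i.e. "with a RAP certificate, a single intermediate CA, and a root CA". Two wording defects in the same hunk: the opening sentence of "Certificate Expiration Alert" has no main clause ("sends alerts when installed certificates, which correspond to trust chains, OCSP responder certificates, and any other certificates installed on the device." needs something like "are about to expire" before the full stop) and "This alerts consist of two SNMP traps" should read "These alerts consist of two SNMP traps"; in "RAP Configuration Requirements", "ACSII string" should be "ASCII string". Finally, the change at the top of the hunk replaces the text "enter http://<ipaddr> /crtserv, where <ipaddr> is the IP address of the CA server" with only the aruba4.png screenshot, so the URL form is no longer searchable or copyable text; consider keeping that sentence alongside the image.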
aruba_networks/controller/managing_certificates.1603076695.txt.gz · Last modified: 2020/10/18 22:04 by hvillanueva
