Generating certificates for an Aruba Instant AP using pfSense

Aruba Instant APs allow users to upload their own certificates which can be useful when trying to get rid of browser warnings regarding untrusted HTTPS connections.

Creating and uploading certificate authority

On the System / Certificates / Authorities page, click the Add button to create a new CA. This opens the CA edit page. Here the method must be set to Create an internal Certificate Authority. The remaining settings can either be left as they are or are straightforward to fill in.

With the CA created, it can be exported from the System / Certificates / Authorities page and then uploaded to the Aruba IAP on the Maintenance / Certificates page.

Creating an intermediate certificate authority

The next step is to create an intermediate CA, which is needed by the Aruba IAP. An intermediate CA is created in a similar way to a normal CA, except that the method needs to be set to Create an intermediate Certificate Authority.

This adds a drop down to select the Signing Certificate Authority. Here, the CA created in the previous step needs to be selected.

The newly created intermediate CA can then be exported for use in the following steps.

Creating a server certificate

A certificate can now be created under System / Certificates / Certificates, using the Add/sign button. On the new certificate settings page, a few options must be configured.

First, the certificate authority must be set to the intermediate CA created in the previous step.

Secondly, the type of certificate is to be set to Server.

Finally, either the FQDN or IP at which the Aruba IAP is to be accessed needs to be registered under Alternative Names.

Once created, the certificate can be exported, alongside its key.

Certificate format conversion

The server certificate exported in the previous step cannot be uploaded as is to the Aruba IAP. The content of the exported key and intermediate CA must be added to it. This can be done with a text editor. The resulting content should match the following structure:

-----BEGIN PRIVATE KEY-----
Key
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
Server certificate
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Intermediate CA
-----END CERTIFICATE-----
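
The concatenation described above can also be scripted instead of done by hand in a text editor. The following Python is an added example, not part of the original post: it takes the text of the three pfSense exports, normalises line endings and builds the bundle in the required order. The `fake_pem` helper produces constructed placeholder blocks (not real keys or certificates), and the checks cover PEM framing and order only, not whether the key matches the certificate.

```python
import base64
import re

# One PEM block; the label is captured so the block type can be checked.
PEM_RE = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*\n(.*?)\n\s*-----END \1-----", re.S)

def pem_blocks(text):
    """Return [(label, normalised_block)] for every PEM block in text."""
    text = text.replace("\r\n", "\n").replace("\r", "\n")
    blocks = []
    for label, body in PEM_RE.findall(text):
        b64 = "".join(body.split())
        base64.b64decode(b64, validate=True)  # raises on a damaged body
        lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
        blocks.append((label, "\n".join(
            [f"-----BEGIN {label}-----", *lines, f"-----END {label}-----"])))
    return blocks

def single(text, label, what):
    """Require exactly one PEM block of the given type in an exported file."""
    found = pem_blocks(text)
    labels = [lbl for lbl, _ in found]
    if labels != [label]:
        raise ValueError(f"{what}: expected one {label} block, got {labels}")
    return found[0][1]

def build_bundle(key_pem, server_pem, intermediate_pem):
    """Assemble key, server certificate, intermediate CA, in that order."""
    parts = [single(key_pem, "PRIVATE KEY", "key"),
             single(server_pem, "CERTIFICATE", "server certificate"),
             single(intermediate_pem, "CERTIFICATE", "intermediate CA")]
    if parts[1] == parts[2]:
        raise ValueError("server certificate and intermediate CA are identical")
    return "\n".join(parts) + "\n"

def fake_pem(label, payload):
    # Constructed sample data: valid PEM framing around placeholder bytes,
    # not a real key or certificate.
    body = base64.encodebytes(payload).decode()
    return f"-----BEGIN {label}-----\n{body}-----END {label}-----\n"

if __name__ == "__main__":
    key = fake_pem("PRIVATE KEY", b"k" * 100).replace("\n", "\r\n")  # CRLF export
    bundle = build_bundle(key, fake_pem("CERTIFICATE", b"s" * 100),
                          fake_pem("CERTIFICATE", b"i" * 100))
    print([lbl for lbl, _ in pem_blocks(bundle)])
```

The resulting file contains the unencrypted private key, so write it with restrictive permissions and delete it once it has been uploaded.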

Uploading the certificate to the Aruba IAP

The modified server certificate can now be uploaded to the Aruba IAP. This is done in the same way as for the CA, except that the certificate type must be set to Server.

Registering the Certificate for use with the Web GUI

Now that the certificate and the CA have been uploaded to the Aruba IAP, the Web UI can be configured to use them for HTTPS. To do so, click the + button under Certificate Usage. From there, select Web UI from the application drop-down, Server as Certificate type and the uploaded certificate as Certificate name.

With that done, the Web UI should now use the certificate generated in pfSense, which can help get rid of security warnings from the browser.
