Managing Certificates

After installing AirWave, you can install an SSL certificate on the AMP server from the AMP CLI, or generate a CSR there and install the signed certificate your CA returns. Some certificate management tasks can be done only from the AMP CLI, while others can be done from the WebUI. The tasks are described in the following topics:

Uploading Certificates

AirWave can help you manage your certificates when you upload them to the AirWave server. AirWave verifies basic certificate information before accepting the certificate and pushing it to a device.

WebUI

You can upload the following certificates from the WebUI:

  • CRL
  • Intermediate Certificate Authority (CA)
  • Online Certificate Status Protocol (OCSP) Responder
  • OCSP Signer
  • Public certificates
  • Server certificates
  • Trusted CA certificates
  • Captive Portal (CP) certificates

After you upload a certificate to AirWave, the certificate file becomes available on the other pages where certificate files are selected, including AMP Setup > Authentication and Groups > Basic > Certificates. To install a CA-signed certificate on the AMP server itself, see Installing Signed Certificates; to regenerate the server's own self-signed certificate, see Regenerating Self-Signed Certificates.

For example, Figure 1 shows a certificate named IAP CP Cert being added. You can later select this certificate for an IAP by navigating to the Groups > Basic page of the device group that contains the IAPs.

To add a certificate:

  1. Go to Device Setup > Certificates, then click Add.

Figure 1  Adding a Captive Portal Certificate

  2. Enter a name for the certificate.
  3. Click Choose File to find your local copy of the certificate.
  4. Enter the passphrase, if any, and re-enter the passphrase.
  5. Select the format that matches the certificate file.
  6. Select the certificate type.
  7. Click Add.

AMP CLI

  1. From the AMP CLI, enter 3-4 to open the Configuration > Certificates menu.

Figure 2  Opening the Certificates Menu

  2. Enter 1 to open the Add SSL Certificate menu.

Figure 3  Opening the Add SSL Certificate Menu

  3. Follow the prompts to install the SSL certificate on your AirWave server. The signed certificate must be in PKCS12 format, with a *.pfx or *.p12 file extension.

Changing the SSL Certificate for HPE Aruba Networking Instant Mode

To use certificate-based authentication, you must upload to the AMP server a certificate issued by one of the supported certificate authorities (CAs) listed below; otherwise the SSL handshake fails. You must also configure the AMP address on the Instant Mode AP as a domain name, not an IP address, because the AP validates the server certificate against the name it connects to. For more information about security methods for Aruba Instant, see HPE Aruba Networking Instant Mode Settings.

AirWave supports the following trusted CA chains:

  • Chain 1
    Trusted Root CA: C=SE, O=AddTrust AB, OU=AddTrust External TTP Network, CN=AddTrust External CA Root
    Intermediate CA: C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO High-Assurance Secure Server CA
  • Chain 2
    Trusted Root CA: C=US, O=GeoTrust Inc., CN=GeoTrust Global CA
    Intermediate CA: C=US, O=Google Inc, CN=Google Internet Authority G2
  • Chain 3
    Trusted Root CA: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. - For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority - G5
    Intermediate CA: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Secure Server CA - G3
  • Root CA only
    Trusted Root CA: C=US, O=Equifax, OU=Equifax Secure Certificate Authority

Note that several of these roots (AddTrust External CA Root, Equifax Secure Certificate Authority and GeoTrust Global CA) have since expired, so a certificate chaining to them will no longer validate on current clients. Before purchasing a certificate, check the chain your CA will issue against the list above and confirm with HPE Aruba Networking which chains your AirWave release accepts.

To change the certificate for Aruba Instant device authentication:

  1. Go to AMP Setup > General, then scroll down to HPE Aruba Networking Instant Mode Options.
  2. Select PSK and Certificate or Certificate only.

Figure 4  Selecting a Certificate Authentication Option

  3. Click Change to select the certificate file to upload to the AMP server. The file must be in PEM format and must include the private key along with the certificate.
  4. Click Upload.

Generating Certificate Signing Requests (CSRs)

To generate a CSR for the AirWave server so that a CA can issue its certificate:

  1. From the AMP CLI, enter 3-4-2 to open the Configuration > Certificates > Generate Certificate Signing Request menu.
  2. Enter 2 to generate a CSR.

Figure 5  Opening the Generate Certificate Signing Request Menu

  3. Follow the prompts to enter the data associated with the organization:
    1. 2-letter country code
    2. State or province
    3. Locality or city
    4. Organization or company
    5. Organization unit or department
    6. Common name or server host name
    7. Email address
    8. Fully qualified DNS name
    9. IP addresses

Figure 6  Entering Certificate Data

  4. Enter a to accept the changes and save the data.
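The following OpenSSL session is an added example; it is not part of AirWave or its documentation, and the AMP CLI does not expose these commands. It builds a key and CSR carrying the same fields the CLI prompts for, putting the fully qualified DNS name and the IP addresses into the subjectAltName extension, which is what TLS clients actually match against (a common name alone is not enough for modern clients), and then checks the CSR the way a CA would before you submit it. The hostname, addresses, organization values and working directory are placeholders.

```shell
#!/bin/sh
# Added example, not AirWave's own tooling: build a CSR carrying the same
# fields the AMP CLI prompts for, then check it before sending it to a CA.
# The FQDN and IP addresses go into subjectAltName, which is what TLS
# clients match against; a CN alone is not enough for modern clients.
# Every name, address and organization value here is a placeholder.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl is required" >&2; exit 1; }

WORKDIR="${WORKDIR:-$(mktemp -d)}"
FQDN="amp.example.com"
IPS="192.0.2.10,198.51.100.10"

# Build "DNS:<fqdn>,IP:<a>,IP:<b>" for the subjectAltName extension.
san_value() {
    printf 'DNS:%s' "$FQDN"
    for ip in $(printf '%s' "$IPS" | tr ',' ' '); do
        printf ',IP:%s' "$ip"
    done
    printf '\n'
}

# Write the request config; prompt=no takes the subject from [dn] as-is.
write_config() {
    cat > "$WORKDIR/csr.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
req_extensions = ext
[dn]
C = US
ST = California
L = Sunnyvale
O = Example Corp
OU = Network Operations
CN = $FQDN
emailAddress = netops@example.com
[ext]
subjectAltName = $(san_value)
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
}

generate_csr() {
    write_config
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$WORKDIR/amp.key" 2>/dev/null
    chmod 600 "$WORKDIR/amp.key"          # the private key never leaves this host
    openssl req -new -sha256 -key "$WORKDIR/amp.key" \
        -config "$WORKDIR/csr.cnf" -out "$WORKDIR/amp.csr" 2>/dev/null
}

# What the CA will see: the self-signature must verify, the SAN must list
# the FQDN and every IP address, and the CN must equal the FQDN.
check_csr() {
    openssl req -in "$WORKDIR/amp.csr" -noout -verify >/dev/null 2>&1 || return 1
    text=$(openssl req -in "$WORKDIR/amp.csr" -noout -text)
    printf '%s\n' "$text" | grep -q "DNS:$FQDN" || return 1
    for ip in $(printf '%s' "$IPS" | tr ',' ' '); do
        printf '%s\n' "$text" | grep -q "IP Address:$ip" || return 1
    done
    printf '%s\n' "$text" | grep -q "CN *= *$FQDN" || return 1
    return 0
}

generate_csr
if check_csr; then
    echo "CSR ready to submit: $WORKDIR/amp.csr"
else
    echo "CSR check failed" >&2
    exit 1
fi
```

Only amp.csr is sent to the CA; amp.key stays on the server, which is why it is created locally and made readable only by its owner. Running `openssl req -noout -text` on the CSR is also the quickest way to confirm that the names you typed into the CLI prompts ended up in the request before you pay for a certificate.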

Setting Up Certificate Authentication

On the AMP Setup > Authentication page, you can specify whether to use two-factor authentication. With two-factor authentication, the AirWave user name and password and a PEM-encoded certificate bundle are both required. When the certificate is protected by a PIN, AirWave prompts you to enter it.

  • This feature must be enabled per role in AMP Setup > Roles.
  • When entering the PEM bundle, you must include every certificate in the chain provided by your CA (each intermediate as well as the root); authentication fails if any member of the chain is missing.

To set up certificate authentication:

  1. Go to AMP Setup > Authentication.
  2. Select Yes to enable certificate authentication. Once enabled, certificate authentication options will display.
  3. Select Yes to turn on the Use Two-factor Authentication option.
  4. Enter your PEM certificate bundle in the text field. For example, Figure 7 shows a bundle of two intermediate certificates and two root certificates, with a root certificate at the top of the chain.

Figure 7  Two-Factor Authentication Configuration Example

  5. Scroll to the bottom of the page, then click Save.

Disabling the Certificate Authentication Requirement

If you want to use local database authentication instead, turn off the certificate authentication requirement but still add your PEM bundle. Even with the requirement disabled, a user who presents a certificate is still validated against the bundle, including OCSP validation.

To disable certificate authentication:

  1. From the WebUI, go to AMP Setup > Authentication, then select Yes to enable certificate authentication.
  2. For the Require Certificate Authentication option, select No.
  3. Enter your PEM certificate bundle in the text field.

Figure 8  Entering the PEM Certificate Bundle

  4. Scroll down, then click Save.

Installing Signed Certificates

Before you install the signed certificate, submit the CSR created in Generating Certificate Signing Requests (CSRs) to a third-party certificate authority (CA), then copy the certificate the CA returns to the AirWave server.

To install the signed certificate:

  1. From the AMP CLI, enter 3-4-3 to open the Configuration > Certificates > Install Signed Certificate menu.

Figure 9  Opening the Install Signed Certificate Menu

  2. Follow the prompt to select the certificate, then press Enter. The signed certificate must be PEM-encoded, with a *.crt file extension.

Regenerating Self-Signed Certificates

AirWave automatically generates a self-signed certificate during installation and again whenever the host name is changed from the CLI. If you need to regenerate the self-signed certificate for any other reason, you can do so on AMP from the CLI.

To regenerate the self-signed certificate:

  1. From the AMP CLI, enter 3-4-4 to open the Configuration > Certificates > Regenerate Self-Signed Certificate menu.

Figure 10   Opening the Regenerate Self-Signed Certificate Menu

  2. Enter y when prompted.

Adding DTLS Certificates

DTLS certificates are used to encrypt AMON traffic sent to your AMP server.

To install the DTLS certificate:

  1. From the AMP CLI, enter 3-4-5 to open the Configuration > Certificates > Add DTLS Certificate menu.

Figure 11  Opening the Add DTLS Certificate Menu

  2. Follow the prompt to select the certificate, then press Enter. The signed certificate must be in PKCS12 format, with a *.pfx or *.p12 file extension, and must contain the private key, the root certificate and the intermediate certificates.
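The following OpenSSL session is an added example and not part of AirWave or its documentation. It stands in for your real CA with a throwaway two-tier chain (root, issuing CA, server certificate) and then produces the three file layouts the procedures on this page ask for: the PEM file with certificate and private key used for HPE Aruba Networking Instant Mode, the PEM bundle holding every member of the chain used for two-factor authentication, and the PKCS12 file containing the key, the certificate and the chain used by the Add SSL Certificate and Add DTLS Certificate menus. The checks at the end are the ones worth running before an upload: whether the key really belongs to the certificate, whether the bundle is complete enough to chain the leaf to the root, and whether the .p12 carries all three certificates. Names, the working directory and the passphrase are placeholders.

```shell
#!/bin/sh
# Added example, not AirWave's own tooling. A throwaway two-tier CA
# (root -> issuing CA -> server) stands in for your real CA, and the
# script then produces the packages the procedures above ask for:
#   - PEM with certificate and private key (Instant Mode option),
#   - PEM bundle with every member of the chain (two-factor bundle),
#   - PKCS12 with key, certificate and chain (Add SSL / Add DTLS).
# The checks at the end are the ones worth running before an upload.
# Names are placeholders; the passphrase is a stand-in for a real one.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl is required" >&2; exit 1; }

WORKDIR="${WORKDIR:-$(mktemp -d)}"
P12_PASS="${P12_PASS:-placeholder-passphrase}"

# Minimal request config; [root_ext] is applied only to the self-signed root.
printf '[req]\ndistinguished_name = dn\nx509_extensions = root_ext\n[dn]\n[root_ext]\nbasicConstraints = critical,CA:TRUE\nkeyUsage = critical,keyCertSign,cRLSign\n' \
    > "$WORKDIR/req.cnf"

# issue NAME SUBJECT ISSUER EXTFILE: new key and CSR for NAME, signed by ISSUER.
issue() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$WORKDIR/$1.key" 2>/dev/null
    openssl req -new -config "$WORKDIR/req.cnf" -subj "$2" \
        -key "$WORKDIR/$1.key" -out "$WORKDIR/$1.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 365 -in "$WORKDIR/$1.csr" \
        -CA "$WORKDIR/$3.crt" -CAkey "$WORKDIR/$3.key" -CAcreateserial \
        -extfile "$4" -out "$WORKDIR/$1.crt" 2>/dev/null
}

build_chain() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -config "$WORKDIR/req.cnf" -subj "/O=Example Corp/CN=Example Root CA" \
        -keyout "$WORKDIR/root.key" -out "$WORKDIR/root.crt" 2>/dev/null
    printf 'basicConstraints = critical,CA:TRUE,pathlen:0\nkeyUsage = critical,keyCertSign,cRLSign\n' \
        > "$WORKDIR/ca.ext"
    issue issuing "/O=Example Corp/CN=Example Issuing CA" root "$WORKDIR/ca.ext"
    printf 'basicConstraints = CA:FALSE\nkeyUsage = digitalSignature,keyEncipherment\nextendedKeyUsage = serverAuth\nsubjectAltName = DNS:amp.example.com\n' \
        > "$WORKDIR/server.ext"
    issue server "/O=Example Corp/CN=amp.example.com" issuing "$WORKDIR/server.ext"
}

package() {
    # Instant Mode: certificate and its private key in one PEM file.
    cat "$WORKDIR/server.crt" "$WORKDIR/server.key" > "$WORKDIR/instant.pem"
    # Two-factor bundle: leaf first, then each intermediate, then the root.
    cat "$WORKDIR/server.crt" "$WORKDIR/issuing.crt" "$WORKDIR/root.crt" \
        > "$WORKDIR/bundle.pem"
    # PKCS12 for the Add SSL / Add DTLS menus: key, leaf and the CA chain.
    cat "$WORKDIR/issuing.crt" "$WORKDIR/root.crt" > "$WORKDIR/chain.pem"
    openssl pkcs12 -export -name amp -inkey "$WORKDIR/server.key" \
        -in "$WORKDIR/server.crt" -certfile "$WORKDIR/chain.pem" \
        -passout "pass:$P12_PASS" -out "$WORKDIR/amp.p12"
}

# The public key inside the certificate must equal the one derived from the key.
key_matches_cert() {
    a=$(openssl x509 -in "$WORKDIR/server.crt" -noout -pubkey)
    b=$(openssl pkey -in "$WORKDIR/server.key" -pubout)
    [ "$a" = "$b" ]
}

# Can the leaf be chained to the root using only what the bundle supplies?
bundle_is_complete() {
    openssl verify -CAfile "$WORKDIR/root.crt" -untrusted "$WORKDIR/bundle.pem" \
        "$WORKDIR/server.crt" >/dev/null 2>&1
}

# Number of certificates inside the .p12 (leaf + issuing + root = 3).
p12_cert_count() {
    openssl pkcs12 -in "$WORKDIR/amp.p12" -passin "pass:$P12_PASS" -nokeys 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE'
}

build_chain
package
key_matches_cert   && echo "key matches certificate"
bundle_is_complete && echo "bundle chains to the root"
echo "certificates in amp.p12: $(p12_cert_count)"
```

With a real CA you skip build_chain and drop the certificate the CA returned plus its intermediates into the same places; the three checks stay the same. The bundle check deliberately trusts only the root and treats the bundle as untrusted input, so it fails when an intermediate is missing, which is exactly the condition that makes two-factor authentication fail after an otherwise successful upload.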

Configuring Certificate Revocation Lists (CRLs)

When a CRL is configured, AirWave checks whether the certificate presented by the requesting device has been revoked. You can also rely on the CRL so that certificate validation still completes when the OCSP responder is not reachable.

To configure the CRL:

  1. From the AMP CLI, enter 3-4-7 to open the Configuration > Certificates > CRL menu.

Figure 12  Opening the CRL Menu

  2. Enter 1 to make the CRL check required, then follow the prompts to run the function and return to the CRL menu.
  3. Enter 2 to configure a CRL distribution URL, then follow the prompt to add the URL.
  4. Enter 3 to add a CRL file, then follow the prompt to add the file.
  5. Enter the password for the AMP server.
  6. Click Update to save the configuration.
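The following OpenSSL session is an added example and not part of AirWave or its documentation; it shows what the CRL check above does from the verifier's side. A throwaway CA built with openssl ca issues a device certificate, a verifier that trusts the CA and has its CRL accepts the certificate, the CA then revokes the certificate and publishes a new CRL, and the same verifier rejects it. The CA layout, names and working directory are placeholders.

```shell
#!/bin/sh
# Added example, not AirWave's own tooling: what a CRL check does. A
# throwaway CA issues a device certificate, a verifier accepts it, the CA
# revokes it and publishes a CRL, and the same verifier now rejects it.
# The CA is a demo "openssl ca" setup; all names are placeholders.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl is required" >&2; exit 1; }

WORKDIR="${WORKDIR:-$(mktemp -d)}"
CADIR="$WORKDIR/ca"

setup_ca() {
    mkdir -p "$CADIR/newcerts"
    : > "$CADIR/index.txt"                 # the CA's issued/revoked database
    echo 1000 > "$CADIR/serial"
    echo 1000 > "$CADIR/crlnumber"
    cat > "$CADIR/ca.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = ca_ext
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ca]
default_ca = demo
[demo]
dir = $CADIR
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
crlnumber = \$dir/crlnumber
certificate = \$dir/ca.crt
private_key = \$dir/ca.key
default_md = sha256
default_days = 365
default_crl_days = 7
policy = pol
x509_extensions = leaf_ext
[pol]
organizationName = optional
commonName = supplied
[leaf_ext]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = clientAuth
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -config "$CADIR/ca.cnf" -subj "/O=Example Corp/CN=Example Device CA" \
        -keyout "$CADIR/ca.key" -out "$CADIR/ca.crt" 2>/dev/null
}

issue_device_cert() {
    openssl req -new -newkey rsa:2048 -nodes -config "$CADIR/ca.cnf" \
        -subj "/O=Example Corp/CN=iap-01.example.com" \
        -keyout "$WORKDIR/iap.key" -out "$WORKDIR/iap.csr" 2>/dev/null
    openssl ca -batch -notext -config "$CADIR/ca.cnf" \
        -in "$WORKDIR/iap.csr" -out "$WORKDIR/iap.crt" 2>/dev/null
}

publish_crl() {
    openssl ca -config "$CADIR/ca.cnf" -gencrl -out "$WORKDIR/ca.crl" 2>/dev/null
}

revoke_device_cert() {
    openssl ca -config "$CADIR/ca.cnf" -revoke "$WORKDIR/iap.crt" 2>/dev/null
}

# The verifier's side: chain to the trusted CA and consult the CRL.
# Prints "good", "revoked", or "error" for any other verification failure.
device_cert_status() {
    out=$(openssl verify -CAfile "$CADIR/ca.crt" -crl_check \
            -CRLfile "$WORKDIR/ca.crl" "$WORKDIR/iap.crt" 2>&1) && { echo good; return 0; }
    case $out in
        *"certificate revoked"*) echo revoked ;;
        *)                       echo error ;;
    esac
}

# How many serial numbers the current CRL lists.
crl_entry_count() {
    openssl crl -in "$WORKDIR/ca.crl" -noout -text | grep -c 'Serial Number:' || true
}

setup_ca
issue_device_cert
publish_crl
STATUS_BEFORE=$(device_cert_status)
revoke_device_cert
publish_crl
STATUS_AFTER=$(device_cert_status)
echo "before revocation: $STATUS_BEFORE, after revocation: $STATUS_AFTER"
echo "serial numbers on the CRL: $(crl_entry_count)"
```

Two things in this run carry over to the AirWave setting. The verifier only rejects the certificate once it holds a CRL that lists it, so a stale CRL file uploaded through option 3 is as good as none; prefer a distribution URL (option 2) that is refreshed before nextUpdate passes. And because the check happens entirely with the CA certificate and the CRL on hand, it keeps working when the OCSP responder is unreachable, which is the fallback the section above describes.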