In cryptography, PKCS #12 defines an archive file format for storing many cryptographic objects as a single file. It is commonly used to bundle a private key with its X.509 certificate or to bundle all the members of a chain of trust.
A PKCS #12 file may be encrypted and signed. The internal storage containers, called “SafeBags,” may also be encrypted and signed. A few SafeBags are predefined to store certificates, private keys, and CRLs. Another SafeBag is provided to store any other data at the individual implementer’s choice.
Devices using self-signed certificates
Problem: By default, CPPM / Aruba appliances use self-signed certificates when uses access the GUI.
Use Case # 1 – Aruba Mobility Conductor and a Managed Device (MD)
The default self-signed certificate
Solution: When possible, generate a certificate signing request (CSR) that contains the IP address of the device and the subject alternative name (SAN) > name of the device.
- Make a directory
2. Copy the default OpenSSL config file and edit the original openssl.cnf file
- Edit the OpenSSL.cnf > add the following lines. I added the text under the lines that begin with
distinguished_name = req_distinguished_name
req_extensions = req_ext
Note: The network device entries must exist in DNS.
- Generate CSR that contains the private and public keys. The private key should be stored securely.
openssl req -out vMM0002-PROD.csr -newkey rsa:4096 -keyout vMM0002-PROD-PRIVATE.key -config vMM0002-PROD_SAN_CSR.cnf
5. Verify that the CSR was created with the following SANs attributes: IP and DNS name of the server.
openssl req -text -in vMM0002-PROD.csr -noout -verify
6. extract public key from the public key
verify that the CSR and private keys were created
7. Send the CSR to the CA to be signed
Copy and paste the contents of the CSR file. Include – Begin — End
Log into the CA server. The example below is a MS CA http://IP/certsrv
8. Download the device certificate and the chained certificate. Select Base 64 encoded.
Make a copy of the original files and save them with the .pem extension.
View the certificate attributes
9. Create a pfx file by combining the signed .pem file with the private key. The private key should not be shared and must be securely stored.
openssl pkcs12 -export -in vMM0002-PROD.pem -inkey vMM0002-PROD-PRIVATE.key -name vMM0002-PROD -out vMM0002-PROD.p12
10. Upload the Root and intermediate certificate to the device
Click mobility conductor > configuration > system > certificates click the “+” sign.
Verify that both certs were uploaded to the device
11. commit the pending changes
12. Upload the signed HTTPS certificate
Click pending changes and commit the config.
13. Configure the device to use the new cert.
Click mobility conductor > configuration > system > admin
Change the server certificate to the newly uploaded certificate.
Click pending changes > deploy changes
HTTPS into the device via IP or FQDN