Generate HTTPS Certificate for Aruba WLC

In cryptography, PKCS #12 defines an archive file format for storing many cryptographic objects as a single file. It is commonly used to bundle a private key with its X.509 certificate or to bundle all the members of a chain of trust.

A PKCS #12 file may be encrypted and signed. The internal storage containers, called “SafeBags,” may also be encrypted and signed. A few SafeBags are predefined to store certificates, private keys, and CRLs. Another SafeBag is provided to store any other data at the individual implementer’s choice.[1][2]

PKCS #12 is one of the family of standards called Public-Key Cryptography Standards (PKCS) published by RSA Laboratories.

Devices using self-signed certificates

Problem: By default, CPPM / Aruba appliances use self-signed certificates when users access the GUI.

Use Case # 1 – Aruba Mobility Conductor and a Managed Device (MD)


The default self-signed certificate

Solution: When possible, generate a certificate signing request (CSR) that contains the IP address of the device and the name of the device as subject alternative names (SANs).

1. Make a directory

2. Copy the default OpenSSL config file and edit the original openssl.cnf file

3. Edit the OpenSSL.cnf > add the following lines. I added the text under the lines that begin with:
    [req]
    distinguished_name = req_distinguished_name
    req_extensions = req_ext

Note: The network device entries must exist in DNS.


4. Generate the CSR along with the private and public keys. The private key should be stored securely.

openssl req -out vMM0002-PROD.csr -newkey rsa:4096 -keyout vMM0002-PROD-PRIVATE.key -config vMM0002-PROD_SAN_CSR.cnf

5. Verify that the CSR was created with the following SAN attributes: IP and DNS name of the server.

openssl req -text -in vMM0002-PROD.csr -noout -verify

6. Extract public key from the public key

Verify that the CSR and private keys were created

7. Send the CSR to the CA to be signed

Copy and paste the contents of the CSR file, including the BEGIN and END lines.


Log into the CA server. The example below is an MS CA: http://IP/certsrv

Click submit

8. Download the device certificate and the chained certificate. Select Base 64 encoded.

Make a copy of the original files and save them with the .pem extension.

View the certificate attributes

9. Create a pfx file by combining the signed .pem file with the private key. The private key should not be shared and must be securely stored.

openssl pkcs12 -export -in vMM0002-PROD.pem -inkey vMM0002-PROD-PRIVATE.key -name vMM0002-PROD -out vMM0002-PROD.p12


10. Upload the Root and intermediate certificate to the device

Click mobility conductor > configuration > system > certificates click the “+” sign.

Verify that both certs were uploaded to the device

11. Commit the pending changes

12. Upload the signed HTTPS certificate

Click pending changes and commit the config.


13. Configure the device to use the new cert.

Click mobility conductor > configuration > system > admin

Change the server certificate to the newly uploaded certificate.

Click submit

Click pending changes > deploy changes


HTTPS into the device via IP or FQDN
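
Steps 3 to 5 as one script, added here as an example and not taken from the original post: it writes a request config with SAN entries, generates an encrypted key and CSR, and checks the SANs by exact match before the CSR goes to the CA. The [req_ext] and [alt_names] sections, prompt = no, the -passout option, the function names and the host values wlc01.example.test / 192.0.2.10 are assumptions; the file naming follows the commands above.

```shell
# Added example. Host name and IP used with it are constructed placeholders.

# write_san_cnf <fqdn> <ip>: print an OpenSSL request config on stdout.
write_san_cnf() {
    cat <<EOF
[req]
distinguished_name = req_distinguished_name
req_extensions = req_ext
prompt = no

[req_distinguished_name]
CN = $1

[req_ext]
subjectAltName = @alt_names

[alt_names]
DNS.1 = $1
IP.1 = $2
EOF
}

# make_csr <basename> <fqdn> <ip> [bits]: writes <basename>_SAN_CSR.cnf,
# <basename>-PRIVATE.key (encrypted with the exported KEY_PASS) and <basename>.csr.
make_csr() {
    ( umask 077   # key and config are created readable by the owner only
      write_san_cnf "$2" "$3" > "${1}_SAN_CSR.cnf" &&
      openssl req -new -newkey "rsa:${4:-4096}" -keyout "${1}-PRIVATE.key" \
          -passout env:KEY_PASS -out "${1}.csr" -config "${1}_SAN_CSR.cnf" )
}

# san_entries: stdin is `openssl req -noout -text` output; prints one SAN per line.
san_entries() {
    awk '/X509v3 Subject Alternative Name/ {
             getline; gsub(/^ +/, ""); gsub(/ +$/, "")
             gsub(/, /, "\n"); print; exit }'
}

# has_san <entry>: exact match, so 192.0.2.1 does not pass for 192.0.2.10.
has_san() { san_entries | grep -Fxq -- "$1"; }

# check_csr <csr> <fqdn> <ip>: succeed only if both SANs are in the request.
check_csr() {
    csr_text=$(openssl req -in "$1" -noout -text) || return 1
    printf '%s\n' "$csr_text" | has_san "DNS:$2" &&
        printf '%s\n' "$csr_text" | has_san "IP Address:$3"
}
```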
