In cryptography, PKCS #12 defines an archive file format for storing many cryptographic objects as a single file. It is commonly used to bundle a private key with its X.509 certificate or to bundle all the members of a chain of trust.
A PKCS #12 file may be encrypted and signed. The internal storage containers, called “SafeBags,” may also be encrypted and signed. A few SafeBags are predefined to store certificates, private keys, and CRLs. Another SafeBag is provided to store any other data at the individual implementer’s choice.[1][2]
PKCS #12 is one of the family of standards called Public-Key Cryptography Standards (PKCS) published by RSA Laboratories.
Devices using self-signed certificates
Problem: By default, CPPM / Aruba appliances use self-signed certificates when users access the GUI.
Use Case # 1 – Aruba Mobility Conductor and a Managed Device (MD)
![](https://www.netprojnetworks.com/wp-content/uploads/2022/10/image-1024x482.png)
The default self-signed certificate
![](https://www.netprojnetworks.com/wp-content/uploads/2022/10/01-1-1024x913.jpg)
Solution: When possible, generate a certificate signing request (CSR) whose subject alternative name (SAN) extension contains both the IP address of the device and the DNS name of the device.
1. Make a directory
![](https://www.netprojnetworks.com/wp-content/uploads/2022/10/02-1-1024x391.jpg)
2. Copy the default OpenSSL config file (openssl.cnf) and edit the copy
![](https://www.netprojnetworks.com/wp-content/uploads/2022/10/image-1.png)
3. Edit the copied OpenSSL.cnf and add the following lines. I added the text under the lines that begin with:

```ini
[req]
distinguished_name = req_distinguished_name
req_extensions = req_ext
```
![](https://www.netprojnetworks.com/wp-content/uploads/2022/10/image-2-1024x160.png)
Note: The network device entries must exist in DNS.
![](https://www.netprojnetworks.com/wp-content/uploads/2022/10/image-3.png)
4. Generate the private key and a CSR (the CSR carries the public key). The private key should be stored securely.

```sh
openssl req -out vMM0002-PROD.csr -newkey rsa:4096 -keyout vMM0002-PROD-PRIVATE.key -config vMM0002-PROD_SAN_CSR.cnf
```
![](https://www.netprojnetworks.com/wp-content/uploads/2022/10/03-1024x354.jpg)
5. Verify that the CSR contains the expected SAN attributes: the IP address and the DNS name of the server.

```sh
openssl req -text -in vMM0002-PROD.csr -noout -verify
```
![](https://www.netprojnetworks.com/wp-content/uploads/2022/10/image-4-1024x446.png)
![](https://www.netprojnetworks.com/wp-content/uploads/2022/10/image-5-1024x341.png)
6. Extract the public key from the private key and verify that the CSR and private key were created.
![](https://www.netprojnetworks.com/wp-content/uploads/2022/10/image-6-1024x151.png)
![](https://www.netprojnetworks.com/wp-content/uploads/2022/10/04-1024x139.jpg)
7. Send the CSR to the CA to be signed.
Copy and paste the full contents of the CSR file, including the BEGIN and END lines.
![](https://www.netprojnetworks.com/wp-content/uploads/2022/10/image-7-1024x610.png)
Log into the CA server. The example below uses a Microsoft CA web enrollment page at http://IP/certsrv
![](https://www.netprojnetworks.com/wp-content/uploads/2022/10/image-8-1024x350.png)
![](https://www.netprojnetworks.com/wp-content/uploads/2022/10/image-9-1024x167.png)
![](https://www.netprojnetworks.com/wp-content/uploads/2022/10/image-10-1024x491.png)
Click submit
8. Download the device certificate and the chained certificate. Select Base 64 encoded.
![](https://www.netprojnetworks.com/wp-content/uploads/2022/10/image-11-1024x208.png)
Make a copy of the original files and save them with the .pem extension.
![](https://www.netprojnetworks.com/wp-content/uploads/2022/10/image-12-1024x385.png)
View the certificate attributes
![](https://www.netprojnetworks.com/wp-content/uploads/2022/10/image-13.png)
9. Create a pfx file by combining the signed .pem file with the private key. The private key should not be shared and must be securely stored.

```sh
openssl pkcs12 -export -in vMM0002-PROD.pem -inkey vMM0002-PROD-PRIVATE.key -name vMM0002-PROD -out vMM0002-PROD.p12
```
![](https://www.netprojnetworks.com/wp-content/uploads/2022/10/image-14-1024x214.png)
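The OpenSSL part of the procedure above (steps 2 to 5 and 9), as an added example that is not code from the original post: it writes a dedicated config carrying the SAN extension, generates the key and CSR unattended, returns the CSR's SAN line for checking, and bundles a CA-signed certificate and chain into PKCS #12. The host name, IP address and file names are assumed placeholders.

```shell
# Added example, not code from the original post: the OpenSSL side of the
# procedure above, run unattended. Host name, IP address and file names are
# assumed placeholders.
set -eu
NAME="${NAME:-vMM0002-PROD}"
HOST="${HOST:-vmm0002-prod.example.local}"  # must resolve in DNS (step 3 note)
IP="${IP:-192.0.2.10}"                      # device management IP

# Steps 2-3: a dedicated config carrying the SAN extension, instead of
# editing the distribution's openssl.cnf in place.
write_san_config() {
  cat > "$NAME-SAN-CSR.cnf" <<EOF
[req]
distinguished_name = req_distinguished_name
req_extensions = req_ext
prompt = no
[req_distinguished_name]
CN = $HOST
[req_ext]
subjectAltName = @alt_names
[alt_names]
DNS.1 = $HOST
IP.1 = $IP
EOF
}

# Step 4: private key plus CSR. -nodes skips the passphrase prompt the post's
# command would give; umask keeps the key file readable by its owner only.
make_csr() {
  umask 077
  openssl req -new -newkey rsa:4096 -nodes -keyout "$NAME-PRIVATE.key" \
    -out "$NAME.csr" -config "$NAME-SAN-CSR.cnf" 2>/dev/null
}

# Step 5: print the SAN line so the DNS and IP entries can be checked.
csr_sans() {
  openssl req -in "$NAME.csr" -noout -text | grep -A1 'Alternative Name' | tail -n1
}

# Step 9: bundle the CA-signed certificate ($1) and its chain ($2) with the key.
# The export password is read from P12PASS rather than typed on the command line.
make_p12() {
  openssl pkcs12 -export -in "$1" -inkey "$NAME-PRIVATE.key" -certfile "$2" \
    -name "$NAME" -passout env:P12PASS -out "$NAME.p12"
}

write_san_config
make_csr
csr_sans
```

Once the CA returns the signed certificate and chain as PEM, run `P12PASS=... make_p12 signed.pem chain.pem` to produce the .p12 for step 12.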
10. Upload the root and intermediate certificates to the device.
Click Mobility Conductor > Configuration > System > Certificates and click the “+” sign.
![](https://www.netprojnetworks.com/wp-content/uploads/2022/10/image-15-1024x430.png)
![](https://www.netprojnetworks.com/wp-content/uploads/2022/10/image-16-1024x501.png)
![](https://www.netprojnetworks.com/wp-content/uploads/2022/10/image-17-1024x495.png)
Verify that both certs were uploaded to the device
11. Commit the pending changes
12. Upload the signed HTTPS certificate
![](https://www.netprojnetworks.com/wp-content/uploads/2022/10/image-18-1024x498.png)
![](https://www.netprojnetworks.com/wp-content/uploads/2022/10/image-23-1024x269.png)
Click pending changes and commit the config.
13. Configure the device to use the new cert.
Click mobility conductor > configuration > system > admin
![](https://www.netprojnetworks.com/wp-content/uploads/2022/10/image-21-1024x502.png)
Change the server certificate to the newly uploaded certificate.
![](https://www.netprojnetworks.com/wp-content/uploads/2022/10/image-22-1024x496.png)
Click submit
Click pending changes > deploy changes
Connect to the device over HTTPS via its IP address or FQDN.
![](https://www.netprojnetworks.com/wp-content/uploads/2022/10/05-1024x477.jpg)