Hello and welcome back, my name is Tyler McMinn. And this is the Aruba Networks Security Basics video series, part two, where we are going to jump into lab number three, where we're on the Aruba mobility controller. And in this task, we're going to be installing certs. Let's jump in. [MUSIC] All right, so in this task, what we're going to do is harden the controller. In the previous tasks, we have hardened the 6300 and 3810 switches, and part of that hardening process included using stronger cipher algorithms and MACs, enabling SSH, disabling telnet, and installing the root certificate authority as well as generating certificates on the switches themselves, and getting those signed by the CA, or by the certificate authority. In this particular task, we're going to do the same thing with the controller. We are going to install the certificate authority to the controller, and instead of generating this public/private key pair certificates on the controller and then getting the public signed, we've actually already done that step in a prior lab on the wired management machine. Now, we just simply need to import that cert into the controller. So first things first, I'm going to open up my wired machine over here. And once I'm on my wired machine, I can close some of this out, open up a browser and navigate to the controller itself. So let me do that, I'm going to refresh this, here we go. So logging into the controller, in fact, you can still see it here. There's a pop-up showing us that there was a pop-up originally saying this site is not secure and the reason we are re-enables the warning. So if I refresh this and log in, this is the error message that we were seeing the very first time. And if we look at the error, it actually says that the cert is invalid. The certificate authority that signed off on this is self-signed. My computer does not share that same certificate authority. We have the one for this environment, this controller does not.
So that's one of the first steps we're going to do, is get the certificate authority signature imported, so it's using the same cert for this SSL connection. So to do that, we're going to connect to the controller. Go down to configuration, go down to system and look for certificates. This is where we have the option to import certificates, export certificates to a certificate signing request, revoke checkpoints, etcetera. But in the import certificate option, I want to go ahead and import a new certificate. And then we can give the certificate a nice little name here, and we'll just call this the same Aruba training CA and then browse to where that cert is. Now I'm on a browser on this wired machine, I've already imported the root CA public cert here, or the certificate that I can install, and there's that root CA cert. So let's go and open that up, it's now ready to pull that back in. If there was a passphrase, I could put that in. There is not. Set the format appropriately. The certificate is in a PEM format, and it is a trusted CA cert. With that done, we submit, and with our mobility controller operating system, once you submit, if you're in command line, you need a write memory. After pressing enter in the browser, you submit and then do a pending changes, deploy those pending changes. It is now installed and ready to go. It has not expired. So we are all set. I can install the MC cert that we created earlier. Now, this is in my tools folder. Look here, this configuration of what the MC settings were. We used this to generate a private key and public key pair. This is the exported private key that we did using OpenSSL commands in our command prompt. And we also exported a certificate that we then did a certificate signing request from our CA. So the combination of the private key and the signed public cert we saved as the mc.pfx file. This is what we are ultimately going to want to bring in here.
So let's go back down to import certificates again, hit the plus icon, and we want to import this cert that we've already created. So we'll give it a name here, and we'll just call this mc, keep it nice and simple, and find that PFX file. This PFX file is going to include both the public signed cert and the private key all in one. Pretty cool. Now there is a passphrase with this, so I'll put that in again. The cert type is PFX for the extension and it's going to be a server cert. So we submit. Before we do pending changes, we can do a couple other things here. For example, for admin access, like us logging into the browser to make these changes, we can exchange the authentication options there. So if I go down to admin authentication options under Config, System, Admin, you could change the default role, you could change what cert it uses. And what we want to do is, instead of using the default self-signed cert, what we're going to do is change it now to that MC cert that we just imported, because that cert is a server cert, we can use it and host it. So submit, apply pending changes, and deploy. And we're looking pretty good, let's go ahead and close the browser. I think I've got the URL in here, so I don't have to retype that out, but we can close it, reopen it and see now if we get that same error message that we got before. I don't notice that, no red line, nothing like that, no error message, no pop-up. We connected it, it's secure, it's a valid certificate that was issued by training Aruba AD. There it is. More importantly, I can now log in, trusting that this server, the mobility controller, is signed by the same public cert that I myself have imported on this wired machine. So that is our first task, let's go and stop there and then we'll come back and do external admin authentication options here as well.
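
Added example, not part of the video or the lab material: a pre-import check on the management machine that a PFX bundle such as mc.pfx opens with its passphrase, that its private key matches its certificate, and that the certificate was signed by the root CA PEM being installed as the trusted CA. The throwaway CA, subject names, passphrase and function names are constructed for the demo.

```shell
#!/usr/bin/env bash
# Added example. All names, subjects and the passphrase are constructed for the demo.

# Build a throwaway CA, a controller key + CSR, a CA-signed cert, and mc.pfx in dir $1.
make_demo_pki() {
  local d=$1 pass=$2
  printf '[req]\ndistinguished_name=dn\nx509_extensions=v3\n[dn]\n[v3]\nbasicConstraints=critical,CA:TRUE\n' > "$d/demo.cnf"
  openssl req -x509 -config "$d/demo.cnf" -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=Demo Training CA" -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
  openssl req -config "$d/demo.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=mc.demo.example" -keyout "$d/mc.key" -out "$d/mc.csr" 2>/dev/null
  openssl x509 -req -in "$d/mc.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
    -CAcreateserial -days 30 -out "$d/mc.pem" 2>/dev/null
  openssl pkcs12 -export -inkey "$d/mc.key" -in "$d/mc.pem" \
    -passout "pass:$pass" -out "$d/mc.pfx"
}

# Return 0 if the PFX opens, its key matches its cert, and the cert chains to the CA.
# Return 2 = cannot open (bad passphrase/file), 3 = key/cert mismatch, 4 = not signed by CA.
check_pfx() {
  local pfx=$1 pass=$2 ca=$3 tmp rc=0 cert_pub key_pub
  tmp=$(mktemp -d) || return 2
  openssl pkcs12 -in "$pfx" -passin "pass:$pass" -clcerts -nokeys -out "$tmp/crt.pem" 2>/dev/null &&
    openssl pkcs12 -in "$pfx" -passin "pass:$pass" -nocerts -nodes -out "$tmp/key.pem" 2>/dev/null ||
    rc=2
  if [ "$rc" -eq 0 ]; then
    # Compare the public key in the cert with the one derived from the private key.
    cert_pub=$(openssl x509 -in "$tmp/crt.pem" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$tmp/key.pem" -pubout | openssl sha256)
    [ "$cert_pub" = "$key_pub" ] || rc=3
  fi
  if [ "$rc" -eq 0 ]; then
    openssl verify -CAfile "$ca" "$tmp/crt.pem" >/dev/null 2>&1 || rc=4
  fi
  rm -rf "$tmp"   # the unencrypted key copy must not outlive the check
  return "$rc"
}

demo=$(mktemp -d)
make_demo_pki "$demo" 'demo-pass'
check_pfx "$demo/mc.pfx" 'demo-pass' "$demo/ca.pem" && echo "mc.pfx: key matches cert, chain OK"
rm -rf "$demo"
```

A return code of 4 before import corresponds to the browser warning shown at the start of the lab: the controller would present a certificate the management machine's trusted CA did not sign.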