Wired Intelligent Edge

You should apply the certificate after importing it. This ASE solution provides the instructions for the full process, and if you select Mobility Access Switch in the step 'Install' the commands to activate the certificate.

The certificate that you showed is not the one from the advisory; it's already a self-signed one.

What's the reason for updating/changing the certificate?

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------

I have since resolved this issue via the CLI but I'll provide responses to your statements below.

"You should apply the certificate after importing it. This ASE solution provides the instructions for the full process, and if you select Mobility Access Switch in the step 'Install' the commands to activate the certificate."

So I apologize for my ignorance here but I'm not entirely clear on what you mean when you say "select Mobility Access Switch in the step 'Install'". The only guide I'm aware of is the one I provided the link to and that isn't mentioned from what I see. 

Here's the thing though... The Aruba S2500 can't run any firmware past "ArubaOS_MAS_7.4.1.12_72393" which doesn't seem to have the option in the GUI referenced in Step 3 of the guide I provided the link to. The guide states in Step 3 that you should apply the cert now that you've uploaded it by going under "Management > General" but that option doesn't exist in the GUI of the S2500. At least not that I can find. See image below.

The solution for me to apply the cert was that I had to actually go in to the CLI and apply it that way because that option does not exist in the GUI as far as I can tell. So i just had to drop in to conf t then run:

web-server
switch-cert <cert_name>
write memory

That was able to resolve that issue for me.

"The certificate that you showed is not the one from the advisory; it's already a self-signed one.

One would think by looking at it that this was accurate. It looks like a perfectly good certificate that wouldn't have any issues but that's not the case. For some reason Chrome, Edge, Chromium, and multiple other browsers have issues with this certificate and will not allow you to access the GUI because of it. They will just give you the error "ERR_SSL_KEY_USAGE_INCOMPATIBLE" and prevent you from going any further. The only way you can access the GUI of the S2500 is to do 1 of 3 things

1. Use a browser that warns about this certificate but still allows you to proceed which would be Firefox.
2. Replace the certificate with a new self-signed one or a legit signed one.
3. Use Reverse Proxy with a real certificate and point to the switch.

This makes setting up the S2500 a bit of a headache if you're not aware of these issues. Once you can get the new self-signed certificate loaded though, you can then use Chrome, Edge, or any other browser. You still get the warning about it being a self-signed certificate but you can acknowledge the warning and still get in.

In the end my issue is resolved and I'm now able to get in to the GUI with the self-signed cert I generated. That guide I referenced just doesn't seem to apply to the GUI options available in the S2500 running "ArubaOS_MAS_7.4.1.12_72393". I do not have all the options available to me in the GUI that are displayed in the screenshot of "Step 3". There is no "Management > General" option. So it seems for the S2500 unless I'm missing some way to enable more options in the GUI, the only way to apply the cert after uploading it is to go in the the CLI and apply it. 

Original Message:
Sent: May 02, 2024 07:34 AM
From: Herman Robers
Subject: Certificate on old Aruba S2500 switch

You should apply the certificate after importing it. This ASE solution provides the instructions for the full process, and if you select Mobility Access Switch in the step 'Install' the commands to activate the certificate.

The certificate that you showed is not the one from the advisory; it's already a self-signed one.

What's the reason for updating/changing the certificate?

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.

I have since resolved this issue via the CLI but I'll provide responses to your statements below.

"You should apply the certificate after importing it. This ASE solution provides the instructions for the full process, and if you select Mobility Access Switch in the step 'Install' the commands to activate the certificate."

So I apologize for my ignorance here but I'm not entirely clear on what you mean when you say "select Mobility Access Switch in the step 'Install'". The only guide I'm aware of is the one I provided the link to and that isn't mentioned from what I see. 

Here's the thing though... The Aruba S2500 can't run any firmware past "ArubaOS_MAS_7.4.1.12_72393" which doesn't seem to have the option in the GUI referenced in Step 3 of the guide I provided the link to. The guide states in Step 3 that you should apply the cert now that you've uploaded it by going under "Management > General" but that option doesn't exist in the GUI of the S2500. At least not that I can find. See image below.

The solution for me to apply the cert was that I had to actually go in to the CLI and apply it that way because that option does not exist in the GUI as far as I can tell. So i just had to drop in to conf t then run:

web-server
switch-cert <cert_name>
write memory

That was able to resolve that issue for me.

"The certificate that you showed is not the one from the advisory; it's already a self-signed one.

One would think by looking at it that this was accurate. It looks like a perfectly good certificate that wouldn't have any issues but that's not the case. For some reason Chrome, Edge, Chromium, and multiple other browsers have issues with this certificate and will not allow you to access the GUI because of it. They will just give you the error "ERR_SSL_KEY_USAGE_INCOMPATIBLE" and prevent you from going any further. The only way you can access the GUI of the S2500 is to do 1 of 3 things

1. Use a browser that warns about this certificate but still allows you to proceed which would be Firefox.
2. Replace the certificate with a new self-signed one or a legit signed one.
3. Use Reverse Proxy with a real certificate and point to the switch.

This makes setting up the S2500 a bit of a headache if you're not aware of these issues. Once you can get the new self-signed certificate loaded though, you can then use Chrome, Edge, or any other browser. You still get the warning about it being a self-signed certificate but you can acknowledge the warning and still get in.

In the end my issue is resolved and I'm now able to get in to the GUI with the self-signed cert I generated. That guide I referenced just doesn't seem to apply to the GUI options available in the S2500 running "ArubaOS_MAS_7.4.1.12_72393". I do not have all the options available to me in the GUI that are displayed in the screenshot of "Step 3". There is no "Management > General" option. So it seems for the S2500 unless I'm missing some way to enable more options in the GUI, the only way to apply the cert after uploading it is to go in the the CLI and apply it. 

Original Message:
Sent: May 02, 2024 07:34 AM
From: Herman Robers
Subject: Certificate on old Aruba S2500 switch

You should apply the certificate after importing it. This ASE solution provides the instructions for the full process, and if you select Mobility Access Switch in the step 'Install' the commands to activate the certificate.

The certificate that you showed is not the one from the advisory; it's already a self-signed one.

What's the reason for updating/changing the certificate?

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.