
Aruba AOS-CX setup

This process configures an Aruba AOS-CX switch for SSL connectivity using a certificate issued by a domain CA, and enables the REST API.


First, export the CA public certificate from certmgr:

  • Trusted Root Certification Authority\Certificates\<domain-ca>
    All Tasks → Export
    Base-64 encoded X.509 (.CER)

  • Name it:

DOMAIN_CA.cer

If needed, remove the existing certificate and TA profile first:

no crypto pki certificate web-cert
no crypto pki ta-profile DOMAIN_CA

Give the switch an FQDN:

conf t
hostname SwitchName
domain-name ad.domain.com

Create a TA profile for the domain CA and import the CA certificate into it:

crypto pki ta-profile DOMAIN_CA
  • Copy the contents of DOMAIN_CA.cer
  • Run:
ta-certificate import terminal
  • Paste the certificate
  • Press:
CTRL-D
  • Then press:
y

Verify:

show crypto pki ta-profile

Create the switch certificate and set its subject and key type:

crypto pki certificate web-cert
subject common-name SwitchName.ad.domain.com
key-type rsa key-size 2048

Generate the CSR:

enroll terminal
  • Copy the Base64-encoded CSR output

Navigate to:

http://<domain-ca>/certsrv/certrqxt.asp
  • Paste the CSR into the request box

  • In Additional Attributes, add:

san:dns=SwitchName.ad.domain.com&ipaddress=12.34.56.78

(use the LAN IP)

  • Select:
    • Template: SSL Certificate
  • Click:
    • Submit >

After issuance:

  • Select:
    • Base 64 encoded
  • Click:
    • Download certificate

  • Open certnew.cer in Notepad
  • Copy the encoded certificate text to clipboard

Import the signed certificate on the switch:

crypto pki certificate web-cert
import terminal ta-profile DOMAIN_CA
  • Paste the certificate when prompted
  • Press ENTER

Verify:

show crypto pki certificate web-cert

Return to regular configuration mode, then enable the HTTPS server on the mgmt VRF and bind the certificate to it:

https-server vrf mgmt
crypto pki application https-server certificate web-cert

To enable RADIUS authentication for HTTPS and REST access:

aaa authentication login https-server group radius local

Ensure REST API access is configured for Portweaver:

https-server rest access-mode read-write

  • CA certificate is imported as a ta-profile
  • CSR is generated and signed by the domain CA
  • Certificate is installed and bound to HTTPS
  • HTTP is replaced with secure HTTPS access

This enables secure management and API access on Aruba AOS-CX switches.
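
To confirm the result of the procedure above from a management host, the following added example (not part of the original page or of any Aruba tooling) performs a TLS handshake that trusts only DOMAIN_CA.cer and checks that the served certificate carries both SAN entries requested in the CSR. The function names are hypothetical, the FQDN and IP are the page's placeholder values, and it assumes the switch is reachable on TCP 443.

```python
import ipaddress
import socket
import ssl


def san_entries(peer_cert):
    """Split subjectAltName from SSLSocket.getpeercert() into DNS names and IPs."""
    dns, ips = set(), set()
    for kind, value in peer_cert.get("subjectAltName", ()):
        if kind == "DNS":
            dns.add(value.lower())
        elif kind == "IP Address":
            ips.add(ipaddress.ip_address(value))
    return dns, ips


def missing_san(peer_cert, fqdn, lan_ip):
    """Return the expected SAN entries that the certificate does not carry."""
    dns, ips = san_entries(peer_cert)
    missing = []
    if fqdn.lower() not in dns:
        missing.append("dns=" + fqdn)
    if ipaddress.ip_address(lan_ip) not in ips:
        missing.append("ipaddress=" + lan_ip)
    return missing


def fetch_verified_cert(host, ca_file, port=443, timeout=5):
    """Handshake trusting only ca_file; raises ssl.SSLCertVerificationError if the
    chain does not lead to that CA or if host is not covered by the certificate."""
    ctx = ssl.create_default_context(cafile=ca_file)  # system roots are not loaded
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()


def check_switch(fqdn, lan_ip, ca_file):
    """Connect by name and by IP, and collect every problem found."""
    problems = []
    for target in (fqdn, lan_ip):
        try:
            cert = fetch_verified_cert(target, ca_file)
        except OSError as exc:  # ssl.SSLError is a subclass of OSError
            problems.append(f"{target}: {exc}")
            continue
        problems += [f"{target}: SAN lacks {m}" for m in missing_san(cert, fqdn, lan_ip)]
    return problems


if __name__ == "__main__":
    # Placeholder values from the page; replace with the real switch name and LAN IP.
    for line in check_switch("SwitchName.ad.domain.com", "12.34.56.78", "DOMAIN_CA.cer") or ["OK"]:
        print(line)
```

A verification error on the IP target while the FQDN target passes usually means the ipaddress entry was left out of the Additional Attributes field when the CSR was submitted.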