We have a number of HMOL 230's on our network.
A recent vulnerability scan highlighted that all had an identical Certificate, not certifiable and not corresponding to a DNS entry.
What used this and can I replace with a certificate from a cert authority ?
Can you help me to understand the problem that you are trying to solve? What issue/vulnerability do you see existing here?
You do not day-to-day manage the APs via this route, that takes place via HiveManager.
The service available at https://ap_ip_address/ is only used for initial, basic configuration tasks or firmware updates normally before an AP is configured and working, and in atypical circumstances. At that point, you would not have been able to install a certificate anyway.
We don't manage the APs directly , we use Hivemanager as you describe. The problem is the vulnerability report lists the APs certs as high risk:
"The subject common name (CN) field in the X.509 certificate does not match the name of the entity presenting the certificate"
do the AP need a cert installed ?
It is not at all a high risk, or even a medium risk, due to what is available via HTTPS on an AP and what that gets used for.
This is where the report falls down, it has no context on which to score.
While there are enhancements we could make, this is not something that has much of an impact from a security perspective due to the reason that I explained.
is it possible to disable 443 on the APs ? Capwap doesn't rely on it ?