If you manage HPE Aruba Networking switches through Aruba Central, there’s an important change coming that may impact your ability to download firmware using the HTTPS protocol.

On November 1, 2025, HPE Aruba will replace the HTTPS server certificate used by Aruba Central’s content delivery network (CDN). Devices running specific software versions of AOS-S and AOS-CX may be unable to validate this new certificate—resulting in failed HTTPS firmware downloads unless action is taken.

What’s Changing?

HPE Aruba Networking Central is updating the HTTPS server certificate used to authenticate software downloads via its CDN. After November 1, 2025, affected Aruba switches that do not have the updated root CA certificate in their Trust Anchor library will fail to authenticate the server and will fall back to HTTP for firmware downloads.

This creates a problem for customers who rely on HTTPS and have firewalls or policies that block HTTP traffic. In these cases, firmware updates will stop working entirely unless the switch software is upgraded ahead of time.

Who Is Affected?

This change impacts Aruba Central-managed switches that meet all of the following criteria:

1. Use the HTTPS protocol for software downloads, and
2. Have a firewall or policy that blocks HTTP, and
3. Are running one of the AOS-S or AOS-CX software versions listed below

Affected AOS-S Software Versions

• AOS-S 16.11.xxxx: 16.11.0012 and above
• AOS-S 16.10.xxxx: 16.10.0025
• (16.09.xxxx and below are not affected because they use HTTP only)

Affected AOS-CX Software Versions

• 10.15.xxxx: all
• 10.14.xxxx: all
• 10.13.xxxx: all
• 10.12.xxxx: all (EoS)
• 10.11.xxxx: all (EoS)
• 10.10.xxxx: 10.10.1070 to 10.10.1160 (partially affected)

⚠️ If switches running these versions cannot verify the new HTTPS certificate, they will attempt to use HTTP. If HTTP is blocked, the device will fail to download firmware from Aruba Central.

Who Is Not Affected?

You are not affected if:

• Your switches use HTTP only for software downloads
• Your devices are running these software versions: AOS-S
  • 16.11.xxxx: 16.11.0011 and below
  • 16.10.xxxx: 16.10.0024 and below
  • 16.09.xxxx and older
  AOS-CX
  • 10.10.xxxx: 10.10.1060 and below
  • 10.09.xxxx and older
• Your switches are locally managed (not connected to Aruba Central)

What Happens If You Do Nothing?

• Devices will attempt to download firmware via HTTPS.
• If the new certificate is not trusted, the HTTPS connection will be rejected.
• The switch will fall back to HTTP.
• If HTTP is blocked, the switch will be unable to download updates.
• This will prevent future firmware upgrades through Aruba Central.

Required Action Before November 1, 2025

To avoid disruption, affected customers must upgrade their switches to a software version that includes the updated root certificate:

Recommended Software Versions

AOS-S (SwitchOS)

• Upgrade to 16.11.0026 or above

AOS-CX

• Upgrade to 10.15.1030 or above
• Or:
  • 10.14.1061 or above
  • 10.13.1110 or above
  • 10.10.1170 or above (if still using 10.10.xxxx)

✅ These versions include the updated certificate in the Trust Anchor library and will continue to work with Aruba Central’s new HTTPS setup after November 1, 2025.

Software End-of-Support Notes

• AOS-CX 10.10.xxxx: End of Support as of June 30, 2025
• AOS-S 16.10.xxxx: End of Support as of May 31, 2024
• AOS-S 16.09.xxxx: End of Support as of January 30, 2024

Summary: What You Need to Know

Final Recommendations

• Upgrade before November 1, 2025, to avoid firmware download failures.
• Review and adjust firewall rules if you intend to allow fallback to HTTP.
• Prefer HTTPS for secure software delivery.
• Stay on actively supported software to avoid security risks and compatibility issues.

If you’re unsure which version your Aruba switch is running, or need assistance identifying the correct upgrade path, contact your network integrator or refer to the HPE Networking Support Portal.