The correct answer is A. A public CA signed certificate should be deployed. The browser warning appears because the captive portal is presenting a self-signed certificate that the client device does not trust. For guest access, client devices are usually unmanaged and cannot be expected to already trust an internal or self-signed certificate authority. HPE Aruba Networking documentation for captive portal deployments recommends that production environments obtain and install a certificate issued for the site or domain by a well-known Certificate Authority. This avoids browser trust warnings and gives guest users confidence that they are connecting to the correct portal. Option B is incorrect because disabling HTTPS and using HTTP would reduce security and expose portal traffic. Option C may work only for managed devices where the self-signed or private CA can be pushed into the trust store, but that is not practical for open wired guest access. Option D can be valid for internal managed users, but for guests, a public trusted CA certificate is the best answer.