How to upload certificate on SmartZone Controllers

Nayanendu — Wed, 21 Sep 2022 11:28:58 GMT

We have often come across a situation where we had to upload the wildcard certificate on the SmartZone controller. The reason, we do not want to get:

       Certificate error while accessing the management GUI of controller
       Certificate error while accessing the Captive Portal/Hotspot page on a WLAN

However, we run into issues while uploading the certificate on the controller like:

Hence, I will be guiding you with the step-by-step procedure of correctly uploading a certificate on the controller. In this guide, I will be talking about the steps of how to upload an SSL certificate and Wildcard certificate.

Following are some key points regarding the certificate:

Usually, an SSL certificate is generated using CSR (Certificate Signing Request) from the controller. Sometimes, it will be generated using CSR from an external server.
The wildcard certificate is always generated using CSR (Certificate Signing Request) from an external server. Below is the link which lists out the server from which you could generate CSR.

https://comodosslstore.com/resources/how-to-generate-a-csr-for-a-wildcard-ssl-certificate/

The private key is a separate file that's used in the encryption/decryption of data sent between your server and the connecting clients. Hence, would need a private key file along with the certificate bundle if the CSR is generated from the external server.
If the certificate is generated using CSR from the controller, then we do not need a separate private key file as it will be internally present on the controller’s certificate directory.

Once the certificate is signed by a valid Certificate Authority like GoDaddy, Comodo, Verisign, Digicert, etc. you will receive a certificate bundle in .pfx format, for example:

And if it is an SSL certificate it would look like below:

STEPS TO UPLOAD THE WILDCARD FILE:

The easier way to extract the server certificate and private key from .pfx format bundle is to use the Open SSL tool. Below is the link to download the OpenSSL tool:

https://www.openssl.org/source/

Place the pfx file into the OpenSSL's bin folder, and run the cmd using admin rights. example: cd CC:\OpenSSL-Win32\bin

Now run the below commands:

openssl pkcs12 -in WildCardCert.pfx -clcerts -nokeys -out Certificate.cer 
openssl pkcs12 -in WildCardCert.pfx -nocerts -nodes  -out private.key

NOTE:

1. Here is the certificate extension we are keeping as .cer and private key extension as .key format.

2. In the above, "WildCardCert.pfx" is the pfx cert you have with you. "Certificate.cer" is the file name for the cert exerted from pfx to .cer. And "private.key" is the private key.

3. It will ask for a password after each command to decrypt the certificate and private key. This password you would have created while generating the certificate. If no password was created and even if it prompts for a password, then just hit enter.

Once you have the cert in .cer format, open the WildCardCert.cer file and it will look like below:

You must extract the server, root, and intermediate certificate as shown above and import them all to vSZ in the correct sequence. For this task, you can use a windows machine.

To extract the Server Certificate, follow the below steps:

Open the Server Certificate file WildCardCert.cer. Navigate to Details and click on “Copy to File”

Click on Next.

Select Base-64 encoding (.CER) and click on Next.

Browse, where you want to save the file and click on Next.

Click on “Finish” and it would show “The export was successful”

Then, follow the below steps to export the intermediate cert:

Click on Intermediate Certificate and then click on View Certificate

Click on Copy to File and follow the same steps as you followed for the Server certificate.

Follow the same steps to extract the Root Certificate. Make sure all the certificates that we are extracting should be exported with the Base encoding of 64.

After you have all the certs (server, intermediate, and root). Then, navigate to the Controller’s System > Certificate > SZ as a server certificate > Import the respective files.

Upload the private.key and make sure NOT to use the key encryption password, as during the initial Open SSL commands you used the password to decrypt the certificate and key.

Then, click on Validate, it would show like below if the private key and certificates are correct and matching.

Map the “Test” certificate to the respective service:

NOTE: Once you click on OK, the controller services would be impacted for 30 minutes. Hence, it is always good to perform this activity during maintenance hours. Also, collect cluster backup prior to applying the certificate in the service. In case anything goes haywire, then we can revert to the previous configuration by restoring the backup.

STEPS TO UPLOAD THE SSL CERTIFICATE:

Once you open the file 511a3f836612e8b5.crt

It would show up like below:

Then follow the same steps as shown above to extract the server, root, and intermediate certificate. This time while uploading the SSL certificate on the controller you will need to add the Key passphrase if you have one. If not, you can keep it blank. Once the certificate is validated, apply it to the respective service.

Re: How to upload certificate on SmartZone Controllers

Teacup — Fri, 20 May 2022 15:17:13 GMT

Hi,

I'm on 5.2.2.0.317 and it says that "private key and certificate are not matched". I have verified with openssl the cert and private key are matched. I also use them in other systems just fine. Here is the command I use to generate the private key, and the wildcard cert is in Base-64 encoded X.509 (PEM format)

openssl genrsa -aes256 -out private.key 2048

Re: How to upload certificate on SmartZone Controllers

syamantakomer — Fri, 29 Jul 2022 21:42:13 GMT

Hi,

Try to export the cert as .cer with base-4 encoding and try again.

Re: How to upload certificate on SmartZone Controllers

Likith — Mon, 13 May 2024 16:39:53 GMT

Can we preform cert-based authentication on ruckus-zone director 3000.If yes under what type of certificate option should I upload the x.509 certificate ??

1)PKI signed

2) CA certificate

topic Re: How to upload certificate on SmartZone Controllers in RUCKUS Self-Help

How to upload certificate on SmartZone Controllers

Re: How to upload certificate on SmartZone Controllers

Re: How to upload certificate on SmartZone Controllers

Re: How to upload certificate on SmartZone Controllers