topic Re: Problem importing custom certificate (EC signature format) in Unleashed

Problem importing custom certificate (EC signature format)

bhusan_gupta — Sun, 18 Jul 2021 17:33:11 GMT

I strongly suspect that Ruckus can't handle private keys in EC format (unlike RSA). My problem is as follows:

I am attempting to install a new custom certificate from Let's Encrypt created by the acme plug-in on pfsense. The certificate create process executes without a hitch and I have valid files: <fqdn>.{crt, key, fullchain, ca, all.pem}. The certificate is using EC which LE is now generating in production and most of my servers can use them without issues.

However, when I try to import the crt and key using the Unleashed interface, the error that is returned states that the private key does not match the certificate : "The imported private key still does not match your imported certificate. The imported certificate and private key will be discarded. Please import certificate file again."

I have also imported the <fqdn>.ca file as additional trusted CAs in the Advanced tab.

The key file has the following format:

-----BEGIN EC PARAMETERS-----
B<altered data>==
-----END EC PARAMETERS-----
-----BEGIN EC PRIVATE KEY-----
MIG<altered data>=
-----END EC PRIVATE KEY-----

The key file passes an openssl check as follows (altered data):

openssl ec -in <fqdn>.key -check
read EC key
EC Key valid.
writing EC key
-----BEGIN EC PRIVATE KEY-----
M<ALTERED DATA>=
-----END EC PRIVATE KEY-----

The cert (<fqdn>.crt) passes an openssl check with the 'Signature Algorithm: ecdsa-with-SHA384'

As an aside, I have tried both manually importing the certificates through the Unleashed GUI as well as the cool script referenced here (pfsense -> acme -> unleashed): https://github.com/ms264556/Hackery/blob/master/pages/PfSenseLetsEncryptToRuckus.md

Re: Problem importing custom certificate (EC signature format)

syamantakomer — Mon, 19 Jul 2021 20:38:51 GMT

Hi Bhusan,

Try below article and follow as it is on Unleashed.

KBA is indented for ZD product but process is similar on Unleashed.

https://support.ruckuswireless.com/articles/000001561

If you are still having issues, try to convert your cert chain to .cer with base-64 encoding and then upload the chain with key.

Re: Problem importing custom certificate (EC signature format)

bhusan_gupta — Mon, 19 Jul 2021 20:48:20 GMT

@syamantak_omer

Don't have the correct level of support account to see that KB article. Hence my post...

Re: Problem importing custom certificate (EC signature format)

syamantakomer — Mon, 19 Jul 2021 20:49:53 GMT

@bhusan_gupta

To accomplish the Wild-Card Installation on Zone-Director

1. Make sure you have certificate(s) in ".cer" format with "base-64" encoding and also make sure that you have complete chain of certificates (Wildcard >> intermediate >> root) along with private key in ".key" format.

Note: If you have certificate in ".pfx" format, please use OpenSSL or any other third party application to extract the certificate and key from ".pfx" to ".cer" and ".key" formats.

2. Once you have all above contains ready, Import the wildcard cert into the ZD.

For 9.x firmwares: go to ZD Web GUI >> Configure >> Certificate >> Import Signed Certificate
For 10.1.x firmwares: go to ZD Web GUI >> Administer >> Certificate >> Import Signed Certificate

3. The ZD will prompt for the private key as the ZD will sense that the certs private key and the private key the ZD has are different.

4. Once the private key is imported the ZD will prompt for the cert again as it will sense that the cert it has and the private key it has doesn't match

5. Once import the cert again, this time the cert's private key and the private key which the ZD has are same so ZD imports the cert, but figures out that the cert is wildcard so prompts for the hostname.

6. Choose the hostname and make sure you create an entry on your DNS for ZD's IP address with new FQDN created for ZD.

7. Now continue installing intermediate and then root certificate.

8. Once chain is completed, select restart ZD, ZD will come up this time with certificate installed on it.

At this point the ZD will use that cert for all further SSL connections and the web auth and guest pass redirects will use the FQDN in the URL.

Re: Problem importing custom certificate (EC signature format)

bhusan_gupta — Mon, 19 Jul 2021 21:18:01 GMT

@syamantak_omer

Thanks for the instructions. I have followed the steps above but still have the same issue (not able to import). My certificates are in Base-64 format (I pasted snippets of them in my original message). While the file extension is .crt for the certificate, the contents are the same as a Base-64 cer file. I have tried to import the cert (not wildcard but FQDN) and then the key only to have the process halt between step 3 & 4. The difference is that I am using a EC (elliptic curve) key system and not a RSA. I can run the following command on the crt and openssl returns the correct information:

openssl x509 -in <fqdn>.crt -text -noout

Re: Problem importing custom certificate (EC signature format)

syamantakomer — Tue, 20 Jul 2021 21:20:15 GMT

ECDSA key and certificate is supported on our SmartZone platform with 5.2.2 version and above.

What is the Unleashed firmware on your setup?

I am not sure if we support it on Unleashed, could you try to upgrade latest (200.10) and see if that works?

Re: Problem importing custom certificate (EC signature format)

bhusan_gupta — Tue, 20 Jul 2021 21:28:27 GMT

@syamantak_omer

I should have mentioned that I am running Unleashed 200.10.10.5.229 on my R750(s). So I suspect that Unleashed might be lagging a bit from SZ in terms of certificate support?

Re: Problem importing custom certificate (EC signature format)

syamantakomer — Wed, 21 Jul 2021 14:35:08 GMT

Hi Bhusan,

I am checking if we support it on Unleashed/ZD yet or not.

Re: Problem importing custom certificate (EC signature format)

syamantakomer — Mon, 26 Jul 2021 14:47:25 GMT

I have checked this internally with concerned team, as of now this is not supported and there are no future plan to support it.

If required, you can reach out to your regional Ruckus system engineer and they can help you to open a feature request on your behalf.

Re: Problem importing custom certificate (EC signature format)

bhusan_gupta — Mon, 26 Jul 2021 17:17:45 GMT

@syamantak_omer Thanks for the follow-up and confirmation about the missing support of EC keys in Unleashed. I assume because the feature does exist in ZD that it would be technically possible to add to Unleashed.

Given that I don't have a support contract, I am not sure that I would be able to ask for a feature request through the regional system engineer. But hope that other folks with support contracts can ask for the EC support as it is the coming default encryption protocol of record.

Re: Problem importing custom certificate (EC signature format)

syamantakomer — Mon, 09 Aug 2021 13:23:09 GMT

Hi @bhusan_gupta ,

This is not supported on Unleashed and there is no plan to support in near future.

If this is critical for you or if you need this to be supported on Unleashed, please reach out to your regional RUCKUS system engineer, who can help you to raise a feature request on your behalf.