
How to Install a Certificate on SZ/vSZ?

remya_murugesh
New Contributor II


  1. Generate the CSR from any node, or the same can be generated from a third-party device:

System >> Certificates >> CSR >> Generate


  2. Fill in the details and submit the same to a CA authority


Now, you will be able to see the same CSR in all nodes in the cluster

 

  3. Once the certificate is received, import the certificate to SZ from System >> Certificates >> SZ as a Server Cert

Browse and select the Server, Intermediate and Root certificates accordingly for the intended certificate

Alternatively, you may chain all the related certificates to a single file in .pem format and map the same against Server Certificate

Chaining order: Server, Intermediate and Root

 

  4. Apply Private Key

Select the CSR associated with the certificate for private key

For a third party generated CSR, upload the private key along with the associated certificates

Note: The certificate formats supported are only PEM and CRT

 

  5. Click on the Validate certificate and click OK once the validate summary is displayed


Once the certificate is successfully uploaded, you can again crosscheck the certificate availability on each node in cluster

  6. Then the certificate can be mapped against the preferred services from System >> Certificates >> Certificate to Service Mapping


  • Management Web : Used by Web UI and Public API traffic
  • AP Portal: Used by Web Auth WLAN and Guest Access WLAN control traffic
  • Hotspot Wispr: Used by WISPr WLAN control (Northbound Interface, Captive Portal, and Internal Subscriber Portal) traffic
  • Ruckus Intra device: Used by AP control traffic

This will again be synced among the cluster nodes.

Please note that the certificate import would initiate a service restart on the web and subscriber management applications. You can verify the status of the services from SZ CLI:

>en

<enable password>

#show service

 

 

Thanks
Remya Murugesh
Sr. Technical Support Engineer
1 REPLY 1

eizens_putnins
Valued Contributor

Very useful clarification, documentation isn't describing this important task in detail. I think it is important to mention that certificate should be a wildcard certificate, as the same certificate is used on all vSZ or SZ nodes in a cluster, so it must be valid for multiple FQDNs.

Therefore the cheapest certificate will not do -- except if you can use FQDN for one node as domain.com and for another -- www.domain.com, this will work as by default most certificates include both names. You can import simple one-domain certificate, but then you will be able to connect securely to only one node, to the second node you'll need to connect only using IP and will be getting warning in a browser - modern browsers don't allow connection by name to a site with wrong certificate...

Services restart after certificate change can easily take 30 minutes, so don't be worried that you broke the system.