
Problem importing custom certificate (EC signature format)

bhusan_gupta
New Contributor III

I strongly suspect that Ruckus can't handle private keys in EC format (unlike RSA). My problem is as follows:

I am attempting to install a new custom certificate from Let's Encrypt created by the acme plug-in on pfsense. The certificate creation process executes without a hitch and I have valid files: <fqdn>.{crt, key, fullchain, ca, all.pem}. The certificate is using EC, which LE is now generating in production, and most of my servers can use them without issues.

However, when I try to import the crt and key using the Unleashed interface, the error that is returned states that the private key does not match the certificate: "The imported private key still does not match your imported certificate. The imported certificate and private key will be discarded. Please import certificate file again."

I have also imported the <fqdn>.ca file as additional trusted CAs in the Advanced tab.

The key file has the following format:

-----BEGIN EC PARAMETERS-----
B<altered data>==
-----END EC PARAMETERS-----
-----BEGIN EC PRIVATE KEY-----
MIG<altered data>=
-----END EC PRIVATE KEY-----

The key file passes an openssl check as follows (altered data):

openssl ec -in <fqdn>.key -check
read EC key
EC Key valid.
writing EC key
-----BEGIN EC PRIVATE KEY-----
M<ALTERED DATA>=
-----END EC PRIVATE KEY-----

The cert (<fqdn>.crt) passes an openssl check with the 'Signature Algorithm: ecdsa-with-SHA384'

As an aside, I have tried both manually importing the certificates through the Unleashed GUI as well as the cool script referenced here (pfsense -> acme -> unleashed): https://github.com/ms264556/Hackery/blob/master/pages/PfSenseLetsEncryptToRuckus.md


ECDSA key and certificate is supported on our SmartZone platform with 5.2.2 version and above.

What is the Unleashed firmware on your setup?

I am not sure if we support it on Unleashed. Could you try to upgrade to the latest (200.10) and see if that works?


Syamantak Omer
Sr.Staff TSE | CWNA | CCNA | RCWA | RASZA | RICXI
RUCKUS Networks, CommScope!

@syamantak_omer 

I should have mentioned that I am running Unleashed 200.10.10.5.229 on my R750(s). So I suspect that Unleashed might be lagging a bit from SZ in terms of certificate support?

Hi Bhusan,

I am checking if we support it on Unleashed/ZD yet or not.


Syamantak Omer
Sr.Staff TSE | CWNA | CCNA | RCWA | RASZA | RICXI
RUCKUS Networks, CommScope!

I have checked this internally with the concerned team. As of now this is not supported and there are no future plans to support it.

If required, you can reach out to your regional Ruckus system engineer and they can help you to open a feature request on your behalf.


Syamantak Omer
Sr.Staff TSE | CWNA | CCNA | RCWA | RASZA | RICXI
RUCKUS Networks, CommScope!

@syamantak_omer Thanks for the follow-up and confirmation about the missing support of EC keys in Unleashed. I assume because the feature does exist in ZD that it would be technically possible to add to Unleashed. 

Given that I don't have a support contract, I am not sure that I would be able to ask for a feature request through the regional system engineer. But I hope that other folks with support contracts can ask for the EC support, as it is the coming default encryption protocol of record.
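
A pre-import check that separates a genuine key/certificate mismatch from a matching pair that is simply EC, which the staff reply in this thread says Unleashed does not support. This is an added example, not code from the thread or from Ruckus; the function names and exit codes are assumptions of the example, and it uses only the standard `openssl x509` and `openssl pkey` commands.

```bash
#!/usr/bin/env bash
# Added example: pre-import check for a PEM certificate and private key.
# Function names and exit codes are choices made for this example.

# Public key (SubjectPublicKeyInfo PEM) embedded in the certificate.
cert_pubkey() { openssl x509 -in "$1" -noout -pubkey; }

# Public key derived from the private key; pkey handles both RSA and EC keys.
key_pubkey() { openssl pkey -in "$1" -pubout; }

# Key algorithm named in the certificate: RSA, EC or OTHER.
cert_key_type() {
  case "$(openssl x509 -in "$1" -noout -text | grep -m1 'Public Key Algorithm')" in
    *rsaEncryption*)  echo RSA ;;
    *id-ecPublicKey*) echo EC ;;
    *)                echo OTHER ;;
  esac
}

# Exit codes: 0 = pair matches and is RSA
#             1 = key does not belong to the certificate (or a file is unreadable)
#             2 = pair matches but is not RSA
check_pair() {
  local crt="$1" key="$2" cpub kpub type
  cpub=$(cert_pubkey "$crt" 2>/dev/null) || { echo "cannot read certificate: $crt"; return 1; }
  kpub=$(key_pubkey "$key" 2>/dev/null)  || { echo "cannot read private key: $key"; return 1; }
  # Both commands emit the same PEM encoding, so equal text means the same key.
  if [ "$cpub" != "$kpub" ]; then
    echo "MISMATCH: $key is not the private key for $crt"
    return 1
  fi
  type=$(cert_key_type "$crt")
  if [ "$type" != RSA ]; then
    echo "MATCH, but key type is $type, not RSA"
    return 2
  fi
  echo "MATCH: RSA key pair"
}

# Run directly as: ./check_pair.sh <fqdn>.crt <fqdn>.key
if [ "$#" -eq 2 ]; then check_pair "$1" "$2"; fi
```

An exit code of 2 on the files from the first post would mean the "does not match" message is about the key type rather than a wrong key file.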