
How to upload certificate on SmartZone Controllers

Nayanendu
Moderator

We often come across situations where a wildcard certificate has to be uploaded on the SmartZone controller. The reason is that we do not want to get:

  •        Certificate error while accessing the management GUI of controller
  •        Certificate error while accessing the Captive Portal/Hotspot page on a WLAN

However, we run into issues while uploading the certificate on the controller, such as:

[Image: Image1.JPG]

 

This guide therefore walks through the step-by-step procedure for correctly uploading a certificate on the controller, covering both an SSL certificate and a wildcard certificate.

Following are some key points regarding the certificate: 

  • Usually, an SSL certificate is generated using a CSR (Certificate Signing Request) from the controller. Sometimes, it is generated using a CSR from an external server.
  • The wildcard certificate is always generated using a CSR from an external server. The link below lists the servers from which you can generate a CSR:

https://comodosslstore.com/resources/how-to-generate-a-csr-for-a-wildcard-ssl-certificate/

  • The private key is a separate file that is used in the encryption/decryption of data sent between your server and the connecting clients. Hence, you need a private key file along with the certificate bundle if the CSR is generated from an external server.
  • If the certificate is generated using a CSR from the controller, a separate private key file is not needed, as the key is already present in the controller’s certificate directory.

Once the certificate is signed by a valid Certificate Authority like GoDaddy, Comodo, Verisign, Digicert, etc. you will receive a certificate bundle in .pfx format, for example: 

 

[Image: Image2.JPG]

 

And if it is an SSL certificate it would look like below: 

 

[Image: Image3.JPG]

 

STEPS TO UPLOAD THE WILDCARD FILE: 

 

The easiest way to extract the server certificate and private key from the .pfx bundle is to use the OpenSSL tool. Below is the link to download OpenSSL:

https://www.openssl.org/source/ 

 

Place the .pfx file in OpenSSL's bin folder and open cmd with admin rights. Example: cd C:\OpenSSL-Win32\bin

Now run the below commands: 

 

openssl pkcs12 -in WildCardCert.pfx -clcerts -nokeys -out Certificate.cer 
openssl pkcs12 -in WildCardCert.pfx -nocerts -nodes  -out private.key 

NOTE:

1. Here we keep the certificate extension as .cer and the private key extension as .key.

2. In the above, "WildCardCert.pfx" is the pfx cert you have with you. "Certificate.cer" is the file name for the cert extracted from the pfx as .cer. And "private.key" is the private key.

3. It will ask for a password after each command to decrypt the certificate and private key. This is the password you created while generating the certificate. If no password was created and it still prompts for one, just hit Enter.

  

Once you have the cert in .cer format, open the WildCardCert.cer file and it will look like below:

 

[Image: Image4.JPG]

 

You must extract the server, root, and intermediate certificates as shown above and import them all to vSZ in the correct sequence. For this task, you can use a Windows machine.

 

To extract the Server Certificate, follow the below steps: 

 

Open the Server Certificate file WildCardCert.cer. Navigate to Details and click on “Copy to File”

 

[Image: Image5.JPG]

 

Click on Next. 

 

[Image: Image6.JPG]

 

Select Base-64 encoding (.CER) and click on Next.

 

[Image: Image7.JPG]

 

Browse to where you want to save the file and click on Next.

[Image: Image9.JPG]

 

Click on “Finish” and it would show “The export was successful” 

 

[Image: Image10.JPG]

[Image: Image11.JPG]

 

Then, follow the below steps to export the intermediate cert: 

 

[Image: Image12.JPG]

 

Click on Intermediate Certificate and then click on View Certificate 

[Image: Image13.JPG]

 

Click on Copy to File and follow the same steps as you followed for the Server certificate.

[Image: Image14.JPG]

 

Follow the same steps to extract the Root Certificate. Make sure all the certificates you extract are exported with Base-64 encoding.

 

After you have all the certs (server, intermediate, and root), navigate to the Controller’s System > Certificate > SZ as a server certificate > Import the respective files.

 

Upload private.key and make sure NOT to enter a key encryption password, because the password was already used to decrypt the certificate and key when you ran the initial OpenSSL commands.

[Image: Image15.JPG]

 

Then click on Validate. If the private key and certificates are correct and matching, it will show as below.

[Image: Image16.JPG]

[Image: Image17.JPG]

 

Map the “Test” certificate to the respective service: 

[Image: Image18.JPG]

 

NOTE: Once you click on OK, the controller services will be impacted for 30 minutes. Hence, it is always good to perform this activity during maintenance hours. Also, take a cluster backup before applying the certificate to the service. If anything goes wrong, you can revert to the previous configuration by restoring the backup.

 

STEPS TO UPLOAD THE SSL CERTIFICATE: 

 

Once you open the file 511a3f836612e8b5.crt 

 

[Image: Image19.JPG]

It would show up like below: 

 

[Image: Image20.JPG]

 

Then follow the same steps as shown above to extract the server, root, and intermediate certificate. This time while uploading the SSL certificate on the controller you will need to add the Key passphrase if you have one. If not, you can keep it blank. Once the certificate is validated, apply it to the respective service. 
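
Added example (not part of the original post or any RUCKUS tooling): a POSIX shell pre-upload check, assuming OpenSSL is on the PATH, that confirms the extracted private key belongs to the certificate, detects a passphrase-protected key, and splits a Base-64 bundle into separate files labelled server, intermediate or root. The function names, the KEY_PASS variable and the demo files are assumptions made for this example.

```sh
#!/bin/sh
# Added example: pre-upload checks on Certificate.cer / private.key (needs openssl).

# Public key (PEM) embedded in a certificate.
cert_pubkey() { openssl x509 -in "$1" -noout -pubkey; }

# Public key (PEM) derived from a private key; a passphrase, if any, comes from $KEY_PASS.
key_pubkey() { KEY_PASS="${KEY_PASS:-}" openssl pkey -in "$1" -passin env:KEY_PASS -pubout; }

# 0 = key belongs to certificate, 1 = mismatch, 2 = a file could not be read or decrypted.
key_matches_cert() {
    c=$(cert_pubkey "$1" 2>/dev/null) || return 2
    k=$(key_pubkey "$2" 2>/dev/null) || return 2
    [ "$c" = "$k" ]
}

# Succeeds when the key file is passphrase-protected (PKCS#8 or legacy PEM header).
key_is_encrypted() { grep -Eq '^-----BEGIN ENCRYPTED|^Proc-Type: 4,ENCRYPTED' "$1"; }

# Splits a PEM bundle into $2/cert-1.pem, $2/cert-2.pem, ...; prints how many were found.
split_bundle() {
    awk -v d="$2" '/-----BEGIN CERTIFICATE-----/ { n++; on = 1 }
        on { print > (d "/cert-" n ".pem") }
        /-----END CERTIFICATE-----/ { on = 0 }
        END { print n + 0 }' "$1"
}

# Prints root (self-issued), intermediate (CA:TRUE) or server for one PEM certificate.
cert_role() {
    s=$(openssl x509 -in "$1" -noout -subject) || return 2
    i=$(openssl x509 -in "$1" -noout -issuer) || return 2
    if [ "${s#subject=}" = "${i#issuer=}" ]; then echo root
    elif openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; then echo intermediate
    else echo server; fi
}

# Constructed demo: throwaway self-signed certificate plus an unrelated, encrypted key.
demo() {
    t=$(mktemp -d) || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$t/a.key" -out "$t/a.pem" \
        -subj "/CN=*.example.test" -days 1 2>/dev/null
    openssl genrsa -aes256 -passout pass:demo -out "$t/b.key" 2048 2>/dev/null
    key_matches_cert "$t/a.pem" "$t/a.key" && echo "a.key matches a.pem"
    key_is_encrypted "$t/b.key" && echo "b.key is passphrase-protected"
    KEY_PASS=demo key_matches_cert "$t/a.pem" "$t/b.key" || echo "b.key does not match a.pem"
    rm -rf "$t"
}
demo
```

Because -nodes writes private.key unencrypted, keep that file readable only by your own account and delete it once the controller has validated the upload.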

 

3 REPLIES

Teacup
New Contributor

Hi,

I'm on 5.2.2.0.317 and it says that "private key and certificate are not matched". I have verified with openssl the cert and private key are matched. I also use them in other systems just fine. Here is the command I use to generate the private key, and the wildcard cert is in Base-64 encoded X.509 (PEM format)

openssl genrsa -aes256 -out private.key 2048

 

Hi,

Try to export the cert as .cer with base-4 encoding and try again.


Syamantak Omer
Sr.Staff TSE | CWNA | CCNA | RCWA | RASZA | RICXI
RUCKUS Networks, CommScope!
Follow me on LinkedIn

Likith
New Contributor

Can we perform cert-based authentication on ruckus-zone director 3000. If yes, under what type of certificate option should I upload the x.509 certificate?

1)PKI signed 

2) CA certificate