We are able to import from a local CA but no third-party certs will work.
Best answer by PatrykZ
Just wanted to mention that after an extensive troubleshooting session with the support from GTAC (many thanks) we finally figured out what was wrong.
At the beginning I was unable to import a trustpoint until we ran crypto key import trustpoint <trustpoint_name> <path>; after that the custom trustpoint was visible from the controller perspective (Operations → Certificates). However, to distribute the trustpoint to Wing devices you must have a tarball file imported. This part was confusing because we were expecting that no further action was required since there was already a trustpoint deployed.
In addition, the tarball file I attempted to upload was messed up because the .tar archive was created from a directory containing the three files [.prv, .ca, .crt].
The proper way to create a .tar file is by selecting all extracted files and creating a tar archive directly from them (make sure that the trustpoint name matches the file names; only the file extensions differ).
Once this was done, I was able to download/sync the trustpoint with the controller and remote AP.
To synchronize the trustpoint, make sure that the new trustpoint is configured on the specific profiles, otherwise it won't sync.
Useful links:
Below you can find the commands I ran to import the .tar file
- to import the tarball file
file-sync load-file trustpoint xyz tftp://x.x.x.x/xyz.tar
- to check the download status
vx9000-A9B6EC>show file-sync load-file-status
Download of xyz trustpoint is complete
- to synchronize the trustpoint with Wing devices
file-sync trustpoint <trustpoint name> rf-domain XXX
- to check the sync status
show file-sync status
show file-sync history
- to check if the trustpoint exists on AP/controller etc…
show crypto pki trustpoints
show crypto pki trustpoint on <AP/Controller/RF-Domain>
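The tarball layout the answer above describes (the three files at the top level of the archive, all named after the trustpoint, not nested inside a directory) is easy to get wrong and hard to spot from the controller side, so here is an added example, not part of the original post, that builds the archive the right way on a workstation and checks its layout before it is loaded with file-sync. It assumes a POSIX shell with tar(1), a trustpoint named xyz, and placeholder file contents constructed for the demo in place of real key and certificate material.

```shell
#!/bin/sh
# Added example (not from the original post): build a WiNG trustpoint tarball
# the way the answer describes -- <trustpoint>.prv, <trustpoint>.ca and
# <trustpoint>.crt at the top level of the archive, with no directory prefix.
# Assumptions: tar(1) is available; the trustpoint is "xyz"; the file
# contents created by make_sample_trustpoint are constructed placeholders.

# build_trustpoint_tar NAME SRCDIR OUTFILE
# Packs NAME.prv, NAME.ca and NAME.crt from SRCDIR into OUTFILE so that the
# archive entries are bare file names. Returns 1 if a required file is missing.
build_trustpoint_tar() {
    name=$1; src=$2; out=$3
    for ext in prv ca crt; do
        [ -f "$src/$name.$ext" ] || { echo "missing $src/$name.$ext" >&2; return 1; }
    done
    # -C changes into SRCDIR first, so no directory component ends up in the tar.
    tar -cf "$out" -C "$src" "$name.prv" "$name.ca" "$name.crt"
}

# verify_trustpoint_tar OUTFILE NAME
# Checks that the archive contains exactly the three expected top-level
# entries and nothing else (no "dir/" prefix, no stray files). Returns 1 on mismatch.
verify_trustpoint_tar() {
    out=$1; name=$2
    entries=$(tar -tf "$out" | sed 's#^\./##' | sort)
    expected=$(printf '%s.ca\n%s.crt\n%s.prv\n' "$name" "$name" "$name")
    if [ "$entries" != "$expected" ]; then
        echo "unexpected archive layout for $out:" >&2
        printf '%s\n' "$entries" >&2
        return 1
    fi
    return 0
}

# make_sample_trustpoint NAME DIR
# Writes constructed placeholder files (not real PEM material) for the demo.
make_sample_trustpoint() {
    name=$1; dir=$2
    mkdir -p "$dir"
    printf -- '-----BEGIN PRIVATE KEY-----\nplaceholder\n-----END PRIVATE KEY-----\n' > "$dir/$name.prv"
    printf -- '-----BEGIN CERTIFICATE-----\nplaceholder CA\n-----END CERTIFICATE-----\n' > "$dir/$name.ca"
    printf -- '-----BEGIN CERTIFICATE-----\nplaceholder cert\n-----END CERTIFICATE-----\n' > "$dir/$name.crt"
}

# demo: build the archive correctly, then show that archiving the directory
# itself (the mistake described in the answer) fails the layout check.
demo() {
    work=$(mktemp -d)
    make_sample_trustpoint xyz "$work/xyz"
    build_trustpoint_tar xyz "$work/xyz" "$work/xyz.tar" || return 1
    verify_trustpoint_tar "$work/xyz.tar" xyz || return 1
    # Wrong way: entries become xyz/xyz.prv, xyz/xyz.ca, xyz/xyz.crt.
    tar -cf "$work/bad.tar" -C "$work" xyz
    if verify_trustpoint_tar "$work/bad.tar" xyz 2>/dev/null; then
        echo "directory-based tar unexpectedly passed the check" >&2
        return 1
    fi
    echo "xyz.tar is laid out correctly; load it with:"
    echo "  file-sync load-file trustpoint xyz tftp://<tftp-server>/xyz.tar"
    rm -rf "$work"
}
```

Run `demo` (or call `build_trustpoint_tar` and `verify_trustpoint_tar` directly on your own files) before copying the archive to the TFTP server; if the check fails, the `tar -tf` listing it prints shows the directory prefix that the controller would reject.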