Solved

Wing Controller SSL Import

  • 21 March 2018
  • 9 replies
  • 643 views

Has anyone had any success importing an SSL certificate from GoDaddy or another 3rd party into a Wing Controller?

We are able to import from a local CA, but no 3rd party certs will work.

Best answer by PatrykZ 17 April 2021, 16:01

Hi Folks,

Just wanted to mention that after an extensive troubleshooting session with the support from GTAC (many thanks) we finally figured out what was wrong.

At the beginning I was unable to import a trustpoint until we ran crypto key import trustpoint <trustpoint_name> <path>. The custom trustpoint was then visible from the controller perspective (Operations → Certificates); however, to distribute the trustpoint to Wing devices you must have a tarball file imported. This part was confusing because we were expecting that no further action is required since there was a trustpoint deployed.

In addition, the tarball file I attempted to upload was messed up because the .tar archive was created from a directory containing the three files [.prv, .ca, .crt].

The proper way to create a .tar file is by selecting all extracted files and creating a tar archive directly from them (make sure that the trustpoint name matches the file names - only the file extensions are different).

Once this was done, I was able to download / sync the trustpoint with the controller and remote AP.

To synchronize the trustpoint, make sure that the new trustpoint is configured on the specific profiles, otherwise it won’t sync.

 

Useful links:

https://extremeportal.force.com/ExtrArticleDetail?an=000082369

https://extremenetworks2com-my.sharepoint.com/personal/ayasin_extremenetworks_com/_layouts/15/onedrive.aspx?originalPath=aHR0cHM6Ly9leHRyZW1lbmV0d29ya3MyY29tLW15LnNoYXJlcG9pbnQuY29tLzpmOi9nL3BlcnNvbmFsL2F5YXNpbl9leHRyZW1lbmV0d29ya3NfY29tL0VqUmNCc25lYWJOR2pUZWo2bXBLN0xrQnJadnhGbTM0NnBOMFpYWEVLSGd4Vnc%5FcnRpbWU9Z3NpbkxzSUEyVWc&id=%2Fpersonal%2Fayasin%5Fextremenetworks%5Fcom%2FDocuments%2F02367627%2Fmytrust%2Ezip&parent=%2Fpersonal%2Fayasin%5Fextremenetworks%5Fcom%2FDocuments%2F02367627

https://extremeportal.force.com/ExtrArticleDetail?an=000082927

https://extremeportal.force.com/ExtrArticleDetail?an=000082442

https://extremeportal.force.com/ExtrArticleDetail?an=000059384

 

Below you can find the commands I ran to import the .tar file:

  1. to import the tarball file

    file-sync load-file trustpoint xyz tftp://x.x.x.x/xyz.tar

  2. to check the download status

    vx9000-A9B6EC>show file-sync load-file-status
    Download of xyz trustpoint is complete

  3. to synchronize the trustpoint with Wing devices

    file-sync trustpoint <trustpoint name> rf-domain XXX

  4. to check the sync status

    show file-sync status
    show file-sync history

  5. to check if the trustpoint exists on AP/controller etc…

    show crypto pki trustpoints
    show crypto pki trustpoint on <AP/Controller/RF-Domain>
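As an added pre-flight check (not code from this thread or from Extreme Networks), the Python script below builds a trustpoint tarball in the flat layout the answer describes, flags the "tar of a directory" layout that broke the import, reports how many certificate blocks the .ca member carries, and, when the openssl CLI is installed, compares the private key against the certificate (the mismatch reported further down in the thread). The three-extension requirement (.prv, .ca, .crt with the trustpoint name as basename) is taken from the answer; the trustpoint name xyz, the PEM bodies and the file names are constructed placeholders, not real key material.

```python
"""Pre-flight checks for a WiNG trustpoint tarball before 'file-sync load-file'.

Added example, not code from the thread or from Extreme Networks. It encodes
the layout the thread converged on: three files named <trustpoint>.prv,
<trustpoint>.ca and <trustpoint>.crt packed directly into the archive, with
no directory prefix. The PEM bodies below are constructed placeholders.
"""
import io
import shutil
import subprocess
import tarfile

REQUIRED_EXTENSIONS = ("prv", "ca", "crt")

# Constructed placeholder members; only the PEM framing matters for the checks.
PLACEHOLDER_FILES = {
    "xyz.prv": b"-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "xyz.ca": (
        b"-----BEGIN CERTIFICATE-----\nINTERMEDIATE\n-----END CERTIFICATE-----\n"
        b"-----BEGIN CERTIFICATE-----\nROOT\n-----END CERTIFICATE-----\n"
    ),
    "xyz.crt": b"-----BEGIN CERTIFICATE-----\nSERVER\n-----END CERTIFICATE-----\n",
}


def build_tarball(files, prefix=""):
    """Pack files into an in-memory tar. prefix="" gives the flat layout the
    controller accepts; prefix="xyz/" reproduces the 'tar of a directory'
    layout the thread reports as broken."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name=prefix + name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def count_pem_certs(data):
    """Number of certificate blocks in a PEM blob (chain depth of a .ca file)."""
    return data.count(b"-----BEGIN CERTIFICATE-----")


def check_trustpoint_tarball(tar_bytes, trustpoint):
    """Return a list of layout problems; an empty list means it looks loadable."""
    problems = []
    found = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tar:
        for member in tar.getmembers():
            # Any directory component means the archive was built from a folder.
            if member.isdir() or "/" in member.name:
                problems.append(f"not at archive root: {member.name}")
                continue
            base, _, ext = member.name.rpartition(".")
            if base != trustpoint:
                problems.append(f"basename {base!r} != trustpoint {trustpoint!r}: {member.name}")
            if ext not in REQUIRED_EXTENSIONS:
                problems.append(f"unexpected member: {member.name}")
                continue
            found[ext] = tar.extractfile(member).read()
    for ext in REQUIRED_EXTENSIONS:
        if ext not in found:
            problems.append(f"missing {trustpoint}.{ext}")
    if "ca" in found and count_pem_certs(found["ca"]) == 0:
        problems.append(f"{trustpoint}.ca contains no certificate block")
    return problems


def key_matches_cert(key_path, cert_path):
    """Compare the public key derived from the private key file with the public
    key embedded in the certificate, using the openssl CLI (assumed installed).
    Returns None when openssl is not on PATH. Needs real PEM files, not the
    placeholders above."""
    if shutil.which("openssl") is None:
        return None
    from_key = subprocess.run(["openssl", "pkey", "-in", key_path, "-pubout"],
                              capture_output=True, check=True).stdout
    from_cert = subprocess.run(["openssl", "x509", "-in", cert_path, "-noout", "-pubkey"],
                               capture_output=True, check=True).stdout
    return from_key.strip() == from_cert.strip()


if __name__ == "__main__":
    good = build_tarball(PLACEHOLDER_FILES)
    bad = build_tarball(PLACEHOLDER_FILES, prefix="xyz/")
    print("flat tarball:", check_trustpoint_tarball(good, "xyz") or "OK")
    print("directory tarball:", check_trustpoint_tarball(bad, "xyz"))
    print("chain depth of xyz.ca:", count_pem_certs(PLACEHOLDER_FILES["xyz.ca"]))
```

Run it against a real xyz.tar by reading the file into `check_trustpoint_tarball(open("xyz.tar", "rb").read(), "xyz")` before pushing it to the TFTP server; an empty result means the archive has the flat, consistently named layout the answer calls for, and `key_matches_cert("xyz.prv", "xyz.crt")` returning False points at the wrong private key rather than at the tarball.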

9 replies

Hi Folks,

Just wanted to mention that after an extensive troubleshooting session with the support from GTAC (many thanks) we finally figured out what was wrong.

After running crypto key import trustpoint <trustpoint_name> <path>, the custom trustpoint was visible from the controller perspective (Operations → Certificates); however, to distribute the trustpoint to Wing devices you must have a tarball file imported. This part was confusing because we were expecting that no further action is required since there was a trustpoint deployed.

In addition, the tarball file I attempted to upload was messed up because the .tar archive was created from a directory containing the three files [.prv, .ca, .crt].

The proper way to create a .tar file is by selecting all extracted files and creating a tar archive directly from them (make sure that the trustpoint name matches the file names - only the file extensions are different).

Once this was done, I was able to download / sync the trustpoint with the controller and remote AP.

To synchronize the trustpoint, make sure that the new trustpoint is configured on the specific profiles, otherwise it won't sync.

List of commands

  1. to import the tarball file

    file-sync load-file trustpoint xyz tftp://x.x.x.x/xyz.tar

  2. to check the download status

    vx9000-A9B6EC>show file-sync load-file-status
    Download of wifi4pl trustpoint is complete

  3. to synchronize the captive portal

    file-sync trustpoint <trustpoint name> rf-domain xyz

  4. to check the status

    show file-sync status
    show file-sync history


Hello All,

Since a few days, I’m facing issues with importing a new trustpoint to VX9000 running 7.6.0.0-024R.

Here is what I did:

  1. I have received a decrypted private key, the chained CA, and the SSL certificate (DigiCert).
  2. I have downloaded a .crl file that was referenced in the SSL certificate.
  3. I have created a .tar package containing all the above files with exactly the same filename (only the file extension is different).
  4. I attempted to upload the tarball to the controller as shown below:

    vx9000-A9B6EC#file-sync load-file trustpoint xyz tftp://10.40.3.66/xyz.tar
    --------------------------------------------------------------------------------
           CONTROLLER           STATUS                     MESSAGE
    --------------------------------------------------------------------------------
      vx9000-A9B6EC         Success         Successfully initiated load file
    --------------------------------------------------------------------------------
    vx9000-A9B6EC#show file-sync load-file-status
    Download of xyztrustpoint is complete
    vx9000-A9B6EC#

  5. I have changed the HTTPS Trustpoint under the AP Profile currently assigned to the AP I'm using.
  6. I have initiated the distribution of the trustpoint to the remote AP:

    vx9000-A9B6EC#file-sync trustpoint xyz rf-domain MGMT-RF
    --------------------------------------------------------------------------------
           CONTROLLER         STATUS                     MESSAGE
    --------------------------------------------------------------------------------
      00-50-56-A9-B6-EC     Success     Added 1 rf-domain managers for file sync
    --------------------------------------------------------------------------------
    vx9000-A9B6EC#show file-sync history | grep 2021-04-14
          ap360-75E08E        done  2021-04-14 23:00:45        0      vx9000-A9B6EC -
          ap360-75E08E        done  2021-04-14 23:00:45        0      vx9000-A9B6EC -
          ap360-75E08E        done  2021-04-14 23:00:45        0      vx9000-A9B6EC -
          ap360-75E08E      failed  2021-04-14 22:59:55        3      vx9000-A9B6EC Error in loading trustpoint
          ap360-75E08E        done  2021-04-14 23:00:45        0      vx9000-A9B6EC -
    vx9000-A9B6EC#

  7. I have verified whether the trustpoint has been successfully installed; unfortunately, it seems not:

    vx9000-A9B6EC#show crypto pki trustpoints all on ap360-75E08E

    Trustpoint Name: default-trustpoint        (self signed)
    -------------------------------------------------------------------------------
      CRL present: no
      Server Certificate details:
        Key used:
        Serial Number: 03d8
        Subject Name:
          /CN=AP360-20-9E-F7-75-E0-8E
        Issuer Name:
          /CN=AP360-20-9E-F7-75-E0-8E
        Valid From : Wed Jan  1 00:00:31 2020 UTC
        Valid Until: Sat Dec 29 00:00:31 2029 UTC

    vx9000-A9B6EC#

  8. I'm not sure what I'm doing wrong here, but I'm afraid the tarball I created contains a file which WING doesn't like :). While looking at the procedure below (page 3) I noticed that the CA chained certificate must have a specific hierarchy beginning with Intermediate CA 1, 2, Root CA.

    The decrypted CA chain I have looks like a single cert, meaning there is only one section (-----BEGIN CERTIFICATE----- & -----END CERTIFICATE-----). Not sure if this is the problem here...

    For testing purposes, I have imported the .ca file to my computer and I'm able to see the Root CA DigiCert and RapidSSL TLS DV RSA Mixed SHA256 2020 CA.

    https://extremenetworks2com.sharepoint.com/sites/kcs/Internal/Forms/AllItems.aspx?id=%2Fsites%2Fkcs%2FInternal%2F000036155%2FWING5%5FDistributed%5FTrustpoints%2Epdf&parent=%2Fsites%2Fkcs%2FInternal%2F000036155&p=true&originalPath=aHR0cHM6Ly9leHRyZW1lbmV0d29ya3MyY29tLnNoYXJlcG9pbnQuY29tLzpiOi9zL2tjcy9FWmRJbVNNWHVTeEluQUl1VEkteTRMSUI4ZXUyTnVFRTlpTEh5RWxaWjdZaTJBP3J0aW1lPWhKblh6cDMtMkVn

  9. I tried to import a new trustpoint from the GUI and I'm getting MEC2000E Major. Cannot Read: Cert ManagedAuthenticate CA Error. Further Details: Invalid CA certificate signature

Any thoughts are greatly appreciated.

 

Regards,

Patryk

Yes. I import the whole chain. Everything works fine until I get to importing the actual certificate.

The Root and Intermediates upload fine at first when creating the trust. When uploading the server cert I get a message saying that the private key doesn't match.

If I create the CSR from the controller itself, get the certs signed, and do the upload the same way, I get a message saying that the private key isn't found in the datastore, even though the system creates it itself...

If I do it from a Microsoft CA, the upload works correctly as expected. Just not sure what the catch is with doing it from 3rd party CAs.
Matt,

I managed to install a Comodo certificate without issues.

Let me know the case number and I'll take a look if not sorted yet.

Regards,
Ondrej
I did, and it's been over a week troubleshooting with engineers. So I thought I would check here if someone's actually been able to get this to work.
Matt, I suggest opening a case with GTAC so we can take a look. There might be something small missing.

Regards,
Ondrej
Quoting Ondrej: "Hello Matt, Can you make sure you import the whole chain? See this article on GTAC Knowledge Base < https://gtacknowledge.extremenetworks.com/pkb_mobile#article/l:en_US/kA134000000GxFJCA0/s > Regards, Ondrej"

Here's a non-mobile link to the same article :)
https://extremeportal.force.com/ExtrArticleDetail?n=000014936

Hello Matt,

Can you make sure you import the whole chain? See this article on the GTAC Knowledge Base: < https://gtacknowledge.extremenetworks.com/pkb_mobile#article/l:en_US/kA134000000GxFJCA0/s >

Regards,
Ondrej
