‎03-21-2018 10:01 PM
We are able to import from a local CA but no 3rd party certs will work.
‎04-17-2021 02:01 PM
Hi Folks,
Just wanted to mention that after an extensive troubleshooting session with support from GTAC (many thanks), we finally figured out what was wrong.
At the beginning I was unable to import a trustpoint until we ran crypto key import trustpoint <trustpoint_name> <path>. The custom trustpoint was visible from the controller perspective (Operations → Certificates); however, to distribute the trustpoint to Wing devices you must have a tarball file imported. This part was confusing because we were expecting that no further action was required since there was a trustpoint deployed.
In addition, the tarball file I attempted to upload was messed up because the .tar archive was created from a directory containing three files [.prv, .ca, .crt].
The proper way to create a .tar file is by selecting all extracted files and creating a tar archive directly from them (make sure that the trustpoint name matches the file names - only the file extensions are different).
Once this was done, I was able to download / sync trustpoint with controller and remote AP.
To synchronize the trustpoint, make sure that the new trustpoint is configured on the specific profiles, otherwise it won’t sync.
Useful links:
https://extremeportal.force.com/ExtrArticleDetail?an=000082369
https://extremeportal.force.com/ExtrArticleDetail?an=000082927
https://extremeportal.force.com/ExtrArticleDetail?an=000082442
https://extremeportal.force.com/ExtrArticleDetail?an=000059384
Below you can find the commands I ran to import the .tar file
- to import the tarball file
file-sync load-file trustpoint xyz tftp://x.x.x.x/xyz.tar
- to check the download status
vx9000-A9B6EC>show file-sync load-file-status
Download of xyz trustpoint is complete
- to synchronize the trustpoint with Wing devices
file-sync trustpoint <trustpoint name> rf-domain XXX
- to check the sync status
show file-sync status
show file-sync history
- to check if the trustpoint exists on AP/controller etc…
show crypto pki trustpoints
show crypto pki trustpoint on <AP/Controller/RF-Domain>
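A local pre-upload check for the archive layout described in the post above, added here as an example (it is not from the original poster, GTAC or Extreme). It assumes the tarball must hold exactly the three files at the archive root with the trustpoint name as base name; the function names and the constructed in-memory sample archives are hypothetical.

```python
import io
import os
import tarfile

REQUIRED_EXTS = {".prv", ".ca", ".crt"}  # extensions named in the post


def check_trustpoint_tar(fileobj, trustpoint):
    """Return a list of layout problems in a trustpoint tarball ([] = OK)."""
    problems, seen = [], set()
    with tarfile.open(fileobj=fileobj, mode="r:*") as tar:
        for m in tar.getmembers():
            stem, ext = os.path.splitext(m.name)
            if m.isdir():
                problems.append(f"{m.name}: directory entry, archive was built from a folder")
            elif "/" in m.name:
                problems.append(f"{m.name}: not at archive root")
            elif not m.isfile() or ext not in REQUIRED_EXTS:
                problems.append(f"{m.name}: unexpected member")
            elif stem != trustpoint:
                problems.append(f"{m.name}: base name differs from trustpoint '{trustpoint}'")
            else:
                seen.add(ext)
    for ext in sorted(REQUIRED_EXTS - seen):
        problems.append(f"{trustpoint}{ext}: missing")
    return problems


def build_tar(names):
    """Build an in-memory tar of constructed placeholder files (names ending in / are dirs)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for n in names:
            info = tarfile.TarInfo(n.rstrip("/"))
            data = b"" if n.endswith("/") else b"constructed placeholder\n"
            if n.endswith("/"):
                info.type = tarfile.DIRTYPE
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return buf


if __name__ == "__main__":
    flat = build_tar(["xyz.prv", "xyz.ca", "xyz.crt"])
    nested = build_tar(["xyz/", "xyz/xyz.prv", "xyz/xyz.ca", "xyz/xyz.crt"])
    print("flat:", check_trustpoint_tar(flat, "xyz"))
    print("nested:", check_trustpoint_tar(nested, "xyz"))
```

To check a real archive, pass `open("xyz.tar", "rb")` as `fileobj`. This only checks layout; it does not verify that the private key matches the certificate.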
‎03-22-2018 03:34 PM
The Root and Intermediates upload fine at first when creating the trust. When uploading the server cert I get a message saying that the private key doesn't match.
If I create the CSR from the controller itself, get the certs signed, and do the upload the same way, I get a message saying that the private key isn't found in the datastore, even though the system creates it itself...
If I do it from Microsoft CA, the upload works correctly as expected. Just not sure what the catch is with doing it from 3rd-party CAs.
‎03-22-2018 04:51 AM
https://extremeportal.force.com/ExtrArticleDetail?n=000014936
