
Wing Controller SSL Import


Matt_Compton
New Contributor
Has anyone had any success importing SSL certificate from GoDaddy or other 3rd Party into Wing Controller?

We are able to import from a local CA but no 3rd party certs will work.
1 ACCEPTED SOLUTION

PatrykZ
New Contributor II

Hi Folks,

Just wanted to mention that after an extensive troubleshooting session with the support from GTAC (many thanks) we finally figured out what was wrong.

At the beginning I was unable to import a trustpoint until we ran crypto key import trustpoint <trustpoint_name> <path>. The custom trustpoint was visible from the controller perspective (Operations → Certificates); however, to distribute the trustpoint to Wing devices you must have a tarball file imported. This part was confusing because we were expecting that no further action was required since there was a trustpoint deployed.

In addition, the tarball file I attempted to upload was messed up because the .tar archive was created from a directory containing three files [.prv, .ca, .crt].

The proper way to create a .tar file is by selecting all extracted files and creating a tar archive directly from them (make sure that the trustpoint name matches the file names - only file extensions are different).

Once this was done, I was able to download / sync trustpoint with controller and remote AP. 

To synchronize the trustpoint, make sure that the new trustpoint is configured on the specific profiles, otherwise it won’t sync.

 

Useful links:

https://extremeportal.force.com/ExtrArticleDetail?an=000082369

https://extremenetworks2com-my.sharepoint.com/personal/ayasin_extremenetworks_com/_layouts/15/onedri...

https://extremeportal.force.com/ExtrArticleDetail?an=000082927

https://extremeportal.force.com/ExtrArticleDetail?an=000082442

https://extremeportal.force.com/ExtrArticleDetail?an=000059384

 

Below you can find the commands I ran to import the .tar file

  1. to import the tarball file

    file-sync load-file trustpoint xyz tftp://x.x.x.x/xyz.tar
     
  2. to check the download status

    vx9000-A9B6EC>show file-sync load-file-status
    Download of xyz trustpoint is complete
     
  3. to synchronize the trustpoint with Wing devices
    file-sync trustpoint <trustpoint name> rf-domain XXX
     
  4. to check the sync status
    show file-sync status
    show file-sync history
     
  5. to check if the trustpoint exists on AP/controller etc…
    show crypto pki trustpoints
    show crypto pki trustpoint on <AP/Controller/RF-Domain>
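
A pre-upload check for the tarball layout described in the accepted solution above, which also counts the certificate sections in the .ca file that the original question asks about. This is an added example, not part of the original post and not Extreme tooling. The function names are hypothetical, treating .crl as an optional member is an assumption, and the sample archives are constructed in memory.

```python
import io
import tarfile
from pathlib import PurePosixPath

REQUIRED = {".prv", ".ca", ".crt"}  # extensions named in the post
OPTIONAL = {".crl"}                 # assumption: a CRL file may be bundled too


def check_trustpoint_tar(data: bytes, trustpoint: str) -> dict:
    """Report layout problems and the number of PEM certificates in the .ca file."""
    problems, seen, ca_certs = [], set(), 0
    with tarfile.open(fileobj=io.BytesIO(data)) as tar:
        for member in tar.getmembers():
            path = PurePosixPath(member.name)
            if not member.isfile():
                problems.append(f"not a regular file: {member.name}")
                continue
            # Archiving the folder instead of the files yields 'xyz/xyz.crt'.
            if len(path.parts) != 1:
                problems.append(f"not at archive root: {member.name}")
            if path.stem != trustpoint:
                problems.append(f"base name differs from trustpoint: {member.name}")
            if path.suffix not in REQUIRED | OPTIONAL:
                problems.append(f"unexpected extension: {member.name}")
            seen.add(path.suffix)
            if path.suffix == ".ca":
                pem = tar.extractfile(member).read()
                ca_certs = pem.count(b"-----BEGIN CERTIFICATE-----")
    problems += [f"missing {trustpoint}{ext}" for ext in sorted(REQUIRED - seen)]
    return {"problems": problems, "ca_certs": ca_certs}


def build_tar(files: dict) -> bytes:
    """Build an in-memory tar from {member_name: content} (constructed samples)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, content in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


if __name__ == "__main__":
    pem = b"-----BEGIN CERTIFICATE-----\nconstructed\n-----END CERTIFICATE-----\n"
    flat = build_tar({"xyz.prv": b"k", "xyz.ca": pem * 2, "xyz.crt": pem})
    nested = build_tar({"xyz/xyz.prv": b"k", "xyz/xyz.ca": pem, "xyz/xyz.crt": pem})
    print(check_trustpoint_tar(flat, "xyz"))    # flat layout, as in the fix
    print(check_trustpoint_tar(nested, "xyz"))  # folder archived by mistake
```

To check a real archive, pass the bytes of the .tar file and the trustpoint name used in the file-sync load-file command.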


9 REPLIES 9


PatrykZ
New Contributor II

Hi Folks,

Just wanted to mention that after an extensive troubleshooting session with the support from GTAC (many thanks) we finally figured out what was wrong.

After running crypto key import trustpoint <trustpoint_name> <path>, the custom trustpoint was visible from the controller perspective (Operations → Certificates); however, to distribute the trustpoint to Wing devices you must have a tarball file imported. This part was confusing because we were expecting that no further action was required since there was a trustpoint deployed.

In addition, the tarball file I attempted to upload was messed up because the .tar archive was created from a directory containing three files [.prv, .ca, .crt].

The proper way to create a .tar file is by selecting all extracted files and creating a tar archive directly from them (make sure that the trustpoint name matches the file names - only file extensions are different).

Once this was done I was able to download / sync trustpoint with controller and remote AP. 

To synchronize the trustpoint, make sure that the new trustpoint is configured on the specific profiles, otherwise it won’t sync.

 

 

List of commands

  1. to import the tarball file

    file-sync load-file trustpoint xyz tftp://x.x.x.x/xyz.tar
     
  2. to check the download status

    vx9000-A9B6EC>show file-sync load-file-status
    Download of wifi4pl trustpoint is complete
     
  3. to synchronize the captive portal
    file-sync trustpoint <trustpoint name> rf-domain xyz
     
  4. to check the status
    show file-sync status
    show file-sync history


 

 

PatrykZ
New Contributor II

Hello All,

For a few days, I’ve been facing issues with importing a new trustpoint to a VX9000 running 7.6.0.0-024R.

Here is what I did:

  1. I have received decrypted private key, chained CA, SSL certificate (DigiCert).
  2. I have downloaded a .crl file that was referenced in the SSL certificate.
  3. I have created .tar package containing all the above files with exactly the same filename (only the file extension is different)
  4. I attempted to upload the tarball to the controller as shown below

    vx9000-A9B6EC#file-sync load-file trustpoint xyz tftp://10.40.3.66/xyz.tar
    --------------------------------------------------------------------------------
           CONTROLLER           STATUS                     MESSAGE
    --------------------------------------------------------------------------------
      vx9000-A9B6EC         Success         Successfully initiated load file
    --------------------------------------------------------------------------------
    vx9000-A9B6EC#show file-sync load-file-status
    Download of xyztrustpoint is complete
    vx9000-A9B6EC# 
                                                                                                                                          
  5. I have changed the HTTPS Trustpoint under AP Profile currently assigned to the AP I’m using.
  6. I have initiated the distribution of the trustpoint to the remote AP

    vx9000-A9B6EC#file-sync trustpoint xyz rf-domain MGMT-RF
    --------------------------------------------------------------------------------
           CONTROLLER         STATUS                     MESSAGE
    --------------------------------------------------------------------------------
      00-50-56-A9-B6-EC     Success     Added 1 rf-domain managers for file sync
    --------------------------------------------------------------------------------
    vx9000-A9B6EC#show file-sync history | grep 2021-04-14
          ap360-75E08E        done  2021-04-14 23:00:45        0      vx9000-A9B6EC -
          ap360-75E08E        done  2021-04-14 23:00:45        0      vx9000-A9B6EC -
          ap360-75E08E        done  2021-04-14 23:00:45        0      vx9000-A9B6EC -
          ap360-75E08E      failed  2021-04-14 22:59:55        3      vx9000-A9B6EC Error in loading trustpoint
          ap360-75E08E        done  2021-04-14 23:00:45        0      vx9000-A9B6EC -
    vx9000-A9B6EC# 
                                                                                                                                    
  7. I have verified if the trustpoint has been successfully installed, unfortunately, it seems not                                 

    vx9000-A9B6EC#show crypto pki trustpoints all on ap360-75E08E

    Trustpoint Name: default-trustpoint        (self signed)
    -------------------------------------------------------------------------------
      CRL present: no
      Server Certificate details:
        Key used:
        Serial Number: 03d8
        Subject Name:
          /CN=AP360-20-9E-F7-75-E0-8E
        Issuer Name:
          /CN=AP360-20-9E-F7-75-E0-8E
        Valid From : Wed Jan  1 00:00:31 2020 UTC
        Valid Until: Sat Dec 29 00:00:31 2029 UTC


    vx9000-A9B6EC#

  8. I’m not sure what I’m doing wrong here but I’m afraid the tarball I created contains a file which WING doesn’t like :). While looking at below procedure (page 3) I noticed that CA chained certificate must have a specific hierarchy beginning with Intermediate CA 1, 2, Root CA.

     The decrypted CA chained I have looks like a single cert meaning there is only one section (-----BEGIN CERTIFICATE----- & -----END CERTIFICATE-----). Not sure if this is the problem here...

     For testing purpose, I have imported the .ca file to my computer and I’m able to see Root CA DigiCert and RapidSSL TLS DV RSA Mixed SHA256 2020 CA-

     https://extremenetworks2com.sharepoint.com/sites/kcs/Internal/Forms/AllItems.aspx?id=%2Fsites%2Fkcs%...

  9. I tried to import a new trustpoint from GUI and I’m getting MEC2000E Major. Cannot Read: Cert ManagedAuthenticate CA Error. Further Details: Invalid CA certificate signature

Any thoughts are greatly appreciated.

 

Regards,

Patryk

Ondrej_Lepa
Extreme Employee
Matt,

I managed to install Comodo certificate without issues




Let me know the case number and I'll take a look if not sorted yet.

Regards,
Ondrej