
Wing Controller SSL Import

Matt_Compton
New Contributor
Has anyone had any success importing SSL certificate from GoDaddy or other 3rd Party into Wing Controller?

We are able to import from a local CA but no 3rd party certs will work.
1 ACCEPTED SOLUTION

PatrykZ
New Contributor II

Hi Folks,

Just wanted to mention that after an extensive troubleshooting session with support from GTAC (many thanks) we finally figured out what was wrong.

At the beginning I was unable to import a trustpoint until we ran crypto key import trustpoint <trustpoint_name> <path>, the custom trustpoint was visible from the controller perspective (Operations → Certificates), however, to distribute the trustpoint to Wing devices you must have a tarball file imported. This part was confusing because we were expecting that no further action is required since there was a trustpoint deployed.

In addition, the tarball file I attempted to upload was messed up because the .tar archive was created from a directory containing three files [.prv, .ca, .crt].

The proper way to create a .tar file is by selecting all extracted files and creating a tar archive directly from them (make sure that the trustpoint name matches the file names - only the file extensions are different).

Once this was done, I was able to download / sync trustpoint with controller and remote AP. 

To synchronize the trustpoint, make sure that the new trustpoint is configured on the specific profiles, otherwise it won’t sync.

 

Useful links:

https://extremeportal.force.com/ExtrArticleDetail?an=000082369

https://extremenetworks2com-my.sharepoint.com/personal/ayasin_extremenetworks_com/_layouts/15/onedri...

https://extremeportal.force.com/ExtrArticleDetail?an=000082927

https://extremeportal.force.com/ExtrArticleDetail?an=000082442

https://extremeportal.force.com/ExtrArticleDetail?an=000059384

 

Below you can find the commands I ran to import the .tar file

  1. to import the tarball file

    file-sync load-file trustpoint xyz tftp://x.x.x.x/xyz.tar
     
  2. to check the download status

    vx9000-A9B6EC>show file-sync load-file-status
    Download of xyz trustpoint is complete
     
  3. to synchronize the trustpoint with Wing devices
    file-sync trustpoint <trustpoint name> rf-domain XXX
     
  4. to check the sync status
    show file-sync status
    show file-sync history
     
  5. to check if the trustpoint exists on AP/controller etc…
    show crypto pki trustpoints
    show crypto pki trustpoint on <AP/Controller/RF-Domain>

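The tarball layout described in the accepted solution, as an added example that is not part of the original post or of any Extreme tooling: it builds the archive from the three files directly and checks the member list on the workstation before the file is offered over TFTP. The function names are hypothetical, `xyz` is the trustpoint name used in the post, and the check assumes the archive must contain exactly `<name>.prv`, `<name>.ca` and `<name>.crt` at its root.

```shell
#!/bin/sh
# Added example: build and verify a trustpoint tarball before loading it.
# Assumption: the archive holds <name>.prv, <name>.ca, <name>.crt at its root.

# Create the archive from the three files inside $1, without a parent folder.
build_trustpoint_tar() {
    src_dir=$1; name=$2; out=$3
    # -C enters the directory first, so members are stored as bare file names
    tar -cf "$out" -C "$src_dir" "$name.prv" "$name.ca" "$name.crt"
}

# Return 0 only if all three files are present as top-level members and
# nothing else is in the archive (names without whitespace are assumed).
check_trustpoint_tar() {
    archive=$1; name=$2; found=0
    members=$(tar -tf "$archive") || return 2
    for m in $(printf '%s\n' "$members" | sort -u); do
        case $m in
            "$name.prv"|"$name.ca"|"$name.crt") found=$((found + 1)) ;;
            */*) echo "nested entry: $m" >&2; return 1 ;;
            *)   echo "unexpected entry: $m" >&2; return 1 ;;
        esac
    done
    [ "$found" -eq 3 ] || { echo "expected 3 files, found $found" >&2; return 1; }
}

# Demo on constructed, empty placeholder files (not real key material).
demo_dir=$(mktemp -d)
mkdir "$demo_dir/xyz"
for ext in prv ca crt; do : > "$demo_dir/xyz/xyz.$ext"; done
# Layout that failed in the post: archiving the directory itself
tar -cf "$demo_dir/bad.tar" -C "$demo_dir" xyz
# Flat layout: the three files archived directly
build_trustpoint_tar "$demo_dir/xyz" xyz "$demo_dir/xyz.tar"
check_trustpoint_tar "$demo_dir/bad.tar" xyz 2>/dev/null || echo "bad.tar: rejected"
check_trustpoint_tar "$demo_dir/xyz.tar" xyz && echo "xyz.tar: layout ok"
```

Because the `.prv` member is the private key, keep the working directory and the TFTP root restricted and delete the tarball once the controller reports the download as complete.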


Matt_Compton
New Contributor
I did and it's been over a week troubleshooting with engineers. So I thought I would check here if someone's actually been able to get this to work.

Ondrej_Lepa
Extreme Employee
Matt, I suggest opening a case with GTAC so we can take a look. There might be something small missing. Regards, Ondrej

Matt_Compton
New Contributor
Yes. I import the whole chain. Everything works fine until I get to importing the actual certificate.

The Root, Intermediates upload fine at first when creating the trust. When uploading the server cert I get a message saying that the private key doesn't match.

If I create the CSR from the controller itself, and get the certs signed, do the upload the same way, I get a message saying that the private key isn't found in the datastore, even though the system creates it itself...

If I do it from Microsoft CA, the upload works correctly as expected. Just not sure what the catch is with doing it from 3rd party CAs.

Drew_C
Valued Contributor III
Here's a non-mobile link to the same article 🙂
https://extremeportal.force.com/ExtrArticleDetail?n=000014936

Ondrej_Lepa
Extreme Employee
Hello Matt, Can you make sure you import the whole chain? See this article on GTAC Knowledge Base < https://gtacknowledge.extremenetworks.com/pkb_mobile#article/l:en_US/kA134000000GxFJCA0/s > Regards, Ondrej