How to apply wildcard certificates to Extreme Cloud Appliance (XCA)

Objective
To be able to install wildcard certificates on the Extreme Cloud Appliance using firmware versions 04.36.03.0006 and newer.
Environment
Extreme Cloud Appliance
Procedure
1. Log in to the Extreme Cloud Appliance GUI using an account that has full administrative (read-write) privileges.
2. Go to Administration > System > Interfaces
3. Select the interface for which the certificate should be installed, then select "Certificates". In this example the certificate is for the controller's physical interface that has management enabled (“interface physical 1”).

  • If the certificate and key are already in a single file, select “Replace/Install selected Topology's certificate and key from a single file”. Otherwise select “Replace/Install selected Topology's certificate and key from separate files”.
  • To upload a CA certificate chain file provided by the certificate vendor (example: gd_bundle.crt) to the appliance, use the “Browse” button; the standard “File” dialog box will appear. Note that you can also upload the CA certificate chain when the server certificate and private key are in the same file.
  • When all the certificate and key related fields are filled in, click the “Save” button at the bottom of the form. It may take a while to process the submission because several files have to be uploaded to the appliance.
  • If the server certificate is used to secure one of the controller's internal captive portals, one more step is required to ensure that end users do not experience certificate warnings. The server portion of a URL must match either the Subject Alternative Name or Common Name fields in the certificate securing the web site. This rule applies to the URL that the controller sends to users' browsers to redirect them to its captive portal. You configure that redirection URL in the settings for the networks for which you use this topology.
  • If you want or need to use the FQDN for your certificate in your configuration, you must populate the "FQDN" field for the interface/topology to which you have applied your certificate and which you are using for the network in question. The value must match the Common Name or Subject Alternative Name in the certificate that secures the captive portal's interface. If the certificate is a wildcard certificate, the name entered in the “FQDN” field must be one that matches the pattern in the Common Name field. It must not be the actual wildcard common name (example: *.mydomainname.com). The Common Name in the certificate securing the website could be either:
    • *.mydomainname.com (wildcard)
    • portal.mydomainname.com (non-wildcard).

When building the network that will use the certificate and FQDN you have defined above, enable "Use FQDN for connection" in your network configuration.
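
The FQDN rule above can be checked before a value is typed into the "FQDN" field. The following is an added example, not Extreme Networks code: the function names are hypothetical, the host names are constructed samples based on the article's mydomainname.com, and it goes beyond the article by also applying the general certificate rule that a wildcard covers exactly one DNS label.

```python
# Added example: pre-check a candidate "FQDN" field value against the names
# in the certificate (Common Name and any Subject Alternative Names).
# Function names are hypothetical; sample names are constructed.

def _labels(name):
    # DNS names compare case-insensitively; ignore a trailing root dot.
    return name.rstrip(".").lower().split(".")

def name_matches(pattern, fqdn):
    """True if fqdn matches one certificate name (CN or SAN DNS name)."""
    p, f = _labels(pattern), _labels(fqdn)
    if len(p) != len(f) or not all(f):
        return False              # wildcard never spans zero or several labels
    if any("*" in label for label in p[1:]):
        return False              # '*' is only honoured as the leftmost label
    if p[0] == "*":
        return p[1:] == f[1:]     # '*' stands for exactly one label
    return p == f

def check_portal_fqdn(fqdn, common_name, sans=()):
    """Return (ok, reason) for a value intended for the "FQDN" field."""
    if "*" in fqdn:
        return False, "FQDN must be a concrete host name, not the wildcard name"
    for name in [*sans, common_name]:
        if name_matches(name, fqdn):
            return True, "matches certificate name " + name
    return False, "no Subject Alternative Name or Common Name matches"

if __name__ == "__main__":
    wildcard_cn = "*.mydomainname.com"          # constructed sample
    for candidate in ("portal.mydomainname.com",
                      "*.mydomainname.com",
                      "guest.portal.mydomainname.com",
                      "mydomainname.com"):
        ok, reason = check_portal_fqdn(candidate, wildcard_cn)
        print(f"{candidate:32} {'OK ' if ok else 'BAD'} {reason}")
```
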

Additional notes
NOTE: When downloading the certificate from your CA, choose the "Apache" certificate type.