How to prepare .tar archive in order to import trustpoint digital certificate to WiNG devices?

Objective
To build a package that is easy to import to any WiNG device, follow this process and create a .tar archive with the necessary files.
Environment
  • All Summit WM3000 Series Controllers
  • ExtremeWiNG Controllers
  • WirelessWiNG Controllers
  • ExtremeWiNG Access Points
  • WirelessWiNG Access Points
  • WiNG 5 Software
  • CSR based certificate with valid private key
  • PKI
Procedure

First, create a CSR for the WiNG device

In the GUI, navigate to Operations -> Certificates -> pick a device from the System tree (preferably the adopting controller) -> Create CSR


You can either use an existing RSA key or create a new one. You may also fill in the required CSR details or keep them auto-generated.
Click Generate CSR in the bottom right corner.

Once the CSR is generated, you'll see the following export. Copy ALL visible text.

User-added image

The same can be done using the CLI, generating a new RSA key and adding as many details as possible:
 
VX# crypto pki export request generate-rsa-key <New RSA key name> subject-name <Subject Name> <Country> <State> <City> <Organization> <Organization Unit> ip-address <IP> fqdn <FQDN> tftp://user:pass@<IP>/trustpoint.csr

Or using an already present RSA key and auto-generated details:
VX# crypto pki export request use-rsa-key <Old RSA key name> autogen-subject-name tftp://user:pass@<IP>/trustpoint.csr

Once this is done, contact your digital certificate provider to process the request.
The output should be a proper digital certificate conforming to X.509.
 

Second, export the (generated) RSA key and convert it into nokey output

In the GUI, navigate to Operations -> Certificates -> pick the same device as above -> RSA keys
Select the RSA key used for your CSR and click Export in the bottom right corner.
The system will ask for a key name and a passphrase, which will be used to encrypt the key.
Choose any (remember it) and export the .prv to your T/FTP server.


The same can be done from the CLI:
 
VX# crypto key export rsa <RSA key name> tftp://user:pass@<IP>/trustpoint.prv passphrase <passphrase>

Once the key is exported, you'll need the OpenSSL binaries to convert it into the nokey form (with the passphrase removed):
 
C:\OpenSSL-Win32\bin> openssl.exe rsa -in C:\trustpoint.prv -out C:\trustpoint-nokey.prv
WARNING: can't open config file: /usr/local/ssl/openssl.cnf
Enter pass phrase for C:\Users\Viacheslav\Desktop\onboardradius.prv: <passphrase>
writing RSA key

The output will look similar to the .csr.
 

The third step is to prepare the signed certificate and the ROOT certificate

Once your certificate provider shares the signed certificate, make sure all nodes of the PKI chain of trust (Intermediate CA, Root CA) are included.
It should look similar to the image below.

User-added image

Export every single certificate chain node as shown in the picture below.

User-added image

Prepare the certificates the same way as described in the article How to import digital certificate to WiNG controller.
Because the export is Base64, you can freely change the certificate file extensions, so you will have trustpoint.crt (provided by the PKI provider), trustpoint.ca (same structure as used for Import CA in the mentioned article) and trustpoint-nokey.prv (rename it to trustpoint.prv).

It is very important that all files have the same name (only the extension differs). Copy them to the same folder and use IZarc to create a .tar file with the values below.

User-added image

Once the .tar archive is done, follow article How to synchronize custom trustpoint across WiNG deployment? in order to distribute the file across adopted devices.
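
As an added example (not part of the original article and not vendor tooling), the Python script below checks the three files before packaging and writes the .tar without IZarc. The function names, the flat archive layout and the uncompressed tar format are assumptions, because the archiver settings from the article's screenshot are not reproduced on this page.

```python
import io, os, re, tarfile

# Extension -> PEM label expected in that file (extensions are the ones the article names).
EXPECTED = {".crt": "CERTIFICATE", ".ca": "CERTIFICATE", ".prv": "PRIVATE KEY"}
PEM_BEGIN = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----")

def check_pem(ext, text):
    """Return a list of problems found in one Base64 (PEM) file."""
    labels = PEM_BEGIN.findall(text)
    if not labels:
        return [f"{ext}: no PEM BEGIN line, file is not Base64 text"]
    problems = []
    for label in labels:
        # Catches e.g. a CSR ("CERTIFICATE REQUEST") saved under the .crt name.
        if not label.endswith(EXPECTED[ext]):
            problems.append(f"{ext}: unexpected PEM block '{label}'")
    encrypted = "ENCRYPTED" in " ".join(labels) or "Proc-Type: 4,ENCRYPTED" in text
    if ext == ".prv" and encrypted:
        problems.append(".prv: key is still passphrase-protected, run the openssl rsa step")
    return problems

def build_trustpoint_tar(folder, name, out_path):
    """Validate <name>.crt/.ca/.prv in folder and write them to a .tar archive."""
    problems, blobs = [], {}
    for ext in EXPECTED:
        path = os.path.join(folder, name + ext)
        if not os.path.isfile(path):
            problems.append(f"{ext}: missing {name + ext}")
            continue
        with open(path, "rb") as fh:
            blobs[ext] = fh.read()
        problems += check_pem(ext, blobs[ext].decode("ascii", "replace"))
    if problems:
        raise ValueError("; ".join(problems))
    # Assumption: members stored with bare file names (no folders), no compression.
    with tarfile.open(out_path, "w") as tar:
        for ext, data in blobs.items():
            info = tarfile.TarInfo(name + ext)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    os.chmod(out_path, 0o600)  # the archive contains an unencrypted private key
    return [name + ext for ext in blobs]

if __name__ == "__main__":
    print(build_trustpoint_tar(".", "trustpoint", "trustpoint.tar"))
```

The script only checks file naming and PEM block types; it does not verify that the private key belongs to the certificate.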