Sun, Jul 18, 2021 5:33 PM

Problem importing custom certificate (EC signature format)

I strongly suspect that Ruckus can't handle private keys in EC format (unlike RSA). My problem is as follows:

I am attempting to install a new custom certificate from Let's Encrypt created by the acme plug-in on pfsense. The certificate creation process executes without a hitch and I have valid files: <fqdn>.{crt, key, fullchain, ca, all.pem}. The certificate is using EC, which LE is now generating in production, and most of my servers can use them without issues.

However, when I try to import the crt and key using the Unleashed interface, the error that is returned states that the private key does not match the certificate: "The imported private key still does not match your imported certificate. The imported certificate and private key will be discarded. Please import certificate file again."

I have also imported the <fqdn>.ca file as additional trusted CAs in the Advanced tab.

The key file has the following format:

-----BEGIN EC PARAMETERS-----
B<altered data>==
-----END EC PARAMETERS-----
-----BEGIN EC PRIVATE KEY-----
MIG<altered data>=
-----END EC PRIVATE KEY-----

The key file passes an openssl check as follows (altered data):

openssl ec -in <fqdn>.key -check
read EC key
EC Key valid.
writing EC key
-----BEGIN EC PRIVATE KEY-----
M<ALTERED DATA>=
-----END EC PRIVATE KEY-----

The cert (<fqdn>.crt) passes an openssl check with 'Signature Algorithm: ecdsa-with-SHA384'.

As an aside, I have tried both manually importing the certificates through the Unleashed GUI as well as the cool script referenced here (pfsense -> acme -> unleashed): https://github.com/ms264556/Hackery/blob/master/pages/PfSenseLetsEncryptToRuckus.md
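As an added example (not from the poster, Ruckus, or the linked script), the following checks two things worth ruling out before blaming the appliance: that the key really pairs with the certificate (by comparing the public key each one carries), and whether the leading EC PARAMETERS block in the acme-generated key file is what the importer trips over, by re-encoding the same key as a plain PKCS#8 "PRIVATE KEY" PEM that omits it. The function names and demo file names are my own; it assumes only the openssl CLI on PATH.

```shell
#!/bin/sh
# Added example, not the original poster's code. Assumes openssl is on PATH.

# key_matches_cert KEY CERT: prints "match" or "mismatch"; returns 0 on match.
# Both commands emit the SubjectPublicKeyInfo as PEM, so identical text means
# the private key and the certificate belong to the same key pair.
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    crt_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)
    if [ -n "$key_pub" ] && [ "$key_pub" = "$crt_pub" ]; then
        echo match
        return 0
    fi
    echo mismatch
    return 1
}

# to_pkcs8 IN OUT: rewrite an "EC PRIVATE KEY" PEM (with or without the
# EC PARAMETERS block in front of it) as an unencrypted PKCS#8 PEM whose
# only block is "BEGIN PRIVATE KEY". The key material is unchanged.
to_pkcs8() {
    openssl pkey -in "$1" -out "$2"
}

# make_demo: constructed throwaway material so the check can be exercised
# offline: a P-384 key in the same layout as the poster's file (EC PARAMETERS
# block followed by EC PRIVATE KEY), a self-signed cert for it, and an
# unrelated key. Prints the temp directory that holds them.
make_demo() {
    dir=$(mktemp -d)
    openssl ecparam -name secp384r1 -genkey -param_enc named_curve \
        -out "$dir/demo.key" 2>/dev/null
    openssl req -new -x509 -key "$dir/demo.key" -days 1 \
        -subj "/CN=demo.example" -out "$dir/demo.crt" 2>/dev/null
    openssl ecparam -name secp384r1 -genkey -noout \
        -out "$dir/other.key" 2>/dev/null
    echo "$dir"
}

# Usage: sh check_ec_key.sh <fqdn>.key <fqdn>.crt
# With no arguments nothing runs, so the file can also be sourced.
if [ "$#" -eq 2 ]; then
    key_matches_cert "$1" "$2"
    to_pkcs8 "$1" "${1%.key}.pkcs8.key" && echo "wrote ${1%.key}.pkcs8.key"
fi
```

If the original key reports "match" but the appliance still rejects it, retry the import with the PKCS#8 file; if it reports "mismatch", the files themselves are the problem, not the importer.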

Responses

Official Rep


15 d ago

Hi Bhusan,

Try the article below and follow it as is on Unleashed.

The KBA is intended for the ZD product, but the process is similar on Unleashed.

https://support.ruckuswireless.com/articles/000001561

If you are still having issues, try to convert your cert chain to .cer with base-64 encoding and then upload the chain with the key.
