B

15 Messages

 • 

238 Points

Sun, Jul 18, 2021 5:33 PM

Problem importing custom certificate (EC signature format)

I strongly suspect that Ruckus can't handle private keys in EC format (unlike RSA). My problem is as follows:

I am attempting to install a new custom certificate from Let's Encrypt created by the acme plug-in on pfsense. The certificate create process executes without a hitch and I have valid files: <fqdn>.{crt, key, fullchain, ca, all.pem}. The certificate is using  EC which LE is now generating in production and most of my servers can use them without issues.

However, when I try to import the crt and key using the Unleashed interface, the error that is returned states that the private key does not match the certificate : "The imported private key still does not match your imported certificate. The imported certificate and private key will be discarded. Please import certificate file again."

I have also imported the <fqdn>.ca file as additional trusted CAs in the Advanced tab.

The key file has the following format:

-----BEGIN EC PARAMETERS-----
B<altered data>==
-----END EC PARAMETERS-----
-----BEGIN EC PRIVATE KEY-----
MIG<altered data>=
-----END EC PRIVATE KEY-----

The key file passes an openssl check as follows (altered data):

openssl ec -in  <fqdn>.key -check        
read EC key
EC Key valid.
writing EC key
-----BEGIN EC PRIVATE KEY-----
M<ALTERED DATA>=
-----END EC PRIVATE KEY-----

The cert (<fqdn>.crt) passes an openssl check with the 'Signature Algorithm: ecdsa-with-SHA384'

As an aside, I have tried both manually importing the certificates through the Unleashed GUI as well as the cool script referenced here (pfsense -> acme -> unleashed): https://github.com/ms264556/Hackery/blob/master/pages/PfSenseLetsEncryptToRuckus.md

Official Rep

 • 

1.2K Messages

 • 

17K Points

3 m ago

Hi Bhusan,

Try below article and follow as it is on Unleashed.

KBA is indented for ZD product but process is similar on Unleashed.

https://support.ruckuswireless.com/articles/000001561

If you are still having issues, try to convert your cert chain to .cer with base-64 encoding and then upload the chain with key.

15 Messages

 • 

238 Points

@syamantak_omer 

Don't have the correct level of support account to see that KB article. Hence my post...

Official Rep

 • 

1.2K Messages

 • 

17K Points

@bhusan_gupta 

To accomplish the Wild-Card Installation on Zone-Director

1. Make sure you have certificate(s) in ".cer" format with "base-64" encoding and also make sure that you have complete chain of certificates (Wildcard >> intermediate >> root) along with private key in ".key" format.

Note: If you have certificate in ".pfx" format, please use OpenSSL or any other third party application to extract the certificate and key from ".pfx" to ".cer" and ".key" formats.

2. Once you have all above contains ready, Import the wildcard cert into the ZD.

For 9.x firmwares: go to ZD Web GUI >> Configure >> Certificate >> Import Signed Certificate
For 10.1.x firmwares: go to ZD Web GUI >> Administer >> Certificate >> Import Signed Certificate

3. The ZD will prompt for the private key as the ZD will sense that the certs private key and the private key the  ZD has are different. 
 
4. Once the private key is imported the ZD will prompt for the cert again as it will sense that the cert it has and the private key it has doesn't match 
 
5. Once import the cert again, this time the cert's private key and the private key which the ZD has are same so ZD imports the cert, but figures out that the cert is wildcard so prompts for the hostname.

6. Choose the hostname and make sure you create an entry on your DNS for ZD's IP address with new FQDN created for ZD.
 
7. Now continue installing intermediate and then root certificate.

8. Once chain is completed, select restart ZD, ZD will come up this time with certificate installed on it.
 
At this point the ZD will use that cert for all further SSL connections and the web auth and guest pass redirects will use the FQDN in the URL.

Regards,

Syamantak Omer

Official Rep | Staff TSE | CWNA | CCNA | RASZA | RICXI

Follow me on Linkedin

15 Messages

 • 

238 Points

@syamantak_omer 

Thanks for the instructions. I have followed the steps above but still have the same issue (not able to import). My certificates are in Base-64 format (I pasted snippets of them in my original message). While the file extension is .crt for the certificate, the contents are the same as a Base-64 cer file. I have tried to import the cert (not wildcard but FQDN) and then the key only to have the process halt between step 3 & 4. The difference is that I am using a EC (elliptic curve) key system and not a RSA. I can run the following command on the crt and openssl returns the correct information:

openssl x509 -in <fqdn>.crt -text -noout

Official Rep

 • 

1.2K Messages

 • 

17K Points

ECDSA key and certificate is supported on our SmartZone platform with 5.2.2 version and above.

What is the Unleashed firmware on your setup?

I am not sure if we support it on Unleashed, could you try to upgrade latest (200.10) and see if that works?

Regards,

Syamantak Omer

Official Rep | Staff TSE | CWNA | CCNA | RASZA | RICXI

Follow me on Linkedin

15 Messages

 • 

238 Points

@syamantak_omer 

I should have mentioned that I am running Unleashed 200.10.10.5.229 on my R750(s). So I suspect that Unleashed might be lagging a bit from SZ in terms of certificate support?

Important Announcement