How do I get the ZoneDirector CA certificate ?

  • 2
  • Question
  • Updated 5 months ago
  • Answered
  • (Edited)
Hello, when connecting to ZoneDirector via web browser, I get the 'untrusted site' error. How do I download the ZoneDirector root CA certificate so I can install in my 'trusted root cert' folder to prevent these warnings ?
I don't need to purchase a commercial cert just for admin access to ZoneDirector.
Photo of philip francis

philip francis

  • 3 Posts
  • 0 Reply Likes

Posted 5 months ago

  • 2
Photo of Michael Brado

Michael Brado, Official Rep

  • 1889 Posts
  • 269 Reply Likes
Hello Philip,

    Because Ruckus is not an official Certificate Authority (CA), our ZD root cert is therefore
"untrusted" in that you will receive an SSL warning when you open a browser interface.  You
would need to purchase a 3rd party CA certificate and install it on the ZoneDirector to avoid
these warning prompts.  Most customers, simply agree to create an exception, and continue.

    You don't need a support contract to view our Product documentation.  Here is a link to ZD
9.13 User Guide, where 'Working with SSL Certificates' begins on page 447.
https://support.ruckuswireless.com/documents/1106-zonedirector-9-13-ga-user-guide

Working with SSL Certificates
SSL certificates enable device or user identification, as well as secure communications.
ZoneDirector captive portal services and the web UI use an SSL certificate
when establishing HTTPS connections.
The default SSL certificate that is installed on the ZoneDirector is self-signed and
therefore not trusted by any web browser. This is the reason why the SSL security
warnings appear when establishing an HTTPS connection to the ZoneDirector.
To eliminate the security warnings, administrators may purchase a trusted SSL
certificate from a public Certificate Authority (CA) such as VeriSign and install it on
the ZoneDirector.

Basic Certificate Installation
The certificate installation process is as follows:
• Generate a Certificate Signing Request (CSR) with the required requester
information.
• Submit the CSR to a public CA for signing.
• Receive a signed certificate from the CA.
• Import the signed certificate into ZoneDirector.

Generating a Certificate Signing Request
If you do not have an existing SSL certificate, you will need to create a certificate
signing request (CSR) file and send it to a certificate authority (CA) to purchase an
SSL certificate. The ZoneDirector web interface provides a form that you can use
to create the CSR file. Fields with an asterisk (*) are required entries. Those without
an asterisk are optional.

The Configure > Certificate form allows you to perform the following actions:
• Generate a certificate signing request.
• Import a signed certificate.
• View the currently installed certificate.
• Advanced Options link displays additional options
• Restore the default private key and certificate.
• Backup private key and certificate.
• Generate a new private key.

To create a certificate request file (CSR):
1 Go to Configure > Certificate.
2 In the Generate a Request section, complete the following options:
• Common Name*: Enter ZoneDirector’s Fully Qualified Domain Name (FQDN).
Typically, this will be “zonedirector.[your company].com”. You can
also enter ZoneDirector’s IP address (e.g., “192.168.0.2”), or a familiar
name by which the ZoneDirector will be accessed in your browser (e.g., by
device name such as “ZoneDirector”).

NOTE: Ruckus Wireless recommends using the FQDN as the Common Name if
possible. If your network does not have a DNS server, you may use ZoneDirector’s
IP address instead. However, note that some CA’s may not allow this.
Photo of philip francis

philip francis

  • 3 Posts
  • 0 Reply Likes
Hello Michael. Thank you. I realise the reason is because the ZD root cert is untrusted. 
What I am asking is why can you not provide the ZD root cert to users so we can install in our 'trusted root folders'. Then our browsers will trust the ZD cert inherently without having to agree to 'make an exception' when the browser prompts about  the untrusted cert.