Important Notice: Ruckus AP Device Certificate Refresh - Check/Update APs before Nov 27, 2016

  • 1
  • Announcement
  • Updated 5 months ago
Important Notice:  AP Device Certificate Refresh

Original Ruckus AP device certificates are due to expire on Nov 27, 2016.  Most APs manufactured
in the last two years have new AP certificates installed in addition to the original certificates, but those
which do not, will experience problems communicating with SmartZone controllers.

Latest SmartZone controller code easily identifies APs needing certificate refresh, and a simple process
to send request files to Ruckus and receive/install response files to update the AP certficates is available.

This is a preliminary warning before the original certificate expiration date, to encourage all AP customers
to review the Frequently Asked Questions, and AP Certificate Refresh Flowchart that outlines affected AP
model/serial numbers, impact on SZ, ZD, and Solo APs, and information regarding certificate refresh so
you can avoid them.

KBA-5390: FAQ - Ruckus AP Device Certificate Refresh
https://support.ruckuswireless.com/answers/000005390

KBA-6099: Ruckus AP Certificate Refresh Flowchart
https://support.ruckuswireless.com/answers/000006099
Photo of Michael Brado

Michael Brado, Official Rep

  • 2049 Posts
  • 286 Reply Likes

Posted 11 months ago

  • 1
Photo of Max O'Driscoll

Max O'Driscoll, AlphaDog

  • 325 Posts
  • 80 Reply Likes
Michael: That got my attention!

Appears it is only Smart Zone that is affected (unless you are going to publish more KBs).
The mention of ZD 9.13 is only in reference to it's ability to notify that APs require a new certificate.

So those of us (ye olde legacy types on ZD hardware controllers) seem unaffected - I am right in this or did I miss something?
Photo of Michael Brado

Michael Brado, Official Rep

  • 2048 Posts
  • 285 Reply Likes
Yes, latest ZD 9.13.x will identify APs needing new certificates, but AP/ZD communication is not affected.
However, many current ZD customers might be planning migration to SmartZone.
Similarly for Solo APs, browsers will still present a certificate warning, that you can allow/add exception to continue.
(Edited)
Photo of JSo

JSo

  • 2 Posts
  • 1 Reply Like
This certificate refresh seems to be problematic for customers, who are running VSZ-H with both new and legacy APs (eg. 7363) set to different AP zones running different firmware versions. Apparently one solution is to disable certificate check, but how does this affect security of the system?
Photo of Lex Jonkers

Lex Jonkers

  • 1 Post
  • 0 Reply Likes
According to the flowchart for ZoneDirectors there is no impact, but cert refresh is recommended in case of future migrations.

However how does one refresh when using zd1100's as 9.13 isn't available for them and the options used in the refresh procedure in the faq are not present in 9.10.1?

Is it possible or are zd1100 users out of luck since they are EOL?
And if so guess the procedure on migration would be: Disable cert check in smartzone cli, connect AP's, update cert, enable cert check again?
Photo of Dimitri Stakov

Dimitri Stakov

  • 22 Posts
  • 1 Reply Like
Hi,

Good day,

I perform the steps that Ruckus recommends but I do not update the certificates of AP R300 and T300.



When you perform the steps you recommend to replace the certificate, the same message still appears and there is no update of this certificate: "Reminder: Some of your APs need to have their Certificate replaced by November 2016. Until then those APs will continue to operate as -is with NO OPERATIONAL impact. You may go to Administration> AP Certificate Replacement and follow the Refresh Process any time before November 2016. Please visit https://support.ruckuswireless.com/certificate for details. "

Thanks