| Question | Can we store certificates on a USB flash drive for RAP provisioning? |
| Environment | This article applies to all controller models and Remote APs. The minimum OS version running on the controller should be 18.104.22.168. |
Yes. AOS version 22.214.171.124 and above support storing RAP certificates on USB flash drives. With this feature, the RAP certificate is activated only when the USB drive containing the corresponding certificate is connected to the RAP. As soon as the USB drive is removed from the RAP, the certificate is deactivated. Removing the USB drive from an activated RAP drops the IPSec tunnel. Re-establishing the tunnel then requires a power cycle, regardless of whether the USB drive with the certificate is connected again.
The certificate contains all the information required to create the tunnel, including the private key, the RAP certificate with its chain of certificates, and the trusted CA certificate. As of AOS version 126.96.36.199, a maximum of three intermediate CAs is supported, and the common name (CN) of the RAP certificate must be the MAC address of the RAP in colon format.
Note: This USB drive is purely a storage device and does not act as a 3G/4G modem.