Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Certificate for Captive Portal

  • 1.  Certificate for Captive Portal

    Posted Dec 11, 2013 09:24 AM

    I have 3 controllers (1 Master and 2 Locals). Do I need to have a different certificate for each controller for Captive Portal or do I need just one?



  • 2.  RE: Certificate for Captive Portal

    Posted Dec 11, 2013 09:29 AM

    You need one for each



  • 3.  RE: Certificate for Captive Portal

    Posted Dec 11, 2013 09:39 AM

    Thanks for the response. Do I need to have the CSR for the controller name or the SSID (Guest)?



  • 4.  RE: Certificate for Captive Portal

    Posted Dec 11, 2013 09:43 AM


    Controller



  • 5.  RE: Certificate for Captive Portal

    EMPLOYEE
    Posted Dec 11, 2013 10:16 AM
    If you do the CSR on a server where you can export the private key (IIS or
    openssl), you could use the same cert on all 3. You could do something
    generic like wireless.domain.com


  • 6.  RE: Certificate for Captive Portal

    EMPLOYEE
    Posted Dec 11, 2013 10:21 AM

    @jcameron wrote:

    I have 3 controllers (1 Master and 2 Locals). Do I need to have a different certificate for each controller for Captive Portal or do I need just one?


    You have a choice:

     

    1.  One Certificate for each Controller, each with its own Subject as its FQDN or

    2.  A single certificate that can be installed on all of your controllers, with the FQDNs for your controllers entered in the SAN or Subject Alternate Name field on the CSR form at your Certificate Authority:  http://en.wikipedia.org/wiki/SubjectAltName

     

    Please know that

     

    - the CSR form for the controller does not have a Subject Alternate name field, so you cannot generate it there for option (2).  You would need to generate the CSR using the Certificate Authority's form...

    - If you Generate a CSR from a controller, it will stay in there, so you cannot generate another unless you import a corresponding certificate

    - Certificate Authorities charge more for additional subject alternate names, but not as much as an entire certificate, but shop around.

     

     



  • 7.  RE: Certificate for Captive Portal

    Posted Dec 11, 2013 10:37 AM

    Thanks, Colin. I created certs with the FQDN of each controller as the Common Name. Is this right?



  • 8.  RE: Certificate for Captive Portal

    EMPLOYEE
    Posted Dec 11, 2013 11:12 AM

    Correct.

     



  • 9.  RE: Certificate for Captive Portal

    Posted Dec 12, 2013 07:36 AM

    I got the certs; they are in p7b format. When I upload them onto the controller, then go to Management -> General and try to change the cert for Captive Portal, it does not show up.



  • 10.  RE: Certificate for Captive Portal

    EMPLOYEE
    Posted Dec 12, 2013 08:58 AM

    Did you upload it as a "server cert"?

     

    Also, make sure the root CA that signed the cert is uploaded as a "Trusted CA".



  • 11.  RE: Certificate for Captive Portal

    Posted Dec 12, 2013 09:02 AM

    I only got one cert file. When I view the file I see 3 certs inside. Do I need to export each cert from the file?

    I am used to a server where it took the file as it is.



  • 12.  RE: Certificate for Captive Portal

    EMPLOYEE
    Posted Dec 12, 2013 09:08 AM

    I believe when uploading to the controller, you will need separate files for the server cert and root CA. You should be able to open the file as plain text and split them into different files.

     

    Then upload the Root CA first, then the server cert.

     


     

    Did you do the CSR on the controller or another server?



  • 13.  RE: Certificate for Captive Portal

    Posted Dec 12, 2013 09:12 AM

    When I open as a text file, it only shows the type cert in the path.

     

    I made the CSR on the controller.
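
The split that post 12 describes, as an added example that is not part of the original thread. A .p7b may be binary DER rather than text, in which case a text editor shows no PEM blocks, so this script uses the openssl CLI to write each certificate to its own PEM file and label it. The function names, output file names and role labels are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Requires the openssl CLI.
# Function names, output file names and role labels are assumptions.

# Print the role of one PEM certificate: root-ca, intermediate-ca or server.
cert_role() (
    subj=$(openssl x509 -in "$1" -noout -subject_hash) || exit 1
    issr=$(openssl x509 -in "$1" -noout -issuer_hash) || exit 1
    if [ "$subj" = "$issr" ]; then
        echo root-ca            # issued to itself: upload as a Trusted CA
    elif openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; then
        echo intermediate-ca    # basicConstraints marks it as a CA
    else
        echo server             # the leaf issued for the controller FQDN
    fi
)

# Split bundle $1 into $2/cert-N.pem and print "file role subject" per cert.
split_p7b() (
    p7b=$1 outdir=$2 form=DER
    mkdir -p "$outdir" || exit 1
    # A .p7b is either binary DER or base64 PEM; detect which one this is.
    if grep -q -e '-----BEGIN PKCS7-----' "$p7b"; then form=PEM; fi
    # -print_certs emits every certificate in the bundle as a PEM block;
    # awk writes each block to its own numbered file.
    openssl pkcs7 -inform "$form" -in "$p7b" -print_certs |
    awk -v dir="$outdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem" }
        out != "" { print > out }
        /-----END CERTIFICATE-----/   { close(out); out = "" }'
    [ -f "$outdir/cert-1.pem" ] || { echo "no certificates found" >&2; exit 1; }
    for f in "$outdir"/cert-*.pem; do
        echo "$f $(cert_role "$f") $(openssl x509 -in "$f" -noout -subject)"
    done
)

# Usage: sh split_p7b.sh bundle.p7b outdir
if [ "$#" -eq 2 ]; then split_p7b "$1" "$2"; fi
```

Following the order given in the thread, the `root-ca` file (and any `intermediate-ca` file) goes in as a Trusted CA first, then the `server` file as a server cert. Because the CSR was generated on the controller, the matching private key exists only on that controller, so the server file must be uploaded to the same one.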