Patrick,
Don't use a wildcard certificate for your controller UI; especially not if you are using it to redirect or do captive portal authentication. The issue is that the controller will listen (intercept) for authentication on the Common Name (CN) of the installed certificate, which will be *.yourdomain.com, and you cannot point clients there.
Make sure that the certificate installed on the controller has a non-wildcard common-name.
Then, I would indeed go for generating the key pair and CSR on a (Linux) system with OpenSSL so you have access to the private key. If you use the controller to generate the key and CSR you won't have access to the key and cannot install it on multiple controllers easily.
To import the cert and the key, you will need to import it as a PKCS#12, which includes both key and certificate. If you already have OpenSSL, you can use that to create a PKCS#12 file with private key, public key, an intermediate, and a root CA cert:
# -certfile is single-valued (a repeated -certfile overrides the earlier one), so concatenate the intermediate and root CA certs into one chain file first:
cat intermediate.server.ca.pem root-ca.pem > chain.pem
openssl pkcs12 -export -out ${CN}.p12 -inkey ${CN}.key -in ${CN}.crt -certfile chain.pem
Here, either replace the ${CN} with the filename (without extension), or use the command: export CN=login.mydomain.com; and then run the commands above if the .key and .crt are named like that.
You will be asked for a password during this export, and it should match the password you enter in the WebUI during import.
Summarized:
- Don't use a wildcard for the controller WebUI
- If you externally generate your certificate, import cert+key in PKCS#12 format.
Hope this helps.
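The full procedure from the post above (non-wildcard CN, key pair and CSR generated outside the controller, chain concatenated, PKCS#12 exported and checked before import), as an added worked example that is not part of the original reply. It assumes the openssl CLI is installed; the root and intermediate CA are constructed locally so the example runs offline, whereas in practice the .crt comes back from your real CA. The CN login.mydomain.com and the password changeit are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumes: openssl on PATH.
# A throwaway root + intermediate CA is built here so the script runs offline;
# with a real CA you would only run make_key_and_csr and export_p12.
set -eu

WORK="${WORK:-$(mktemp -d)}"
CN="${CN:-login.mydomain.com}"      # constructed; must NOT be a wildcard
P12_PASS="${P12_PASS:-changeit}"    # constructed; same password goes into the WebUI import

# Refuse wildcard common names up front: the controller intercepts on the CN,
# and clients cannot be pointed at "*.domain".
check_cn() {
  case "$1" in
    \**) echo "refusing wildcard CN: $1" >&2; return 1 ;;
  esac
  return 0
}

# Key pair + CSR generated on the admin host, so the private key stays with you
# and can be imported into several controllers.
make_key_and_csr() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/$CN.key" \
    -subj "/CN=$CN" -out "$WORK/$CN.csr" 2>/dev/null
}

# Stand-in CA chain (root -> intermediate) so the chain file has real content.
make_demo_ca() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/root.key" \
    -subj "/CN=Demo Root CA" -out "$WORK/root.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 30 \
    -extfile "$WORK/ca.ext" -out "$WORK/root-ca.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/int.key" \
    -subj "/CN=Demo Intermediate CA" -out "$WORK/int.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root-ca.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 30 -extfile "$WORK/ca.ext" \
    -out "$WORK/intermediate.server.ca.pem" 2>/dev/null
}

# Issue the leaf from the intermediate (stands in for "send CSR to CA, get .crt back").
issue_leaf() {
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$CN" > "$WORK/leaf.ext"
  openssl x509 -req -in "$WORK/$CN.csr" -CA "$WORK/intermediate.server.ca.pem" \
    -CAkey "$WORK/int.key" -CAcreateserial -days 30 -extfile "$WORK/leaf.ext" \
    -out "$WORK/$CN.crt" 2>/dev/null
  # Prove the chain validates before bundling it.
  openssl verify -CAfile "$WORK/root-ca.pem" -untrusted "$WORK/intermediate.server.ca.pem" \
    "$WORK/$CN.crt" >/dev/null
}

# Bundle key + leaf + chain into PKCS#12. -certfile takes one file, so the
# intermediate and root are concatenated first.
export_p12() {
  cat "$WORK/intermediate.server.ca.pem" "$WORK/root-ca.pem" > "$WORK/chain.pem"
  openssl pkcs12 -export -out "$WORK/$CN.p12" -inkey "$WORK/$CN.key" -in "$WORK/$CN.crt" \
    -certfile "$WORK/chain.pem" -passout "pass:$P12_PASS"
}

# Checks a practitioner runs before uploading: how many certs, and which CN.
count_p12_certs() {
  openssl pkcs12 -in "$WORK/$CN.p12" -passin "pass:$P12_PASS" -nokeys 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE'
}
p12_leaf_cn() {
  openssl pkcs12 -in "$WORK/$CN.p12" -passin "pass:$P12_PASS" -nokeys -clcerts 2>/dev/null \
    | openssl x509 -noout -subject -nameopt RFC2253 | grep -o 'CN=[^,]*' | cut -d= -f2
}

build_bundle() {
  check_cn "$CN"
  make_key_and_csr
  make_demo_ca
  issue_leaf
  export_p12
  echo "PKCS#12 written to $WORK/$CN.p12 ($(count_p12_certs) certs, CN=$(p12_leaf_cn))"
}

build_bundle
```

Run it as `CN=login.mydomain.com P12_PASS=yourpassword sh make-p12.sh`; the resulting .p12 contains the key, the leaf and both CA certs, and the printed CN confirms nothing wildcard slipped in. With a real CA, replace make_demo_ca and issue_leaf with the .crt and chain files your CA returns and keep the rest unchanged.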