Network Management

Hello,

I'm trying to install a new server cert for Airwave (we've been using the default up to now), the new cert is signed by Sectigo.

I used the AW CLI to generate a CSR. That has been signed by Sectigo and I have a number of download options for the certificate. I have tried the PEM format without any chain, with the chain, and with "issuer after" (these are the options I am given by Sectigo). There are also PKCS options which I have not tried.

I tried all the PEM options - converting the download to a .crt file using openssl:

openssl x509 -inform PEM -in airwave_csi_private_cam_ac_uk.cer -outform PEM -out airwave_csi_private_cam_ac_uk.crt

I then uploaded the crt to the user dir on AW using SFTP.

Then from the menu I choose:

3 Install Signed Certificate

And select the new cert, but I always get:

Invalid certificate chain.

Invalid certificate format.

I'm no certificate expert, is there something I'm doing wrong here?

I'm also not sure what the distinction is between the different ways of adding a cert - there are 2 options on the CLI, Add SSL certificate or install a signed cert. Then on the GUI there is a cert upload option under Device Setup.

Thanks,

Guy




------------------------------
Guy Goodrick
------------------------------

Please open a TAC case to check the certificate and possible cause of the issue. PEM certificate with chain should be working fine.
w.r.t server certificate, CLI is the option to add SSL cert. The UI option is for Device certificate to authenticate IAP/Switches using the cert. It is not for server certificate.

------------------------------
Gowri Sankar Amujuri
------------------------------

Original Message:
Sent: Jul 13, 2021 10:51 AM
From: Guy Goodrick
Subject: Installing new Airwave server cert

Hello,

I'm trying to install a new server cert for Airwave (we've been using the default up to now), the new cert is signed by Sectigo.

I used the AW CLI to generate a CSR. That has been signed by Sectigo and I have a number of download options for the certificate. I have tried the PEM format without any chain, with the chain, and with "issuer after" (these are the options I am given by Sectigo). There are also PKCS options which I have not tried.

I tried all the PEM options - converting the download to a .crt file using openssl:

openssl x509 -inform PEM -in airwave_csi_private_cam_ac_uk.cer -outform PEM -out airwave_csi_private_cam_ac_uk.crt

I then uploaded the crt to the user dir on AW using SFTP.

Then from the menu I choose:

3 Install Signed Certificate

And select the new cert, but I always get:

Invalid certificate chain.

Invalid certificate format.

I'm no certificate expert, is there something I'm doing wrong here?

I'm also not sure what the distinction is between the different ways of adding a cert - there are 2 options on the CLI, Add SSL certificate or install a signed cert. Then on the GUI there is a cert upload option under Device Setup.

Thanks,

Guy




------------------------------
Guy Goodrick
------------------------------

Try to create a PCKCS12 with this openssl command;

• openssl pkcs12 -export -out controller.marcelkoedijk.nl.pfx -inkey controller.marcelkoedijk.nl.key -in controller.marcelkoedijk.nl.txt

Be sure your certificate, intermediate and root-ca are in the right order in de txt file.

1. Certificate
2. Intermediate
3. Root-CA

See a example for sectigo certifcates in the attachment (could be a little different depends on the used intermediate and root, this can be different for some types of sectigo certificates.

Hope this helps

------------------------------
Marcel Koedijk | MVP Guru 2021 | ACEP | ACMP | ACCP | ACDP | Ekahau ECSE | Not an HPE Employee | Opionions are my own
------------------------------

Original Message:
Sent: Jul 13, 2021 11:24 AM
From: Gowri Sankar Amujuri
Subject: Installing new Airwave server cert

Please open a TAC case to check the certificate and possible cause of the issue. PEM certificate with chain should be working fine.
w.r.t server certificate, CLI is the option to add SSL cert. The UI option is for Device certificate to authenticate IAP/Switches using the cert. It is not for server certificate.

------------------------------
Gowri Sankar Amujuri

Original Message:
Sent: Jul 13, 2021 10:51 AM
From: Guy Goodrick
Subject: Installing new Airwave server cert

Hello,

I'm trying to install a new server cert for Airwave (we've been using the default up to now), the new cert is signed by Sectigo.

I used the AW CLI to generate a CSR. That has been signed by Sectigo and I have a number of download options for the certificate. I have tried the PEM format without any chain, with the chain, and with "issuer after" (these are the options I am given by Sectigo). There are also PKCS options which I have not tried.

I tried all the PEM options - converting the download to a .crt file using openssl:

openssl x509 -inform PEM -in airwave_csi_private_cam_ac_uk.cer -outform PEM -out airwave_csi_private_cam_ac_uk.crt

I then uploaded the crt to the user dir on AW using SFTP.

Then from the menu I choose:

3 Install Signed Certificate

And select the new cert, but I always get:

Invalid certificate chain.

Invalid certificate format.

I'm no certificate expert, is there something I'm doing wrong here?

I'm also not sure what the distinction is between the different ways of adding a cert - there are 2 options on the CLI, Add SSL certificate or install a signed cert. Then on the GUI there is a cert upload option under Device Setup.

Thanks,

Guy




------------------------------
Guy Goodrick
------------------------------

Thanks Gowri,

Ok so in the end I generated the CSR and private key using openssl, once I had the signed certificate with chain I converted it to a PKCS#12 .p12 file, and successfully transferred this to Airwave and installed using the method you describe (add SSL certificate, not install signed certificate). Thanks for your help.

Now I'm having fun with installing new server certs on AOS controllers, but I'll post a plea for help in the proper place!

Thanks again.

------------------------------
Guy Goodrick
------------------------------

Original Message:
Sent: Jul 13, 2021 11:24 AM
From: Gowri Sankar Amujuri
Subject: Installing new Airwave server cert

Please open a TAC case to check the certificate and possible cause of the issue. PEM certificate with chain should be working fine.
w.r.t server certificate, CLI is the option to add SSL cert. The UI option is for Device certificate to authenticate IAP/Switches using the cert. It is not for server certificate.

------------------------------
Gowri Sankar Amujuri

Original Message:
Sent: Jul 13, 2021 10:51 AM
From: Guy Goodrick
Subject: Installing new Airwave server cert

Hello,

I'm trying to install a new server cert for Airwave (we've been using the default up to now), the new cert is signed by Sectigo.

I used the AW CLI to generate a CSR. That has been signed by Sectigo and I have a number of download options for the certificate. I have tried the PEM format without any chain, with the chain, and with "issuer after" (these are the options I am given by Sectigo). There are also PKCS options which I have not tried.

I tried all the PEM options - converting the download to a .crt file using openssl:

openssl x509 -inform PEM -in airwave_csi_private_cam_ac_uk.cer -outform PEM -out airwave_csi_private_cam_ac_uk.crt

I then uploaded the crt to the user dir on AW using SFTP.

Then from the menu I choose:

3 Install Signed Certificate

And select the new cert, but I always get:

Invalid certificate chain.

Invalid certificate format.

I'm no certificate expert, is there something I'm doing wrong here?

I'm also not sure what the distinction is between the different ways of adding a cert - there are 2 options on the CLI, Add SSL certificate or install a signed cert. Then on the GUI there is a cert upload option under Device Setup.

Thanks,

Guy




------------------------------
Guy Goodrick
------------------------------