Can I load a SSL certificate on he E400

Is there a way to load a SSL/HTTPS certificate on the E400 to replace the internal self-signed one?

I'm wanting to avoid the browser warnings that occur when managing the AP via HTTPS.


Looks like you can import a certificate in pem format from the command line. 

import certificate

import intermediate-certificate


it is not been supported for cnPilot APs. At present this feature is supported for cnMaestro. 


this feature "import certificate and import immediate-certificate" is for guest access service when guest access service is running on ap.


I have loaded the Certificate of our Company in our cnMaestro-on Premises server succesfully.

Is there a way to push that certificate from cnMaestro to all the onboarded APs? 

Thanks in advance,

You want to do this for device management or to provide guest portal service? OR there is some other reason behind this request?


We want it to provide Guest Portal Service.


No need to load trusted certificates on all APs for this purpose. You can make the guest clients login via cnMaestro which already has a trust cert in your case.


Trust me, we do need to load truted certificates in the AP.

We are using an external captive portal with External RADIUS, not the Cambium Guest Portal.

We have everything configured and working, but we have the problem of the SSL certificates when the redirect is performed.

We can avoid the SSL warning selecting "Redirect Mode = HTTP", but we do not like HTTP for this an prefer HTTPS.  We are succesfully doing this with other vendors, loading the SSL certificates to the APs. That's why I am asking for your support. We need to load the certificates to the APs and we have been told by that there is a way to do it from the cnMaestro, but I do not find related documentation.

Looking forward your comments.

I was referring to external guest portal when I said there is no need to load trusted certificate on each AP. Contact Support to find details on the setup needed to achieve this.

Dear Ksannedhi,

¿This is not support, then?

I do not need help for configuring an External Guest Portal, it is already configured and working apart from the issue that I need a certificate in the AP for the HTTPS URL Redirection.

However, the matter is not that if I need a certificate or not, the question is simple: is there a way to upload a certificate to an AP, using the cnMaestro, the CLI, FTP, SFTP,....? Yes or not?

Since you are already done with loading certificate on the cnMaestro, there is no need to do the same thing on APs. To make it work in this fashion, you need to change the external portal coding to make the user credentials get posted to the cnMaestro NOT to the APs. Hope this helps.

Moreover you need following two changes on the cnMaestro side:

i. Under the SSID settings, enable the "External Portal Post Through cnMaestro" setting.

ii. Guest Access Portal under the "Services" to use the same hostname used for the Common Name in the certificate.

Give it a try.

If it doesn't work, call Support as it might need settings verification by taking remote access to your setup.

Hi Netting_Tech, 

                 The solution for this issue is available in the on-premise version of cnMaestro. Unfortunately, solution for this is not availalbe in the cloud version of cnMaestro. 

                  Loading certificates on all AP's is a tedious process, so we have provided an option to load the certificate on cnMaestro. When client is accessing the internet, AP will intercept this packet and redirect (302) the client to get the webpage from external Captive Portal server. This redirect message from AP will contain the domain name of cnMaestro to post the credentials the cnMaestro to authenticate the client. 

                Two things which is important to note in this are, If the AP is already on-boarded to the cnMaestro and then this configuarion change is done on the cnMaestro, then AP needs to be disconnected and reconnected back to reflect this configuration. 

                Another important point is, DNS forward zone of the client DNS server should be updated with the entry to point to the cnMaestro hostname. This will ensure that when the client tries to contact the redirected URL ( which AP provides to contact cnMaestro) URL resolution will succeed.




Hi Anand,

Thanks for your reply.

Actually, we are using the on-premises version of cnMaestro as many functionalities that we needed for our external Captive portal were not supported in the Cloud version (such as the RADIUS proxy, for instance).

The APs were onboarded to the controller before the certificates were uploaded to the cnMaestro. You suggest then to delete from the controler and adopt it back?


Hi Netting_Tech, 

           Its better to reboot the cnMaestro than deleting and then re-onboarding if the number of AP's are higher.