CnMaestro on-premises guest access certificate


I need to remove the browser warning (SSL untrusted) when wireless clients land on the splash page for the login.
I want to buy a certificate; however, when generating the CSR from the cnMaestro page I do not know what to put in the CN because the URL is like MAcaddress/…

Some certification authorities do not want a local IP address in the CN.


Maybe it is stupid, but force HTTP to the splash page 🙂

This is probably a silly question, but do you have a fully-qualified domain name for your on-premises instance?

No, how do you configure that in cnMaestro?

I don’t believe you need to configure it in cnMaestro (@Jordan, please correct me if I’m wrong).

I think you just need to register a name for the server in DNS that resolves to, then you can generate a CSR for that name.

From what I understand @Simon_King that is correct. Configure your DNS server (separate from cnMaestro) to resolve a domain name to your On-Premises IP, which should be static.

I’m not sure if there are any issues when buying a certificate for a domain name in your local DNS server.

There’s no reason they should care whether it’s a local DNS server or the public DNS, but they will require you to prove that you own the domain. This is often done by creating a special entry in the public DNS.

In the end we found a specific setting in cnMaestro On-Premises that is fit for purpose. It is the “Guest Portal Hostname/IP”. Before, it was set to the local cnMaestro IP address, and that’s why you get the URL

If you put a hostname, it still will not work, as the browser throws the error ERR_NAME_NOT_RESOLVED. We set up a DNS service on a local Windows Server machine to resolve cnmaestro1234 to an IP. We configured the AP to use the internal DNS. Finally, the guest portal page is https://cnmaestro1234/
and we are going to buy a certificate for that CN=hostname1234


Ah, OK, I’m glad you found that setting.

I would be surprised if you could buy a certificate with a bare hostname though - I think you’ll need a fully-qualified domain name.

Indeed. We had to put (and similar) otherwise the CSR request was rejected by the SSL issuer.

I assume this is just an example, and you actually used a proper domain that you own, right? The certificate issuer is going to require you to prove that you own the domain before they give you the certificate.
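
As an added example (not part of the original thread and not cnMaestro code), here is a pre-check for a name you plan to put in the CSR's CN before sending it to a public CA, covering the cases raised above: local IP addresses, bare hostnames and names under internal-only suffixes. The suffix list, function names and sample names are assumptions constructed for illustration.

```python
import ipaddress
import re

# Assumed, non-exhaustive list of suffixes that are not delegated in public DNS,
# so ownership of a name under them cannot be proven to a public CA.
INTERNAL_SUFFIXES = {"local", "localhost", "internal", "lan", "home", "corp",
                     "test", "example", "invalid"}
LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def classify_cert_name(name):
    """Classify a candidate CN/SAN value for a publicly trusted certificate."""
    candidate = name.strip().rstrip(".").lower()
    try:
        ip = ipaddress.ip_address(candidate)
    except ValueError:
        ip = None
    if ip is not None:
        # RFC 1918, loopback, link-local and similar ranges are not global.
        return "public-ip" if ip.is_global else "reserved-ip"
    labels = candidate.split(".")
    if not all(LABEL.match(label) for label in labels):
        return "invalid-label"
    if len(labels) == 1:
        return "bare-hostname"
    if labels[-1] in INTERNAL_SUFFIXES:
        return "internal-name"
    return "fqdn"


def usable_for_public_ca(name):
    """Follow the thread's advice: only a fully-qualified domain name passes."""
    return classify_cert_name(name) == "fqdn"


if __name__ == "__main__":
    # Constructed samples; portal.example.com stands in for a domain you own.
    for sample in ("192.168.1.10", "cnmaestro1234", "portal.corp",
                   "portal.example.com"):
        print(f"{sample:22} {classify_cert_name(sample)}")
```

A name that passes this check must still resolve for the wireless clients, and the CA will still ask for proof of control over the parent domain.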