I had to post this since the PTPs now require users to generate their own key/certificate, rather than the device doing it for you. The manual offers almost no help in this regard, so here’s the process (feel free to modify) with the free program OpenSSL. Please post that you’ve used this and maybe Cambium might add some official help to the manual. Configuration is a “recipe”; unless the ingredients change, it should never change! That’s what a manual is for. So we don’t have to hunt around for hours and hours.
These instructions are based on code version 03-30 (25Jan2021).
Cambium requirements: “Upload the RSA Private Key and Public Certificate for the HTTPS interface using 2048-bit key size and SHA256. The certificate subject must be the ODU’s IP Address, for example 169.254.1.1. Input must be in Distinguished Encoding Rules (DER) format.”
DO THIS STEP BEFORE YOU CHANGE PASSWORDS or ENABLE SNMPV3.
And this is the only spot you can disable HTTP. If you try via the “Web-Based Management Page” it will also disable HTTPS.
Steps:
- Both radios must have the AES128 (or 256) license key applied in the radio for this to work. You can confirm this by:
  a. Clicking on “Installation”, then “Continue to Installation Wizard”.
  b. The first page is where the license key is applied; at the bottom is a “Capability Summary”. It should say “License Encryption AES 128-bit”.
- Install OpenSSL for Windows (if applicable): the “Light” version, 64-bit or 32-bit as appropriate to your system (usually 64-bit these days). It should say something like “Win64 OpenSSL v1.1.1j Light”: https://slproweb.com/products/Win32OpenSSL.html
  Note: common OpenSSL commands: https://www.sslshopper.com/article-most-common-openssl-commands.html
- Open the program “Win64 OpenSSL Command Prompt”.
- Execute the following commands in the command prompt. Replace the IP address in the commands below with the IP of the radio you are configuring. Be sure to answer “.” (a dot) so that all fields except the IP address are BLANK. The IP address is entered in the “Common Name” field. Pre-generate the certificate and keys for BOTH radios before continuing past this step.
  You will also need a password for the key generation; make sure you write it down since you need to enter it multiple times. You will not need this password when managing the radios.
  <You can try to increase the certificate expiry; “-days 3650” gives 10 years, but it would probably be preferable to increase it, e.g. to 30 years with “-days 10950”. This is untested.>
  Also note: OpenSSL outputs PEM by default, so you must specify DER for the output. You can validate your certificate file by opening it with Notepad. If it’s gobbledygook it’s DER encoded. If it starts with “-----BEGIN CERTIFICATE-----” then it’s Base64 encoded (PEM). OpenSSL also requires a PEM key to generate a certificate (DER or PEM), so we still need the PEM key. That’s why there are three OpenSSL steps:
Copy/paste commands:
openssl genrsa -aes128 -out cambium-192.168.1.20-key.pem 2048
openssl rsa -inform PEM -in cambium-192.168.1.20-key.pem -outform DER -out cambium-192.168.1.20-key.der
openssl req -x509 -sha256 -days 3650 -nodes -outform der -key cambium-192.168.1.20-key.pem -out cambium-192.168.1.20-crt.der
Example Output:
C:\Users\<user>\Downloads>openssl genrsa -aes128 -out cambium-192.168.1.20-key.pem 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
................+++++
....................+++++
e is 65537 (0x010001)
Enter pass phrase for cambium-192.168.1.20-key.pem:
Verifying - Enter pass phrase for cambium-192.168.1.20-key.pem:
C:\Users\<user>\Downloads>openssl rsa -inform PEM -in cambium-192.168.1.20-key.pem -outform DER -out cambium-192.168.1.20-key.der
Enter pass phrase for cambium-192.168.1.20-key.pem:
writing RSA key
C:\Users\<user>\Downloads>openssl req -x509 -sha256 -days 3650 -nodes -outform der -key cambium-192.168.1.20-key.pem -out cambium-192.168.1.20-crt.der
Enter pass phrase for cambium-192.168.1.20-key.pem:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:.
State or Province Name (full name) [Some-State]:.
Locality Name (eg, city) []:.
Organization Name (eg, company) [Internet Widgits Pty Ltd]:.
Organizational Unit Name (eg, section) []:.
Common Name (e.g. server FQDN or YOUR name) []:192.168.1.20
Email Address []:.
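The same three OpenSSL steps as a script, added here as an example and not part of the original post or anything from Cambium: it generates the key/certificate files for one radio IP without the interactive prompts (the “.” answers become `-subj "/CN=<ip>"`), then checks the resulting DER certificate against the requirements quoted above (2048-bit RSA, SHA-256, subject = radio IP, DER). It goes one step beyond the post by also putting the IP in a subjectAltName, which is what browsers actually match against. It assumes OpenSSL 1.1.1 or later on the PATH and the PEM key passphrase in the KEY_PASS environment variable.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes: openssl 1.1.1+ on PATH,
# passphrase for the PEM key in the KEY_PASS environment variable.
set -eu

# gen_radio_cert <radio-ip> <output-dir> [days]
# Writes cambium-<ip>-key.pem (AES-128 encrypted), cambium-<ip>-key.der and
# cambium-<ip>-crt.der: the same three files the manual commands produce.
gen_radio_cert() {
    ip=$1; dir=$2; days=${3:-3650}
    : "${KEY_PASS:?set KEY_PASS to the passphrase protecting the PEM key}"
    mkdir -p "$dir"
    base="$dir/cambium-$ip"
    openssl genrsa -aes128 -passout env:KEY_PASS -out "$base-key.pem" 2048 2>/dev/null
    openssl rsa -inform PEM -in "$base-key.pem" -passin env:KEY_PASS \
        -outform DER -out "$base-key.der" 2>/dev/null
    # -subj leaves every DN field blank except CN (the "." answers above);
    # the IP SAN is an addition to the post: clients match the IP against SAN.
    openssl req -x509 -sha256 -days "$days" -key "$base-key.pem" -passin env:KEY_PASS \
        -subj "/CN=$ip" -addext "subjectAltName=IP:$ip" \
        -outform DER -out "$base-crt.der" 2>/dev/null
}

# is_der <file>: succeeds if the file is DER (first byte is an ASN.1 SEQUENCE
# tag, 0x30) and not a Base64 PEM file; this is the "Notepad check" as code.
is_der() {
    first=$(head -c 1 "$1" | od -An -tx1 | tr -d ' \n')
    [ "$first" = "30" ] && ! grep -q -- '-----BEGIN' "$1"
}

# check_radio_cert <radio-ip> <dir>: verifies the DER certificate meets the
# Cambium requirements; prints the first failure and returns non-zero.
check_radio_cert() {
    ip=$1; crt="$2/cambium-$ip-crt.der"
    is_der "$crt" || { echo "$crt is not DER"; return 1; }
    txt=$(openssl x509 -inform DER -in "$crt" -noout -text)
    echo "$txt" | grep -q "Subject: CN *= *$ip"    || { echo "subject CN is not $ip"; return 1; }
    echo "$txt" | grep -q "Public-Key: (2048 bit)" || { echo "key is not 2048-bit"; return 1; }
    echo "$txt" | grep -q "sha256WithRSAEncryption" || { echo "signature is not SHA-256"; return 1; }
    echo "$txt" | grep -q "IP Address:$ip"         || { echo "missing IP SAN"; return 1; }
    echo "$crt: DER, CN=$ip, RSA-2048, SHA-256, IP SAN present"
}
```

Run `KEY_PASS=... sh thisfile.sh` after appending `gen_radio_cert 192.168.1.20 out && check_radio_cert 192.168.1.20 out` (and the same for the second radio) to pre-generate both radios’ files before touching the wizard.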
- Start on the REMOTE radio first. Be aware that you’re on a timer and the system could log you out. You should be ready to move quickly at this point.
- Click “Security” then the “Continue to Security Wizard” button.
  Note: The capability to disable HTTP and to enable both wireless encryption and HTTPS is in the “Security Configuration Wizard”. You can enable wireless encryption on the “System->Configuration” (“System Configuration”) page, but they make you do it here, and it overwrites the System Configuration page. It just means you end up doing it twice (more reboots and more risk).
- Click the “Generate Random Key” button for the sections “Enter Key of Keys” and “Enter Random Number Entropy Input”.
  Note: “Enter Key of Keys” will wreck your SNMPv3 configuration, meaning you would have to do it twice. That’s why we do this part first.
- Security banner:
  - Unauthorized Use Prohibited.
- Enable “display login information”.
- Enter HTTPS Configuration: select the cert and key you generated (the .der files). If they are not in DER format you’ll get an “Invalid TLS public certificate file” error.
- Enter the wireless encryption setting as “TLS PSK 128-bit” (if this option doesn’t appear, the AES-128 license was either not purchased or not applied, or both).
- Have it generate a key and COPY IT. This key must match on BOTH radios (both ODUs, or outdoor units). If it does not, you’ll lose access to the remote. Do the far-side configuration first and then the near side. Be aware that you’re on a timer and the system could log you out; that’s why we pre-generate both radios’ certificates first.
- On the “Enter HTTP and Telnet Settings” page set “HTTP Access Enabled” to “NO”.
  Note: We’ll leave telnet enabled in case we need to telnet locally from the router, or because we’re locked out of HTTPS.
- On the page asking you to REBOOT, pause and start this process again on the near-side radio, then pause at its REBOOT page.
- Set up a ping to the far radio to confirm it all comes back up.
- Reboot the far-side radio.