HTTPS Certificate Loading - Batch Load

Is there potentially a method by which we can load an HTTPS certificate on all units via a batch method?

Maestro, CNUT, SSH, SNMP, etc.? We might try to do it via curl/wget, but it would be nice if there were another more straightforward method.

Thanks,
Kevin

You can use cnMaestro to push a template to all the devices in your network.
Just in case you are not familiar with creating a template, here is a good article from the knowledgebase.

The following template will upload HTTPS certificates to the device. You just need to update the “certificate”, “encryptedPassword” and “encryptedPrivateKey” sections:

{
 "userParameters": {
  "networkConfig": {
   "httpsCertificates": [
    {
     "certificate": "-----BEGIN CERTIFICATE-----\nMIICjDCCAfUCFHmiHhpAJ5byU7SbEZm67E77UUsGMA0GCSqGSIb3DQEBCwUAMIGE\nMQswCQYDVQQGEwJVUzELMAkGA1UECAwCSUwxCzAJBgNVBAcMAlJNMRMwEQYDVQQK\nDApNeSBDb21wYW55MRQwEgYDVQQLDAtFbmdpbmVlcmluZzENMAsGA1UEAwwEdGVz\ndDEhMB8GCSqGSIb3DQEJARYSdGVzdEBteWNvbXBhbnkuY29tMB4XDTIzMDUxNjIy\nNTAyNFoXDTMzMDUxMzIyNTAyNFowgYQxCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJJ\nTDELMAkGA1UEBwwCUk0xEzARBgNVBAoMCk15IENvbXBhbnkxFDASBgNVBAsMC0Vu\nZ2luZWVyaW5nMQ0wCwYDVQQDDAR0ZXN0MSEwHwYJKoZIhvcNAQkBFhJ0ZXN0QG15\nY29tcGFueS5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAOFCXR2B2My5\nU0krJNtMFDFz7gn4ABa/N/1OY1JRgkIvsAqFQ5+C81g0UHwN6cFZPMqkiqpUEroX\nVBtVvxeoekeFECgjgQ+p0g0TVEmF5JzEOUiaYsFkg5s4kMrXy+YAHi+x5vPEFStZ\nUQ+iF0KR0dyK6I//1Abg1Co1c2KQI/EbAgMBAAEwDQYJKoZIhvcNAQELBQADgYEA\nyhOAiUrtnlG7dwa5C9nG7ycFqBz99x8DfV7JBnWwcWQLi4lhKFWtuBXGOF9psdyi\nDT5vET5oDKTFNwF+VPNQoRjNVBpG2hpqQyumbeIAg/1lelx0lzlX8EGmRW5JdA7z\nbNyuMLNIRR7mW47v8v8f7v4AsSpepQZPx2EozMOfda4=\n-----END CERTIFICATE-----\n"
    },
    {
     "encryptedPassword": "f93a979a93cdc773ba7c7f733b21a53c"
    },
    {
     "encryptedPrivateKey": "-----BEGIN ENCRYPTED PRIVATE KEY-----\nMIIC3TBXBgkqhkiG9w0BBQ0wSjApBgkqhkiG9w0BBQwwHAQIWAZyrWISgiACAggA\nMAwGCCqGSIb3DQIJBQAwHQYJYIZIAWUDBAEqBBD3giNIn2iJ7eHXusxs0PS1BIIC\ngPcy3jIfYs1rJTqXLtRIhsufstJgl7RxCQLrfAREW0+MQa0nv58T0fh7Ky4nxVRu\nXGV9H4LClKXNkjmBVQN7l/vLHz4IvdVjTonasvzPOVPBs6ZAOx8+/OgsQlV3PDsP\nVOyG2Yi2q6E1kfHGH09nY8mfX5R/T0sXzbvGEjBNT7O8pWrHqN+LTZhgjMrvD+DH\nvKu2azXkwh9UT8VFbAzMgeu1cu9YG+NPJCciK0jsGtOS7VvxJ9coutkoGNd2on4B\ntqREXUSbASkltUQ8QAi1arTdlcoXVCm8rWcG6nHizqRoVyCrCJzYzer1Iy5Bd1F9\njhe/FgXmGhr/3WdCUwvbeIFl3hoPF4gpG2VQ6bYqe99s1tusgQ4t4yX6DxXEDgGS\nOWgu8zEGE7B75B9nZmLChRLYUG3kX2W92mTm95FovWz/Zx/tH2sut8TygYj5IMIj\n7J7ifzNUwvpWReYalRboPSH/1J7pG6RLMiDesGQS6ALuJdVnW1c2ul6eOtlLfv2P\nMxsiOKYwZkuMQLH8LHDOU6Ewndl98Ym3dG7G4HjJoAF3MEppWWDp6PDFhmhG/xXV\nWpv43cr4z+x9ny6zB8+iVONQZvDXmYrV+5lDvIbKsab66Im0/EDAsP2MKEFov/5u\nrnNFku1kAHI9EqH0j5ZaxLtSI8z6Rz3km7/gyS10UUyR1HjI0/zmqAJDpXCpeVq1\nr+2o1KUbQThWsDg0z/j/2v0lDZPVu6CD6Ea11pA5uUx4+C3KrvlIl4F9dCUw/kan\nduS7k1tepdANHhQxkA+mKlzUV1l7ZjMEfr3hiUf987VdLReR4uKRV4yCKB0N3meJ\na1jZjG7w1Q5cNDDiP+N+AHw=\n-----END ENCRYPTED PRIVATE KEY-----\n"
    }
   ]
  }
 },
 "configFileParameters": {
  "rebootIfRequired": true
 },
 "cfgFileString": "Canopy configuration file",
 "cfgFileVersion": "1.0"
}

Please note that since the “rebootIfRequired” field is “true”, the radio will reboot immediately after the configuration is applied.

You can save the template as a “.cfg” file and use SNMP to import the file.
The OID to import the configuration file is “importConfigFile” (.1.3.6.1.4.1.161.19.3.3.3.7.0).

2 Likes
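A pre-push check for the template layout shown in the post above, as an added example that is not part of the original posts and not Cambium code. The function names are hypothetical, the PEM bodies and the `encryptedPassword` value are constructed placeholders, and it assumes the real `encryptedPassword` string is supplied by the caller.

```python
import base64
import json
import re

PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\n(.+?)\n-----END \1-----\n?", re.S)

def pem_label(pem):
    """Return the label of a single well-formed PEM block, else raise ValueError."""
    m = PEM_RE.fullmatch(pem)
    if not m:
        raise ValueError("not a single well-formed PEM block")
    base64.b64decode(m.group(2).replace("\n", ""), validate=True)  # bad base64 raises ValueError
    return m.group(1)

def check_template(cfg):
    """Return a list of findings for a parsed template; an empty list means nothing to review."""
    findings, fields = [], {}
    for entry in cfg.get("userParameters", {}).get("networkConfig", {}).get("httpsCertificates", []):
        fields.update(entry)
    for name, label in (("certificate", "CERTIFICATE"), ("encryptedPrivateKey", "ENCRYPTED PRIVATE KEY")):
        try:
            if pem_label(fields.get(name, "")) != label:  # e.g. an unencrypted PRIVATE KEY block
                findings.append(f"{name}: PEM label must be {label!r}")
        except ValueError as exc:
            findings.append(f"{name}: {exc}")
    if not fields.get("encryptedPassword"):
        findings.append("encryptedPassword: missing or empty")
    if cfg.get("configFileParameters", {}).get("rebootIfRequired"):
        findings.append("rebootIfRequired is true: the radio reboots when the template is applied")
    return findings

def build_template(cert_pem, enc_key_pem, enc_password, reboot=False):  # layout as in the post
    return {
        "userParameters": {"networkConfig": {"httpsCertificates": [
            {"certificate": cert_pem},
            {"encryptedPassword": enc_password},
            {"encryptedPrivateKey": enc_key_pem},
        ]}},
        "configFileParameters": {"rebootIfRequired": reboot},
        "cfgFileString": "Canopy configuration file", "cfgFileVersion": "1.0",
    }

def sample_pem(label):  # constructed placeholder bytes, not real certificate or key material
    body = base64.b64encode(b"constructed sample " * 4).decode()
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

if __name__ == "__main__":
    cfg = build_template(sample_pem("CERTIFICATE"), sample_pem("ENCRYPTED PRIVATE KEY"), "00" * 16)
    print(check_template(cfg) or json.dumps(cfg, indent=1))
```

The check only confirms structure and PEM labels; it does not verify that the certificate matches the key or that the radio will accept either.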

What format and version is the certificate in within the template?

How is the encryptionPassword generated?

Our other approach was to import our file into a radio, then use the text from that configuration file. However, we’re having trouble getting the radio to accept our wildcard certificate. When we’re importing a PKCS12 file in a radio, we’re getting an error, “Error opening file.”, even when we have created the PKCS12 file without a password.

Thanks for the assistance,
Kevin

I’m sorry for the delay in my response.
The certificate in the above example was in PKCS12 format.
The approach you’ve suggested is the way to go.
Could you please open a support ticket to help with importing the certificate?

No apologies necessary. We were able to get the HTTPS certificate imported after reviewing a few other helpful posts (generating-rsa-private-key-and-public-certificate-for-https).

However, now that the AP has a valid HTTPS cert, it seems browsing to the SM via the AP’s proxy mechanism no longer works, while accessing the AP utilizing the valid HTTPS cert. This seems to be the behavior on 22.0.2.

When we browse to the IP of the AP, proxy to the SM is fine. I did try installing the new certificate on the SM as well but it didn’t make a difference.