I'm trying to upload our RADIUS server's cert. It's reading the cert, but never shows on the list. Is there a key-size restriction or something? The factory certs are sha1WithRSAEncryption size 1024. I have certs that are sha512WithRSAEncryption size 2048. Should these work?
Hi,
The RADIUS Server cert is actually a list of CAs and not a server certificate.
When a RADIUS session is established, the server certificate presented by the RADIUS server has to be signed by one of the CAs present on the radio; only then does the radio think it is talking to a trusted RADIUS server, and the connection proceeds.
I tried to upload a dummy CA (created using openssl) with RSA 208 bit key and SHA-512 and import is successful.
After reboot I can see certificate parameters also.
Thanks,
Chitrang
That is not my experience. I have a PMP450 running 15.2.0.1. I go to the "Accounts" configuration. It has the default certs installed. I delete "User Authentication Certificate 1" then upload my CA's intermediate cert. After I click the "Import Certificate" button, it says "Uploaded File" and "Error opening file.". The PEM certificate is included below.
-----BEGIN CERTIFICATE----- MIIFpjCCA46gAwIBAgIUbpT2wYWC3B1DX116hZSWfKr3Vt4wDQYJKoZIhvcNAQEN BQAwVTELMAkGA1UEBhMCVVMxHTAbBgNVBAoTFEFsbCBQb2ludHMgQnJvYWRiYW5k MScwJQYDVQQDEx5BbGwgUG9pbnRzIEJyb2FkYmFuZCBSb290IENBIDEwHhcNMTYw ODA1MTQyMzAwWhcNMzYwODA1MTAyMzAwWjBdMQswCQYDVQQGEwJVUzEdMBsGA1UE ChMUQWxsIFBvaW50cyBCcm9hZGJhbmQxLzAtBgNVBAMTJkFsbCBQb2ludHMgQnJv YWRiYW5kIEludGVybWVkaWF0ZSBDQSAxMIICIjANBgkqhkiG9w0BAQEFAAOCAg8A MIICCgKCAgEAxP3x3PKXSxNreGubknIn1pijd1AG4M2ynKeDEBiafYuljU5HYApv NcQC+sOS3jHBzmMkT0jUV1h2PcRuR8ImfgHTSM/hh08qvxzYRK1GPzwsBQP7S6+s N1jzK1+t78OTHAP8D2+KAshmhoseBAnibpQjUYR4dgVHQ3x+CcdYDiLXIqkyqGp0 eK0mkUdxkXdi4TmyKciSQwQ9d3xWeomXvWT75zQDEPfafkzBqjY9aZVnUKUMc7+B YetwvUtr4l0gUmeWrtHmF62CgGsmxX4d06rKCXWV4/Xm8/lS3oZjt3d2Gg0irvAo 65Oyh8K2fzjZMnqEmH6Ob8zL5oUxCW6WgF3hhrqYekO8v2lohDiHY6mO9rJYmx9H wNXkSofw0dHmj6U1OPDwy6TSjQyPUuG2bdw+qt9hVv4ri1SBPusoTgl/LeC8uFqL Wf3hccPi1JWSIFM0Ir29zJ91NYA4394hO3HKDI5gS3n0kmxPpVnLC72elAHRXs07 l9oPoo+RM+L2AWi0LIhmMHA3oFfoTniPf8i/pabQi2oQtfMD24DJMW0Rge0UxDZp ZcK1NbUkRw+yLaHO7AjpdnHBKZmHNYl1PnsprRGydXx7yFPRv3uGnfKt4Xlc/qg0 kBEO8Ua/YsyRAnkc13K4RJe6tQfWsIVT4DRRoK6kCyawTOYgnc7rBtECAwEAAaNm MGQwDgYDVR0PAQH/BAQDAgGGMBIGA1UdEwEB/wQIMAYBAf8CAQEwHQYDVR0OBBYE FKAk2XOpBvIq4Qr7XexArJ9Ff9SNMB8GA1UdIwQYMBaAFKD5YDhS5G2fG1Gk1/U5 g8oI6YcjMA0GCSqGSIb3DQEBDQUAA4ICAQAIJnbFpFBrVcEUbRboXeX9mmfdyjeL dnntSb0D7M9uB4yPanS71Ya2QofKm+LiVOFzSEX8qFwafvvoQ/oWa4Ln1Fr5HpXO 9T1mDQ7dPZEinmstesr9L0lr2RYbA8tdYaxd9gxOVoR+5EnS+pKjYC7KRTrH39Xa q41l745CzoXvLz+QYIMvRTwZ9zdQw9B/sPAY/T83tH6C+fu6evosvQDI2V6HMQDz 9cFL9G+NDLryWNfhRXcvPKy4foGytcD4cP+GugUVop+UsKf2yueU7h+H/fYtgkW3 Hnl8Xb+YhlGq/GsX4yh1ZBuny2aDAahT4cJQAFzZcT6l4MmAaqJZxaNbhWPJmCy6 u1891JWVGaOtihI3VhN5Rhmr+JGVM6J2aT+3DVYtThlcoxCsvdMGIFgOhXkCeOHx cK3AnOVvBcSZIrkzZMdp2BGlIqpVayyEvdonunODs4tgiQoLPxLXZ8cK8aZNDQCh atsOim8xXlPxJkz0CN03N3gnbFAlN7TBxvE2olJFh1eewWkliTSX8m+y7RBa1eFS rNrFx8AdeueTCYd2k/8DKAd4YgUQH5RRhEFVa515sjZDk3EQrfNasttDT+25bSW+ FTewuajJAwxFGKIJ5bg2ecou9YGH3RgnxNYNFhbz6hZbGvX1/5A+4/8jN0k21K/i V/+5F0tMh3mcgQ== 
-----END CERTIFICATE-----
$ openssl x509 -in all_points_broadband_intermediate_ca_1.pem -text -noout Certificate: Data: Version: 3 (0x2) Serial Number: 6e:94:f6:c1:85:82:dc:1d:43:5f:5d:7a:85:94:96:7c:aa:f7:56:de Signature Algorithm: sha512WithRSAEncryption Issuer: C=US, O=All Points Broadband, CN=All Points Broadband Root CA 1 Validity Not Before: Aug 5 14:23:00 2016 GMT Not After : Aug 5 10:23:00 2036 GMT Subject: C=US, O=All Points Broadband, CN=All Points Broadband Intermediate CA 1 Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (4096 bit) Modulus: 00:c4:fd:f1:dc:f2:97:4b:13:6b:78:6b:9b:92:72: 27:d6:98:a3:77:50:06:e0:cd:b2:9c:a7:83:10:18: 9a:7d:8b:a5:8d:4e:47:60:0a:6f:35:c4:02:fa:c3: 92:de:31:c1:ce:63:24:4f:48:d4:57:58:76:3d:c4: 6e:47:c2:26:7e:01:d3:48:cf:e1:87:4f:2a:bf:1c: d8:44:ad:46:3f:3c:2c:05:03:fb:4b:af:ac:37:58: f3:2b:5f:ad:ef:c3:93:1c:03:fc:0f:6f:8a:02:c8: 66:86:8b:1e:04:09:e2:6e:94:23:51:84:78:76:05: 47:43:7c:7e:09:c7:58:0e:22:d7:22:a9:32:a8:6a: 74:78:ad:26:91:47:71:91:77:62:e1:39:b2:29:c8: 92:43:04:3d:77:7c:56:7a:89:97:bd:64:fb:e7:34: 03:10:f7:da:7e:4c:c1:aa:36:3d:69:95:67:50:a5: 0c:73:bf:81:61:eb:70:bd:4b:6b:e2:5d:20:52:67: 96:ae:d1:e6:17:ad:82:80:6b:26:c5:7e:1d:d3:aa: ca:09:75:95:e3:f5:e6:f3:f9:52:de:86:63:b7:77: 76:1a:0d:22:ae:f0:28:eb:93:b2:87:c2:b6:7f:38: d9:32:7a:84:98:7e:8e:6f:cc:cb:e6:85:31:09:6e: 96:80:5d:e1:86:ba:98:7a:43:bc:bf:69:68:84:38: 87:63:a9:8e:f6:b2:58:9b:1f:47:c0:d5:e4:4a:87: f0:d1:d1:e6:8f:a5:35:38:f0:f0:cb:a4:d2:8d:0c: 8f:52:e1:b6:6d:dc:3e:aa:df:61:56:fe:2b:8b:54: 81:3e:eb:28:4e:09:7f:2d:e0:bc:b8:5a:8b:59:fd: e1:71:c3:e2:d4:95:92:20:53:34:22:bd:bd:cc:9f: 75:35:80:38:df:de:21:3b:71:ca:0c:8e:60:4b:79: f4:92:6c:4f:a5:59:cb:0b:bd:9e:94:01:d1:5e:cd: 3b:97:da:0f:a2:8f:91:33:e2:f6:01:68:b4:2c:88: 66:30:70:37:a0:57:e8:4e:78:8f:7f:c8:bf:a5:a6: d0:8b:6a:10:b5:f3:03:db:80:c9:31:6d:11:81:ed: 14:c4:36:69:65:c2:b5:35:b5:24:47:0f:b2:2d:a1: ce:ec:08:e9:76:71:c1:29:99:87:35:89:75:3e:7b: 29:ad:11:b2:75:7c:7b:c8:53:d1:bf:7b:86:9d:f2: 
ad:e1:79:5c:fe:a8:34:90:11:0e:f1:46:bf:62:cc: 91:02:79:1c:d7:72:b8:44:97:ba:b5:07:d6:b0:85: 53:e0:34:51:a0:ae:a4:0b:26:b0:4c:e6:20:9d:ce: eb:06:d1 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Key Usage: critical Digital Signature, Certificate Sign, CRL Sign X509v3 Basic Constraints: critical CA:TRUE, pathlen:1 X509v3 Subject Key Identifier: A0:24:D9:73:A9:06:F2:2A:E1:0A:FB:5D:EC:40:AC:9F:45:7F:D4:8D X509v3 Authority Key Identifier: keyid:A0:F9:60:38:52:E4:6D:9F:1B:51:A4:D7:F5:39:83:CA:08:E9:87:23Signature Algorithm: sha512WithRSAEncryption 08:26:76:c5:a4:50:6b:55:c1:14:6d:16:e8:5d:e5:fd:9a:67: dd:ca:37:8b:76:79:ed:49:bd:03:ec:cf:6e:07:8c:8f:6a:74: bb:d5:86:b6:42:87:ca:9b:e2:e2:54:e1:73:48:45:fc:a8:5c: 1a:7e:fb:e8:43:fa:16:6b:82:e7:d4:5a:f9:1e:95:ce:f5:3d: 66:0d:0e:dd:3d:91:22:9e:6b:2d:7a:ca:fd:2f:49:6b:d9:16: 1b:03:cb:5d:61:ac:5d:f6:0c:4e:56:84:7e:e4:49:d2:fa:92: a3:60:2e:ca:45:3a:c7:df:d5:da:ab:8d:65:ef:8e:42:ce:85: ef:2f:3f:90:60:83:2f:45:3c:19:f7:37:50:c3:d0:7f:b0:f0: 18:fd:3f:37:b4:7e:82:f9:fb:ba:7a:fa:2c:bd:00:c8:d9:5e: 87:31:00:f3:f5:c1:4b:f4:6f:8d:0c:ba:f2:58:d7:e1:45:77: 2f:3c:ac:b8:7e:81:b2:b5:c0:f8:70:ff:86:ba:05:15:a2:9f: 94:b0:a7:f6:ca:e7:94:ee:1f:87:fd:f6:2d:82:45:b7:1e:79: 7c:5d:bf:98:86:51:aa:fc:6b:17:e3:28:75:64:1b:a7:cb:66: 83:01:a8:53:e1:c2:50:00:5c:d9:71:3e:a5:e0:c9:80:6a:a2: 59:c5:a3:5b:85:63:c9:98:2c:ba:bb:5f:3d:d4:95:95:19:a3: ad:8a:12:37:56:13:79:46:19:ab:f8:91:95:33:a2:76:69:3f: b7:0d:56:2d:4e:19:5c:a3:10:ac:bd:d3:06:20:58:0e:85:79: 02:78:e1:f1:70:ad:c0:9c:e5:6f:05:c4:99:22:b9:33:64:c7: 69:d8:11:a5:22:aa:55:6b:2c:84:bd:da:27:ba:73:83:b3:8b: 60:89:0a:0b:3f:12:d7:67:c7:0a:f1:a6:4d:0d:00:a1:6a:db: 0e:8a:6f:31:5e:53:f1:26:4c:f4:08:dd:37:37:78:27:6c:50: 25:37:b4:c1:c6:f1:36:a2:52:45:87:57:9e:c1:69:25:89:34: 97:f2:6f:b2:ed:10:5a:d5:e1:52:ac:da:c5:c7:c0:1d:7a:e7: 93:09:87:76:93:ff:03:28:07:78:62:05:10:1f:94:51:84:41: 55:6b:9d:79:b2:36:43:93:71:10:ad:f3:5a:b2:db:43:4f:ed: b9:6d:25:be:15:37:b0:b9:a8:c9:03:0c:45:18:a2:09:e5:b8: 
36:79:ca:2e:f5:81:87:dd:18:27:c4:d6:0d:16:16:f3:ea:16: 5b:1a:f5:f5:ff:90:3e:e3:ff:23:37:49:36:d4:af:e2:57:ff: b9:17:4b:4c:87:79:9c:81
If I just have one RADIUS server, then I should simply be able to import only the server's certificate, right? I only need to import a signing cert if I might be talking to one of a pair of RADIUS servers who each have their own certificates. Isn't that correct?
Hi,
As per the current design you have to include the complete chain of certs, and not just the intermediate certificate.
Please try adding the Root CA as well to the intermediate CA cert and then upload.
I think I'm getting closer. I deleted both default certs. Then uploaded a certificate file that contains the root and the intermediate certs in PEM format, called 'chain.pem'. I click 'Import Certificate', and the display shows a few asterisks, then "Uploaded File" and "Done Receiving File". The 'Import Certificate' button text changes to 'chain.pem'. I wait a little more and the page refreshes but there's a quick flash of a message "Error: File bigger than max size". I click "Save Changes", then "Reboot". After reboot, the default certificates are still there. I have included my cert chain below.
-----BEGIN CERTIFICATE----- MIIFnjCCA4agAwIBAgIUeVzSnM5DYi4hCiq/sIdVGJUQU7gwDQYJKoZIhvcNAQEN BQAwVTELMAkGA1UEBhMCVVMxHTAbBgNVBAoTFEFsbCBQb2ludHMgQnJvYWRiYW5k MScwJQYDVQQDEx5BbGwgUG9pbnRzIEJyb2FkYmFuZCBSb290IENBIDEwHhcNMTYw ODA1MTQyMzAwWhcNMzYwODA1MTAyMzAwWjBVMQswCQYDVQQGEwJVUzEdMBsGA1UE ChMUQWxsIFBvaW50cyBCcm9hZGJhbmQxJzAlBgNVBAMTHkFsbCBQb2ludHMgQnJv YWRiYW5kIFJvb3QgQ0EgMTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIB AJ4C0FYMWrpzOzubJm0AzbbBMjR5gqEyTp5s3LDHeMCoC2+WX0n3gEqaD/p8Fy02 FwV10iy3COElClCfaoLU8FE0isqc9Nr+deVb/bvMEgbEsJCjiLahmuYt/JAZemqy PyfDUXILZieTYEjDiap2rgJSqF5V9wX6KXylkbPKDbRamzZFQOrsspiBnsbAoGQs avuCmTS1ilX5S1UqEboidZq5WjUlOoMiptDpvE7FpAT7kYSDuG/XfRvR/nkLaEMl xCPn9OZ3tXMgwMzmIAkLw6q7J5C9RAozEBqufb6K2Da5EmFSEguj1wK+FbZw6zYv jKgyYoRsIGJKK10HmGBP7dj8gMa4TxE2EP3Ifgmdlic1gd5Trs7kgSMxocxHKvSj wvQbw3P9rY9Ie9kV7DIXMNIUJ3o5V0HjyyjEggcyE0lxValRULqD9XfjxkTdFfTZ uN6L/0kSnJ746asMg+LXgytq9RgqMXScZvHIkqaNEHJHgZ2ZqZfiEY7XG8WZrgKr semD6XGRCFoMWIP85PgnvOSvPKlTGYXKp2UsWkf4H6dfiNMId1bnKbNvveZ/G2lI 0f/9JpaHCY1zZQC8DmPZf84UZxi+3GV4StGOcN6RXrRch19l/BBTGIOt+genUyti 697Wof37hHlffCi8fS4iKcVKBD8TuKaglly7I/bapbnrAgMBAAGjZjBkMA4GA1Ud DwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/AgECMB0GA1UdDgQWBBSg+WA4UuRt nxtRpNf1OYPKCOmHIzAfBgNVHSMEGDAWgBSg+WA4UuRtnxtRpNf1OYPKCOmHIzAN BgkqhkiG9w0BAQ0FAAOCAgEAl5O9Fig6rgCNLU0Vkmg17IUB5CFtveCo3BWgC7BB 1ZUri5EvmLO43ODPv1WUC/bCTc/4xZs+d4/sJ6NQ1manm2XxGNMgQOeNKGwk/1Lt jfR23MkN3G4FHrNeDduasqBRhj9pIYpAvTPgIYIiBGCf290dVl9XkUkJTxO1gI36 qnrjU4amF57A2O6hRWlbIZn2uTlXtNEB2wZY/iTD9QQCRs6V7Kk6Ock4IeidNI+o 0BgZ2AgnoXMsexugm0f1aT2dVCMCfNgIY3j8AZ0te9mgBsDJ4woJzuxNpjEfjLJX 82tBusrb3g8sNpYNXhSDkEpnGN6M+dBvrzlF3fTt8HCWT5d6M/Ds3b6sIx1kVDE6 G31KmUmd3et380G0NgBFyd3Qzsi2574ooMZHiUVpmSGDo3smrZtzHeGCpKD4Tidr y2q3pcuS9trpD65l4D0s4EzR7eQmeJu33LGT7SzBpDDpO2bmO8cJS7FMDYC6tKce ahEkcNQL59i0l9eTM4B3PSxbRwc4d2pcwkG+YotkNm1aFO+tuxXRXYaupKLDU5MS scH8V9RzBQD/Vi9J5U1+SbyoruXgkG9YMkGbpoUg3tdP3e43AtghVjK4VZpRlUSS wQYzEy2mvcs8/Z1YpP/NcyH0RUnFqmK+F9Nq6tlUcr4zjYjVEbKXjQlbnoJctE44 5uY= -----END 
CERTIFICATE----- -----BEGIN CERTIFICATE----- MIIFpjCCA46gAwIBAgIUbpT2wYWC3B1DX116hZSWfKr3Vt4wDQYJKoZIhvcNAQEN BQAwVTELMAkGA1UEBhMCVVMxHTAbBgNVBAoTFEFsbCBQb2ludHMgQnJvYWRiYW5k MScwJQYDVQQDEx5BbGwgUG9pbnRzIEJyb2FkYmFuZCBSb290IENBIDEwHhcNMTYw ODA1MTQyMzAwWhcNMzYwODA1MTAyMzAwWjBdMQswCQYDVQQGEwJVUzEdMBsGA1UE ChMUQWxsIFBvaW50cyBCcm9hZGJhbmQxLzAtBgNVBAMTJkFsbCBQb2ludHMgQnJv YWRiYW5kIEludGVybWVkaWF0ZSBDQSAxMIICIjANBgkqhkiG9w0BAQEFAAOCAg8A MIICCgKCAgEAxP3x3PKXSxNreGubknIn1pijd1AG4M2ynKeDEBiafYuljU5HYApv NcQC+sOS3jHBzmMkT0jUV1h2PcRuR8ImfgHTSM/hh08qvxzYRK1GPzwsBQP7S6+s N1jzK1+t78OTHAP8D2+KAshmhoseBAnibpQjUYR4dgVHQ3x+CcdYDiLXIqkyqGp0 eK0mkUdxkXdi4TmyKciSQwQ9d3xWeomXvWT75zQDEPfafkzBqjY9aZVnUKUMc7+B YetwvUtr4l0gUmeWrtHmF62CgGsmxX4d06rKCXWV4/Xm8/lS3oZjt3d2Gg0irvAo 65Oyh8K2fzjZMnqEmH6Ob8zL5oUxCW6WgF3hhrqYekO8v2lohDiHY6mO9rJYmx9H wNXkSofw0dHmj6U1OPDwy6TSjQyPUuG2bdw+qt9hVv4ri1SBPusoTgl/LeC8uFqL Wf3hccPi1JWSIFM0Ir29zJ91NYA4394hO3HKDI5gS3n0kmxPpVnLC72elAHRXs07 l9oPoo+RM+L2AWi0LIhmMHA3oFfoTniPf8i/pabQi2oQtfMD24DJMW0Rge0UxDZp ZcK1NbUkRw+yLaHO7AjpdnHBKZmHNYl1PnsprRGydXx7yFPRv3uGnfKt4Xlc/qg0 kBEO8Ua/YsyRAnkc13K4RJe6tQfWsIVT4DRRoK6kCyawTOYgnc7rBtECAwEAAaNm MGQwDgYDVR0PAQH/BAQDAgGGMBIGA1UdEwEB/wQIMAYBAf8CAQEwHQYDVR0OBBYE FKAk2XOpBvIq4Qr7XexArJ9Ff9SNMB8GA1UdIwQYMBaAFKD5YDhS5G2fG1Gk1/U5 g8oI6YcjMA0GCSqGSIb3DQEBDQUAA4ICAQAIJnbFpFBrVcEUbRboXeX9mmfdyjeL dnntSb0D7M9uB4yPanS71Ya2QofKm+LiVOFzSEX8qFwafvvoQ/oWa4Ln1Fr5HpXO 9T1mDQ7dPZEinmstesr9L0lr2RYbA8tdYaxd9gxOVoR+5EnS+pKjYC7KRTrH39Xa q41l745CzoXvLz+QYIMvRTwZ9zdQw9B/sPAY/T83tH6C+fu6evosvQDI2V6HMQDz 9cFL9G+NDLryWNfhRXcvPKy4foGytcD4cP+GugUVop+UsKf2yueU7h+H/fYtgkW3 Hnl8Xb+YhlGq/GsX4yh1ZBuny2aDAahT4cJQAFzZcT6l4MmAaqJZxaNbhWPJmCy6 u1891JWVGaOtihI3VhN5Rhmr+JGVM6J2aT+3DVYtThlcoxCsvdMGIFgOhXkCeOHx cK3AnOVvBcSZIrkzZMdp2BGlIqpVayyEvdonunODs4tgiQoLPxLXZ8cK8aZNDQCh atsOim8xXlPxJkz0CN03N3gnbFAlN7TBxvE2olJFh1eewWkliTSX8m+y7RBa1eFS rNrFx8AdeueTCYd2k/8DKAd4YgUQH5RRhEFVa515sjZDk3EQrfNasttDT+25bSW+ FTewuajJAwxFGKIJ5bg2ecou9YGH3RgnxNYNFhbz6hZbGvX1/5A+4/8jN0k21K/i 
V/+5F0tMh3mcgQ== -----END CERTIFICATE-----
Also, we've upgraded this testing AP to 16.1
Maximum allowed size is 2560 bytes.
Can you try only uploading the Root CA?
Thanks,
Chitrang
When I import just the self-signed root cert, I get the asterisks, then "Uploaded file" and "Error opening file". Do you get something different with my certs?
Looks like there might be a filename length restriction on the certificate filename. When I renamed the root cert to "chain.pem" then the import worked successfully.
Ok. Root certificate has been imported. When I then import the intermediate, I get a flash of an error, "Cannot save file because it failed verification." I even imported the root, then rebooted and tried to import the intermediate. Both certs are included in an earlier comment.
Hi,
I am looking at how we can fix this.
Either increase the size so that the complete chain can be imported.
Or allow import of intermediate CA certs.
Will update you.
Thanks
Hi,
Can you check the following:
1. Import the Root CA only to the SM; there is no need to upload intermediate CA certs.
2. On your RADIUS server send the complete chain, i.e. Intermediate CA + Root CA, for e.g. chain.pem
If you are using freeradius you have to add chain.pem in the TLS CA_file section of eap.conf
The server certificate signed by this intermediate CA and the server key should also be configured.
3. After this restart the radius server and see if the SM gets authenticated or not. I tested these steps and it works for me.
So in short there is no need to import the intermediate CA, as all we store is the trusted CA.
That appears to work. Thanks for working through it for me.