We have an issue with a third party SSL certificate (GoDaddy) in our new HiveManager virtual appliance. I created a new server CSR in the HiveManager, exported the CSR file and executed a certificate request at a third party company (of course with the content of the CSR file). The procedure at the third party is completed, but when I want to use the certificate in the HTTPS settings of the HiveManager I get the following error:
'Unable to install the certificate. An error occurred while installing the certificate file. There is either a mismatch between the certificate and private key or the private key password is incorrect.'
In the HiveManager I use the PEM file created by the server CSR option. I used a password at the server CSR creation and I'm 200% sure that it is the correct one that I use in the HTTPS settings.
Anyone have an idea (or is there a manual for this procedure)?
In the 1024 bit and smaller certificate key days (the minimum is now 2,048 bit) you just needed the public certificate authority issued certificate and a root certificate. The root certificate would be automatically installed onto Windows devices using the Windows Update service. If you had a non-Windows wireless client, such as a Windows Mobile wireless scanner, you would export the appropriate root certificate from the Windows device and import it into the non-Windows wireless client. The role of the root certificate is to tell the device that any certificate signed (created) by the certificate authority who issued the root certificate is trusted. Without the root certificate for the certificate authority (the integrated HiveManager certificate authority, a public certificate authority or a Windows domain based certificate authority) the wireless client will not trust any certificate signed (created) by that certificate authority.
When 2,048 bit certificates got released it got a little bit harder, as intermediate certificates are now required:
1,024 Bit - <Public CA Issued Certificate> <-> <Public CA Root Certificate>
2,048 Bit - <Public CA Issued Certificate> <-> <Public CA Issued Intermediate Certificate(s)> <-> <Public CA Root Certificate>
Each public certificate authority has a support area that allows you to obtain the appropriate intermediate certificate(s) and advises how to install them.
The "advantage" of using a public certificate authority certificate is that non-domain devices, such as guests and BYOD devices, should support them automatically. If you utilise the HiveManager integrated certificate authority you will need to push out to your domain devices the HiveManager integrated certificate authority root certificate via group policy to get the domain devices to trust any certificates issued by the HiveManager integrated certificate authority. For guest and BYOD devices you would need to manually install the HiveManager integrated certificate authority root certificate to get them to trust any certificates issued by the HiveManager integrated certificate authority. Of course, if you utilise a Captive Portal or Private PSKs to authenticate guests and BYOD devices then you will not have a certificate issue.
So, in your case I would:
1. Ignore the HiveManager integrated certificate authority as you have obtained a certificate from a public certificate authority (GoDaddy)
2. Obtain the intermediate certificate(s) from GoDaddy and follow the GoDaddy support articles on how to install them. I suspect that you may just need to install the GoDaddy issued certificate and the GoDaddy intermediate certificates into the HiveManager Certificate Management area (Configuration -> Advanced Configuration -> Keys and Certificates -> Certificate Management) and it is the intermediate certificates that you have missed:
<Public CA Issued Certificate> <-> BROKEN CERTIFICATE CHAIN <-> <Public CA Root Certificate>
Enable HTTPS: Select the check box to enable HTTPS on the captive web portal, and then select the certificate (in .pem format) that you previously loaded on the HiveManager and then uploaded to APs. (You can also use Default-CWPCert, which is the default certificate for captive web portals preloaded on HiveManager.) The AP hosting the captive web portal then uses HTTPS to secure traffic between the client and its captive portal web server.
The certificate file must have the following properties:
- The file format must be PEM (Privacy Enhanced Mail)
- It must contain a server private key stored in an unencrypted format
- It must contain a server certificate concatenated to the private key
Our GoDaddy wildcard certificate expired, and was renewed. It was a bit of a mission to figure out how to re-load this on our system, but it looks like it is working now. In case anyone else is trying to do this here is what we did.
the Cert. Because mine was a renewal I ended up rekeying the certificate,
although in hindsight I probably didn’t need to. To generate the Certificate
2. Pressing the Create will give a file with a CSR extension that you can open in Notepad & cut and paste to GoDaddy as part of the certificate creation. When the cert has been created download it. This will come as a ZIP file containing two files with CRT extensions.
3. One file is the server cert, the other is the cert chain. I merged the two by opening the server cert and pasting in the contents of the ‘gd_bundle-g2-g1.crt’ file immediately after the server cert with no carriage returns. This file was saved as wildcard.pem.
4. Import the certificate into Aerohive.
Note the files with the _key in the name. These are automatically created as part of the CSR.
5. From the Home tab, go to HiveManager settings, and in the right pane go to the HTTPS Certificate part. Choose Settings.
6. Import the cert.
If this is successful then you will need to restart the HiveManager services.
Once this is done you will be able to connect to the FQDN of the HiveManager page without certificate errors.
It is technically best practice to ensure that you have a discrete certificate per 'purpose', but nothing stops you technically from using the same certificate in multiple places.
OpenSSL at the command line can convert to and from all formats. This is well documented. If you do a Google search and go through a few tutorials and explanations, it should become clear to you.
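As an added example (not code from any post in this thread, nor Aerohive's or GoDaddy's), here are the OpenSSL checks that cover the points raised above before you click Import: the "mismatch between the certificate and private key" error from the opening question, the missing-intermediate chain from the first reply, the PEM requirements (unencrypted private key concatenated with the server certificate and chain), and the last reply's pointer to OpenSSL. So that it runs offline it builds a constructed root / intermediate / server chain in a temp directory as a stand-in for the GoDaddy chain; the hostname hivemanager.example.test, the password hunter2 and the file names are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): OpenSSL checks for the HiveManager PEM upload.
# All names here (hivemanager.example.test, password "hunter2", file names) are constructed.

# 1. Does the certificate belong to this private key?  Compare the public key embedded in
#    the certificate with the public key derived from the private key (works for RSA and EC).
#    $3 is an optional password for an encrypted key; passing it avoids an interactive prompt.
cert_matches_key() {  # cert_matches_key <cert.pem> <key.pem> [password]
  c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  k=$(openssl pkey -in "$2" -passin "pass:${3:-}" -pubout 2>/dev/null) || return 1
  [ "$c" = "$k" ]
}

# 2. HiveManager wants the key unencrypted.  Both the legacy "Proc-Type: 4,ENCRYPTED" header
#    and the PKCS#8 "BEGIN ENCRYPTED PRIVATE KEY" header contain the word ENCRYPTED.
key_is_unencrypted() {  # key_is_unencrypted <key.pem>
  grep -q 'PRIVATE KEY' "$1" && ! grep -q 'ENCRYPTED' "$1"
}

# 3. Strip the password that was set when the CSR was generated (fails on a wrong password).
decrypt_key() {  # decrypt_key <encrypted.key> <password> <out.key>
  openssl pkey -in "$1" -passin "pass:$2" -out "$3" 2>/dev/null
}

# 4. Verify the chain the way a client does: the server cert must chain through the
#    intermediate bundle (gd_bundle-g2-g1.crt for GoDaddy) up to a trusted root.
verify_chain() {  # verify_chain <server.crt> <bundle.crt> <root.crt>
  openssl verify -CAfile "$3" -untrusted "$2" "$1" >/dev/null 2>&1
}

# 5. Assemble the upload file: server cert, intermediates, then the unencrypted key.
#    Each PEM block must start on its own line; a file without a trailing newline
#    would glue "-----END CERTIFICATE----------BEGIN ..." together and break parsing.
build_pem() {  # build_pem <out.pem> <server.crt> <bundle.crt> <plain.key>
  out="$1"; shift
  : > "$out"
  for f in "$@"; do
    cat "$f" >> "$out"
    [ -z "$(tail -c 1 "$f")" ] || echo >> "$out"   # add the newline only if it is missing
  done
  [ "$(grep -c -e '-----BEGIN' "$out")" -ge 3 ]    # at least cert + one intermediate + key
}

# Constructed root -> intermediate -> server chain, standing in for the GoDaddy one.
make_demo_pki() {  # make_demo_pki <dir>
  d="$1"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:hivemanager.example.test\n' > "$d/srv.ext"
  openssl genrsa -out "$d/root.key" 2048 2>/dev/null
  openssl req -new -key "$d/root.key" -subj "/CN=Demo Root CA" -out "$d/root.csr" 2>/dev/null
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 30 \
    -extfile "$d/ca.ext" -out "$d/root.crt" 2>/dev/null
  openssl genrsa -out "$d/int.key" 2048 2>/dev/null
  openssl req -new -key "$d/int.key" -subj "/CN=Demo Intermediate CA" -out "$d/int.csr" 2>/dev/null
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.crt" -CAkey "$d/root.key" -CAcreateserial \
    -days 30 -extfile "$d/ca.ext" -out "$d/int.crt" 2>/dev/null
  # The server key is password-protected, like the one the HiveManager CSR tool produced.
  openssl genrsa -aes256 -passout pass:hunter2 -out "$d/server.enc.key" 2048 2>/dev/null
  openssl req -new -key "$d/server.enc.key" -passin pass:hunter2 \
    -subj "/CN=hivemanager.example.test" -out "$d/server.csr" 2>/dev/null
  openssl x509 -req -in "$d/server.csr" -CA "$d/int.crt" -CAkey "$d/int.key" -CAcreateserial \
    -days 30 -extfile "$d/srv.ext" -out "$d/server.crt" 2>/dev/null
}

main() {
  w=$(mktemp -d) && make_demo_pki "$w"
  decrypt_key "$w/server.enc.key" hunter2 "$w/server.key" && echo "key decrypted"
  cert_matches_key "$w/server.crt" "$w/server.key" && echo "certificate and key match"
  cert_matches_key "$w/server.crt" "$w/int.key" || echo "wrong key rejected (the HiveManager error)"
  verify_chain "$w/server.crt" "$w/int.crt" "$w/root.crt" && echo "chain verifies"
  verify_chain "$w/server.crt" "$w/root.crt" "$w/root.crt" || echo "chain without intermediate fails"
  build_pem "$w/wildcard.pem" "$w/server.crt" "$w/int.crt" "$w/server.key" && echo "built $w/wildcard.pem"
}
if [ "${1:-}" = "--demo" ]; then main; fi
```

Run it as `sh check_pem.sh --demo` to see the checks on the constructed chain; for a real renewal, call the same functions on the GoDaddy server certificate, the gd_bundle-g2-g1.crt bundle and the _key file that the HiveManager CSR step produced. A failing cert_matches_key means the certificate was issued for a different CSR than the key you are uploading (for example after a rekey), which is exactly the condition the HiveManager error message describes.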