WLAN Controller E-MSM720: Certificate problem

Status
Not open for further replies.

ngtri

Programmer
Dec 7, 2004
53
NO
Hello
My company is going to use wireless at some branches and just bought a WLAN Controller E-MSM720, and 2 APs for wireless testing.
The WLAN Controller and APs are working well, but the website's security certificate problem and the warning of the red x error on the login page make users confused and restless.

There is a problem with this website's security certificate.
The security certificate presented by this website was issued for a different website's address.
Security certificate problems may indicate an attempt to fool you or intercept any data you send to the server.
We recommend that you close this webpage and do not continue to this website.
........
.......


We also tried some default HP Certificate Stores without luck

1 wireless.hp.internal wireless.hp.internal Web Management Tool, SOAP Server, HTML authentication, Billing records logging system
2 Dummy Server Certificate Dummy Authority RADIUS EAP
3 Management Console Default client certificate Management Console Dummy Authority HP Management console

We put an article of the problem on the HP forum and hoped that someone can help us, but no reply.
We also sent a mail to HP Networking for help and received only the request confirmation of support. We have been waiting for long time and no one could contact us.
Therefore we post the problem here and need your help
Could you please tell us how to solve the problem? and where can we buy such certificate to apply on the WLAN Controller?
Thank you!

Best regards

Tri
 
So the only way to not get this is to either purchase a public trusted certificate and install it on the controller for it to use for HTML authentication or use your own internal CA and generate a certificate for the controller. Your stations will have to of course trust your internal CA, so on non-domain joined machines, you would have to import the certificate into the unit's certificate store. That's why public certs are much easier to deal with sometimes.

I know there was a posting on the HP forum for the MSM series on certificates not too long ago, so just let me know if you need further info on this matter.
 
Hello.
Thanks for your reply.
OK. We choose to use the own internal CA and generate a certificate for the controller. Could you please explain more details?
Yes, this certificate is for non-domain joined machines and smart telephones.

I took 2 screenshots of certificate storage and usage on the WLAN controller:
Best regards

Tri
 
This should show you what you need to know for the controller. Then you will need to export your CA certificate from your internal CA and import it into your machines/devices as needed. Machines are easy enough (google on how to do this), smartphones are easy also, but different phones require different techniques. Again, just google search "import private CA certificate or internal certificate to _____" (whatever your phones/devices are, etc... apple, android, blackberry, etc...).

Now that your controller has a certificate from a CA and that machine/device trusts the CA, you will not be hit with that screen.
 
Hello

Open "openssl" as administrator
1) req -new -newkey rsa:2048 -nodes -keyout wireless.domain.com.key -out wireless.domain.com.csr

2) x509 -req -days 4500 -in wireless.toa.no.csr -signkey wireless.domain.com.key -out wireless.domain.com.pem

3) pkcs12 -export -in wireless.domain.com.pem -inkey wireless.domain.com.key -out wireless.domain.com.p12

Installing the new SSL certificate into the Certificate Storage of the MSM succeeded.
And then I went to the Certificate Usage / Services PKI management and changed HTTP Authentication to wireless.domain.com

When the users open the browser, the warning is still there. What did I do wrong?
It works only when the users manually install the certificate on Firefox, and the users don't have the right to install the certificate on IE. Why?

Can you explain why?
Thanks

Best regards
Tri
 
2) x509 -req -days 4500 -in wireless.domain.com.csr -signkey wireless.domain.com.key -out wireless.domain.com.pem
 
Did you manually install the CA certificate on your devices as I mentioned?
You mention IE, so on those you are talking about computers and not phones/devices. If these computers are not a member of the domain, then you will have to treat them the same as your phones/devices that are also not a member of your domain. Yes, you must have local box administrator rights to be able to install a certificate into the local computer's certificate store. This is just the nature of the beast since you chose not to use an already publicly trusted certificate. You have to install that certificate into every computer and device that is not domain joined. Domain joined computers would have automatically trusted the domain CA and also, you could have pushed out additional certificates via GPO if need be.
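
What the reply above describes, as an added example (not from the thread or from HP's documentation): the controller certificate is issued by an internal CA rather than self-signed with `-signkey`, then checked against the CA certificate that clients import. The host name wireless.example.com, the CA name "Example Internal CA" and the PKCS#12 password are constructed placeholders.

```shell
#!/bin/sh
# Added example; host name, CA name and password below are constructed.
set -eu

# Issue a controller certificate from a throwaway internal CA and bundle it
# as PKCS#12. Prints the (mode 0700) working directory holding the files.
make_controller_cert() {
    host=$1
    dir=$(mktemp -d)
    # 1) Internal CA: the only self-signed certificate, and the one that
    #    clients import into their trusted root store.
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/CN=Example Internal CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
    # 2) Controller key and CSR (same as step 1 in the thread).
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$host" \
        -keyout "$dir/$host.key" -out "$dir/$host.csr" 2>/dev/null
    # 3) Sign the CSR with the CA key (-CA/-CAkey) instead of -signkey,
    #    and put the host name in subjectAltName, which browsers match on.
    printf 'subjectAltName=DNS:%s\n' "$host" > "$dir/san.ext"
    openssl x509 -req -days 365 -in "$dir/$host.csr" \
        -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/san.ext" -out "$dir/$host.pem" 2>/dev/null
    # 4) PKCS#12 for upload: key + certificate + issuing CA certificate.
    openssl pkcs12 -export -in "$dir/$host.pem" -inkey "$dir/$host.key" \
        -certfile "$dir/ca.pem" -passout pass:changeit \
        -out "$dir/$host.p12"
    echo "$dir"
}

# True when issuer and subject names match, i.e. nothing vouches for the cert.
is_self_signed() {
    [ "$(openssl x509 -in "$1" -noout -subject_hash)" = \
      "$(openssl x509 -in "$1" -noout -issuer_hash)" ]
}

# True when the certificate ($2) verifies against the CA certificate ($1).
chains_to() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

d=$(make_controller_cert wireless.example.com)
chains_to "$d/ca.pem" "$d/wireless.example.com.pem" && echo "chain OK: $d"
```

Only ca.pem is distributed to client devices; ca.key stays on the CA host and the .p12 goes to the controller.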
 
Hello

After creating a Certificate Signing Request (CSR) for an SSL certificate
This is what I used to create a 30 days Trial at the certificate vendor to get the certificate signed.
The certificate vendor sent back to me 2 files "Root CA.crt and Intermediate CA.crt"

I tried to convert to PKCS #12 format, but it did not work.
I sent a mail to the certificate vendor and asked for help on how to apply a certificate to the HP WLAN controller

The certificate vendor received my mail, but I have been waiting almost 3 weeks and still have not gotten any response.
Could you please tell me how to convert to the PKCS #12 format?

Thank you

Best regards

Tri
 
Page 17 of the pdf I provided a link to lays it out explicitly how to do this. Just make sure you are following the document correctly as I have done this using that document without issue.
 
Hello again

I could convert from certi.key and certi.pem (a 30 days Trial) to certi.p12

certi.p12 is applied to Certificate and private key store on the HP WLAN Controller. It worked, and then I changed the certificate usages such as (Web Management Tool, SOAP Server and HTTP authentication) to the new certificate #12 format

The users see the new URL (no more wireless.hp.internal) at the login page, but the warning and the red X are still on the login page. Why?

When I look at the status sign at the management, it shows the yellow sign on the certi.12 and the HP Certificate defaults show a green sign
The yellow sign, is it because of a 30 days Trial certificate?

Something about Trusted CA certificate store and PKCS #7 file or X.509 certificate at the management
Do I need to convert to PKCS #7 file or X.509 certificate and then install on Trusted CA certificate store?


Please tell me what I did wrong here?

Thanks

Best regards

Tri



 
The CA certificate you are using, is it a public trusted CA in your local computer's certificate store? Someone like Digicert, Verisign, etc...?
 
Hello
I created a Trial certificate from Verisign

I took 2 screenshots of the WLAN Controller Management:
At the first screenshot about Certificate stores
I just installed PKCS #12 format at Certificate and private key store
It shows the firth ID issued to firmainternal.wireless and shows the yellow sign.

I did not change anything in the Trusted CA certificate store.
Do I need to convert to PKCS #7 file or X.509 certificate and then install on Trusted CA certificate store?

At the second screenshot about Certificate usage
HTML authentication is changed to firmainternal.wireless
--------------------
Sorry, what do you mean with is it a public trusted CA in your local computer's certificate store?

Thanks for your help

Best regards

Tri
 
Hello
cajuntank, thanks for your help
I got the answer from one company, and they said that they don't issue local certificates such as .private, .local, .wireless. They issue only domain certificates such as .com, .org, .net

Has anyone been involved in this case?

Thanks

Best regards

Tri
 
Reread through your postings to see if I ever missed you mentioning using an internal domain name for your certificate. Glad you figured it out and that I could assist.
 