INTELLIGENT WORK FORUMS
FOR COMPUTER PROFESSIONALS

Log In

Come Join Us!

Are you a
Computer / IT professional?
Join Tek-Tips Forums!
  • Talk With Other Members
  • Be Notified Of Responses
    To Your Posts
  • Keyword Search
  • One-Click Access To Your
    Favorite Forums
  • Automated Signatures
    On Your Posts
  • Best Of All, It's Free!

*Tek-Tips's functionality depends on members receiving e-mail. By joining you are opting in to receive e-mail.

Posting Guidelines

Promoting, selling, recruiting, coursework and thesis posting is forbidden.

Jobs

WLAN Controller E-MSM720: Certificate problem

WLAN Controller E-MSM720: Certificate problem

(OP)
Hello
My company is going to use wireless at som branches and just bought a WLAN Controller E-MSM720, and 2 APs for wireless testing.
The WLAN Controller and APs are working good, but the website's security certificate problem and the warning of the red x error on the login page make users comfused and restless.

There is a problem with this website's security certificate.
The security certificate presented by this website was issued for a different website's address.
Security certificate problems may indicate an attempt to fool you or intercept any data you send to the server.
We recommend that you close this webpage and do not continue to this website.
........
.......


We also tried some default HP Certificate Stores without luck

1 wireless.hp.internal wireless.hp.internal Web Management Tool, SOAP Server, HTML authentication, Billing records logging system
2 Dummy Server Certificate Dummy Authority RADIUS EAP
3 Management Console Default client certificate Management Console Dummy Authority HP Management console

We put an article of the problem on the HP forum and hoped that someone can help us, but no reply.
We also sent a mail to HP Networking for help and received only the request confirmation of support. We have been waiting for long time and no one could contact us.
Therefore we post the problem here and need your help
Could you please tell us how to solve the problem? and where can we buy such certificate to apply on the WLAN Controller?
Thank you!

Beste regards

Tri

RE: WLAN Controller E-MSM720: Certificate problem

So the only way to not get this is to either purchase a public trusted certficate and install to the controller for it to use for HTML authentication or use your own internal CA and generate a certificate for the controller. Your stations will have to of course trust your internal CA, so on non-domain joined machines, you would have to import the certificate into the unit's certificate store. That's why public certs are much easier to deal with sometimes.

I know there was a posting on the HP forum for the MSM series on certificates not too long ago, so just let me know if you need further info on this matter.

RE: WLAN Controller E-MSM720: Certificate problem

(OP)
Hello.
Thanks for your reply.
OK. We choose to use the own internal CA and generate a certificate for the controller. Could you please explain more details?
Yes, this certificate is for non-domain joined machines and smart telephones.

I took 2 screenshots of certificate storage and usage on the WLAN controll: http://itprof.no/Certificate.pdf.

Best regards

Tri

RE: WLAN Controller E-MSM720: Certificate problem

This should show you what you need to know for the controller. http://bizsupport2.austin.hp.com/bc/docs/support/S...
Then you will need to export your CA certificate from your internal CA and import it into your machines/devices as needed. Machines are easy enough (google on how to do this), smartphones are easy also, but different phones require different techniques. Again, just google search "import private CA certificate or internal certificate to _____ (whatever your phones/devices are, etc... apple, android, blackberry, etc...).

Now that your controller has a certificate from a CA and that machine/device trusts the CA, you will not be hit with that screen.

RE: WLAN Controller E-MSM720: Certificate problem

(OP)
Hello

Open "openssl" as administrator
1)req -new -newkey rsa:2048 -nodes -keyout wireless.domain.com.key -out wireless.domain.com.csr

2) x509 -req -days 4500 -in wireless.toa.no.csr -signkey wireless.domain.com.key -out wireless.domain.com.pem

3) pkcs12 -export -in wireless.domain.com.pem -inkey wireless.domain.com.key -out wireless.domain.com.p12

Installing the new SSL certificate onto Certificate Storage of the MSM is succeeded
And then I go to the Certificate Usage / Services PKI management and changed HTTP Authentication to wireless.domain.com

When the users open the browser and the warning is still there. What did I do wrong?
It works only when the users have to manuell install the certificate on Firefox and the users don`t have right to install the certificate on IE. Why?

Can you explain why?
Thanks

Best regards
Tri

RE: WLAN Controller E-MSM720: Certificate problem

(OP)
2) x509 -req -days 4500 -in wireless.domain.com.csr -signkey wireless.domain.com.key -out wireless.domain.com.pem

RE: WLAN Controller E-MSM720: Certificate problem

Did you manually install the CA certificate on your devices as I mentioned?
You mention IE, so on those you are talking about computers and not phone/devices. If these computers are not a member of the domain, then you will have to treat them the same as your phones/devices that are also not a member of your domain. Yes, you must have local box administrator rights to be able to install a certificate into the local computers certificate store. This is just the nature of the beast since you chose not to use a already publically trusted certificate. You have to install that certificate into every computer and device that is not domain joined. Domain joined computers would have authomatically trusted the domain CA and also, you could have pushed out additional certificates via GPO if need be.

RE: WLAN Controller E-MSM720: Certificate problem

(OP)
Hello

After creating a Certificate Signing Request (CSR) for an SSL certificate
This is what I used to create a 30 days Trial at the certificate vendor to get the certificate signed.
the certificate vendor sent back to me 2 files "Root CA.crt and Intermeidate CA.crt"

I tried to convert to PKCS #12 format, but it did not work.
I sent an mail to the certificate vendor and asked for help how to apply a certificate into the HP WLAN controller

The certificate vendor received my mail, but I have been waiting almost 3 weeks and still not get any response.
Could you please tell me how to convert the PKCS #12 format?

Thank you

Best regards

Tri

RE: WLAN Controller E-MSM720: Certificate problem

Page 17 of the pdf I provided a link to lays it out explicitly how to do this. Just make sure you are following the document correctly as I have done this using that document without issue.

RE: WLAN Controller E-MSM720: Certificate problem

(OP)
Hello again

I could convert from certi.key and certi.pem (a 30 days Trial) to certi.p12

certi.p12 is applied to Certificate and private key store on the HP WLAN Controller. It worked, and then I changed the certificate usages such as (Web Management Tool,SOAP Server and HTTP authentication to new certicate #12 format

The users see the new URL (no more wireless.hp.internal) at the login page, but the warning and the red X are still on the login page. Why

When I look the status sign at the management, it shows the yellow sign on th certi.12 and the HP Certificate defaults show green sign
The yellow sign, is it becuase a 30 days Trial certificate????

Something about Trusted CA certificate store and PKCS #7 file or X.509 certificate at the management
Do I need to convert to PKCS #7 file or X.509 certificate and then install on Trusted CA certificate store?


Please tell me what I did wrong here?

Thanks

Best regards

Tri



RE: WLAN Controller E-MSM720: Certificate problem

The CA certificate you are using, is it a public trusted CA in your local computer's certificate store? Someone like Digicert, Verisign, etc...?

RE: WLAN Controller E-MSM720: Certificate problem

(OP)
Hello
I created a Trial certificate from Verisign

I took 2 screenshots of the WLAN Controller Management: http://itprof.no/Certificate.pdf

At the first screenshot about Certificate stores
I just installed PKCS #12 format at Certificate and private key store
It shows the firth ID issued to firmainternal.wireless and shows the yellow sign.

I did not change anything Trusted CA certificate store.
Do I need to convert to PKCS #7 file or X.509 certificate and then install on Trusted CA certificate store?

At the second screenshot about Certificate usage
HTML authentication is changed to firmainternal.wireless
--------------------
Sorry, what do you mean with is it a public trusted CA in your local computer's certificate store?

Thanks your help

Best regards

Tri

RE: WLAN Controller E-MSM720: Certificate problem

(OP)
Hello
cajuntank, thanks for your help
I got the answer from one company and said that they don`t issuer the local certificate such as .private, .local, .wirelss. They issuer only domain certificate such as .com, .org,.net

Has anyone been involved in this case?

Thanks

Best regards

Tri

RE: WLAN Controller E-MSM720: Certificate problem

Retread through your postings to see if I ever missed you mentioning using a internal domain name for your certificate. Glad you figured it out and was I could assist.

Red Flag This Post

Please let us know here why this post is inappropriate. Reasons such as off-topic, duplicates, flames, illegal, vulgar, or students posting their homework.

Red Flag Submitted

Thank you for helping keep Tek-Tips Forums free from inappropriate posts.
The Tek-Tips staff will check this out and take appropriate action.

Reply To This Thread

Posting in the Tek-Tips forums is a member-only feature.

Click Here to join Tek-Tips and talk with other members!

Resources

Close Box

Join Tek-Tips® Today!

Join your peers on the Internet's largest technical computer professional community.
It's easy to join and it's free.

Here's Why Members Love Tek-Tips Forums:

Register now while it's still free!

Already a member? Close this window and log in.

Join Us             Close