Certificate Management

View, add, sort, select, modify, import, export, and delete certificate/key objects.

Navigation

Navigate using the tab icons. Hover over an icon to see the name of the tab.

Configure > Common Objects > Certificate > Certificate Management

Also see Create a Certificate and Key.

View Certificates

To support secure wireless client traffic and captive web portal configurations using HTTPS, ExtremeCloud IQ provides features that allow you to view and manage Certificate Management objects. Features include viewing captive web portal certificates, creating an ExtremeCloud IQ CA, creating a Server CSR, concatenating an existing certificate and private key, and creating a new self-signed certificate. To generate and use Certificate Management objects, you must enter required information such as the Common Name, Organization Name, Validity, Password, and other details. See Create a Certificate and Key. This window also provides detailed descriptions of all the user fields to help you use digital certificates. Here is a short overview of each of the four windows in ExtremeCloud IQ where you can create digital certificates.

The table on this window contains the following information about existing certificates:

File Name: The name of the certificate.

Type: Identifies the type of certificate.

Encrypted: True or false.

Size: The file size of the certificate.

Date Modified: The date the certificate was created, or most recently modified.

Description: A description of the certificate.

Used by: Shows the number and description of objects using the file. Examples include RADIUS or LDAP server objects, and captive web portal objects. This detailed information is displayed as your cursor hovers over the number in the Used By column.

Generate Certificates

You can view each of the four windows by selecting Add. For configuration details, see Create a Certificate and Key.

HiveManager CA: This window allows you to generate your own CA (certificate authority) certificate.

Server CSR: The server CSR (certificate signing request) consists of three parts that are used during the verification process with a client that is seeking to communicate securely with a server. The first part consists of a number of fields describing the content of the certificate—subject name, issuing CA name, signature method (RSA or DSA), validity period, and so on—in plaintext. The second part is the server's public key. The third part consists of the same fields hashed with the server's message digest, or public key, and then encrypted with the private key of the issuing CA (the ExtremeCloud IQ CA, for example) to form the CA's digital signature.

Concatenate an existing certificate and private key: One of the options in a captive web portal configuration is to secure wireless client traffic using HTTPS. The type of web server that an Extreme Networks device supports requires that the server certificate be concatenated with an unencrypted private key that corresponds with the public key in the certificate. In this window, you can concatenate an existing server certificate and private key or generate a new self-signed server certificate that already has the private key and certificate concatenated.

Self-signed certificate: In this window, you can generate a new self-signed server certificate that already has the private key and certificate concatenated.

Import a Certificate File

If you use a third-party CA to sign certificates, you can first generate and export a CSR, then send it to the CA, and finally—when the CA returns the signed certificate and private key file—import the certificate into ExtremeCloud IQ.

Extreme Networks devices support PEM-formatted (Privacy Enhanced Mail) certificates for all features that make use of certificates.

To import a certificate file:

  1. Select .
  2. Enter the path and file name in the Certificate File field, or select Browse and navigate to the location where you previously saved the file.
  3. Select Open, and then Import, or to cancel the import operation, select Return.
  4. Repeat these steps to import other certificate and key files. To cancel the import operation, select Return.

If you import certificates in PFX or DER format, you must use the conversion tool to reformat them as PEM files. To import a PFX-formatted file, which contains a certificate and private key combined, and convert its format from PFX to PEM:

  1. Select .
  2. Enter the path and file name in the Certificate File field, or select Browse and navigate to it.
  3. Select Convert the certificate format from PFX to PEM.
  4. Enter the password that was used to encrypt the PFX file.
  5. Select Save, or to cancel the import operation, select Cancel.
Note

Later, when you use the PEM-formatted file that contains both the certificate and private key, you must choose the same file for both the Certificate and Private Key fields.

To import a pair of DER-formatted files, one containing a certificate and the other its accompanying private key, and convert their format from DER to PEM:

  1. Select .
  2. Enter the path and file name for the server certificate file in the Certificate File field, or select Browse and navigate to it.
  3. Select Convert the certificate format from DER to PEM.
  4. Select the type of file you are importing; in this case, Certificate.
  5. Select Save, or to cancel the import operation, select Cancel.
  6. To import the private key file matching the public key in the certificate you just imported, repeat steps 1 - 3 but select Key for the file type.
  7. When importing a DER-formatted private key, enter the password that was used to encrypt the file.
  8. Select Save, or to cancel the import operation, select Cancel.

Export a Certificate File

You must export the ExtremeCloud IQ CA certificate and send it to wireless clients for use when verifying the server certificates that Extreme Networks RADIUS servers send them. Extreme Networks RADIUS servers send server certificates to authenticate themselves when performing TTLS (Tunneled Transport Layer Security), PEAP (Protected Extensible Authentication Protocol), and TLS (Transport Layer Security).

Note

If you want to provide mutual authentication between RADIUS supplicants and a RADIUS server, use TLS and provide each supplicant with a client certificate. Because ExtremeCloud IQ does not generate client certificates, you must obtain client certificates, server certificates, and the issuing CA's CA certificate from a third-party certificate authority. Then load the client and CA certificates on the supplicants, and the server and CA certificates on the RADIUS servers.

You must export CSRs (certificate signing requests)—and the encrypted private keys that correspond with the public keys in those CSRs—so that you can send them to third-party CAs for signing.

It is unnecessary to export server certificates (and their corresponding private keys) because they are only intended for use by Extreme Networks RADIUS servers. You can upload server certificates and private keys directly from ExtremeCloud IQ to APs.

When using certificates on RADIUS servers, you must select them when configuring the RADIUS server settings.

To export a CA certificate file for use by wireless clients or a server certificate for use by Extreme Networks RADIUS authentication servers:

  1. Choose a single file in the list, and then select Export, or to cancel the export operation, select Cancel.
  2. Navigate to the location where you want to save the file, and then select Save.
  3. Repeat these steps to export other certificate and key files.

Export a CWPCert.pem File

To export a CWPCert.pem file:

  1. Choose a single file in the list, and then select Export, or to cancel the export operation, select Cancel.
  2. Navigate to the location where you want to save the file, and then select OK.
  3. Repeat these steps to export additional certificate files.

Remove a Certificate File

To remove a certificate or key file, select the one that you want to remove, and then select . A removal confirmation message appears. To confirm the removal, select Yes. To cancel the removal, select No.

More About the Client Verification Process

The steps that the client uses to verify that the server certificate is authentic are described below.

For the client device to verify that the server certificate is authentic, it goes through a number of steps. First, it uses the public key in the CA certificate that it already has to decrypt the hash provided by the server certificate. It then uses the server's public key to create another hash of the plaintext content. Lastly, it compares the two hashes. If both hashes match, the authentication check is successful. If not, the check fails and the HTTPS connection cannot be completed.
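The certificate objects and format conversions this page describes (a CA, a Server CSR, the concatenated certificate and unencrypted key for the captive web portal, PFX and DER imports converted to PEM, and the CA-signature check a client performs) carried out with the openssl command line, as an added example that is not part of the ExtremeCloud IQ documentation or product. The file names, subject names and PFX password are constructed for the example; the checks at the end are the ones a practitioner would run before uploading the files to a device or RADIUS server.

```shell
# Added example, not ExtremeCloud IQ code: the page's certificate objects and
# format conversions reproduced with the openssl CLI in a scratch directory.
# All names, subjects and the PFX password below are constructed for the demo.
set -eu
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# 1. A private CA, standing in for the CA certificate the page lets you generate.
openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Example Lab CA" \
    -keyout ca.key -out ca.pem 2>/dev/null

# 2. Server key plus CSR (the "Server CSR" object), then the CA signs the CSR.
openssl req -newkey rsa:2048 -nodes -subj "/CN=portal.example.test" \
    -keyout server.key -out server.csr 2>/dev/null
openssl x509 -req -in server.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
    -days 365 -out server.pem 2>/dev/null

# 3. Certificate concatenated with its UNENCRYPTED private key, the layout the
#    captive web portal's web server requires (the page's CWPCert.pem).
cat server.pem server.key > cwpcert.pem

# 4. PFX -> PEM. Build a password-protected PFX from the pair, then unpack it as
#    the import dialog does: supply the PFX password, leave the key unencrypted.
openssl pkcs12 -export -in server.pem -inkey server.key -out server.pfx \
    -passout pass:constructed-pfx-password
openssl pkcs12 -in server.pfx -out from_pfx.pem -nodes \
    -passin pass:constructed-pfx-password

# 5. DER -> PEM. Certificate and key are separate DER files, converted one at a
#    time (the page has you import the Certificate first, then the Key).
openssl x509 -in server.pem -outform DER -out server.der
openssl pkey -in server.key -outform DER -out server_key.der
openssl x509 -in server.der -inform DER -out from_der_cert.pem
openssl pkey -in server_key.der -inform DER -out from_der_key.pem

# Checks worth running before uploading anything to a device or RADIUS server.
pem_block_count() {    # number of PEM objects in a file (2 = certificate + key)
    grep -c -- '-----BEGIN ' "$1"
}
key_matches_cert() {   # the key file holds the private half of the cert's public key
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}
chain_verifies() {     # the client-side check the page describes: CA signature is valid
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}
key_matches_cert cwpcert.pem cwpcert.pem && echo "cwpcert.pem: key and certificate belong together"
key_matches_cert from_der_cert.pem from_der_key.pem && echo "DER pair: key matches certificate"
chain_verifies ca.pem from_pfx.pem && echo "from_pfx.pem: verifies against ca.pem"
```

Later, when the converted PFX file is chosen for both the Certificate and Private Key fields, the same `key_matches_cert` test against a single file confirms the two halves it carries belong together.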

Copyright © 2020 Extreme Networks. All rights reserved. Published March 2020.