Security has always been one of my high priorities – security of data, connection and people. So when we installed our managed wireless system a couple of years ago, I wanted to make sure the system was as secure as possible, and made users feel secure too. One of the ways to achieve this is a secure connection between the client and the controller, to which they supply their login details.
I obtained and installed a certificate on our Ruckus ZD3000 two years ago, but failed to make a note of how I completed it. The question has come up a number of times since on Edugeek, and I’ve struggled to remember the exact process. So due to the fact my original certificate is about to expire, I thought I’d take this opportunity to document the process.
Log in to your Ruckus controller and go to Configure – Certificate.
You must create a certificate request, which your certificate authority requires.
You will need to complete some information such as:
- Common Name: This is the name your users will primarily use to connect to the controller. I had already set up a new zone in DNS for wifi.school.leeds.sch.uk pointing to my controller’s IP address.
- Alternative Name: I chose to fall back to an IP address if DNS was an issue. So I popped in my Ruckus controller’s IP address.
- Organization: This is the name of the school, and should be the same as the name registered with your school.leeds.sch.uk domain name.
- Locality / City: In my case Leeds
- State / Province: West Yorkshire
- Country: United Kingdom
Then click apply.
You will be prompted to download a file. I renamed mine so it was called ‘wifi-certificate-request-2013.csr’
At this point you need to decide who you would like to generate your certificate for you. There are lots of companies available. I chose to use ipsCA simply because they give educational establishments a two year certificate for free. StartSSL also give one year certificates for free.
ipsCA require that you complete a simple form. The key here is to ensure that the details reflect your domain registration information. You can easily check your domain registration using nominet.org.uk/whois, whois.domaintools.com or whois.net. Once you have completed and checked the form, submit it for approval. This could be almost instant, or take a little bit of time depending on what they are able to check automatically. Unfortunately mine took a few hours, in which I had to click on verification links in emails, and have my [email protected] approved too.
After a while an email arrives with the certificate attached as a text file.
If you import this certificate (after renaming the text file to .cer) you will find that your users’ devices will still complain. They’re unaware of the organisation that signed the certificate. Therefore you must also install an intermediate certificate. If you’ve used ipsCA like me, I suggest getting the bundled certificate available here which will cover all eventualities.
Open the bundled certificate in Notepad or another plain text editor and copy the complete text (including the beginning and end lines). Then open your certificate and paste the bundled file text at the bottom of your certificate. It will end up looking something like this. Make sure you save it as a .cer file.
Click the Upload button and navigate to your certificate.
Click ‘Install this certificate and then reboot’ and finally click Import – This will reboot your controller.
Now when you log in, you’ll see a lovely green certificate notification in your browser, and your end users will not get any errors – that is until your certificate expires.
- Ruckus have allowed for intermediate certificate import in the GUI. However, I couldn’t get it to recognise the ipsCA Level 1 certificate correctly, so I would recommend doing it the manual way described above.
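
A pre-upload check for the manual merge described above, as an added example that is not part of the original post and is not Ruckus or ipsCA tooling: it confirms that every block kept its beginning and end lines, that only certificates are present, and that the server certificate comes first. The function names are hypothetical and the sample certificates are constructed DER-shaped placeholders, so the check is structural only and does not verify signatures or expiry.

```python
import base64
import re

# One complete PEM block, including its BEGIN and END lines.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

def pem_certificates(text):
    """Return the DER bytes of every certificate in text, in file order."""
    blocks = PEM_BLOCK.findall(text)
    # A delimiter left over after matching belongs to a truncated block.
    if 2 * len(blocks) != text.count("-----BEGIN ") + text.count("-----END "):
        raise ValueError("a BEGIN or END line is missing or mismatched")
    ders = []
    for label, body in blocks:
        if label != "CERTIFICATE":  # e.g. a private key pasted by mistake
            raise ValueError("unexpected block in chain file: " + label)
        der = base64.b64decode("".join(body.split()), validate=True)
        # Structural check only: DER SEQUENCE (0x30) whose two-byte
        # long-form length covers exactly the rest of the block.
        if (len(der) < 4 or der[:2] != b"\x30\x82"
                or int.from_bytes(der[2:4], "big") != len(der) - 4):
            raise ValueError("block is not a complete DER certificate")
        ders.append(der)
    return ders

def build_chain_file(server_pem, bundle_pem):
    """Server certificate first, then the CA bundle pasted underneath."""
    server = pem_certificates(server_pem)
    bundle = pem_certificates(bundle_pem)
    if len(server) != 1:
        raise ValueError("expected exactly one server certificate")
    if not bundle or server[0] in bundle:
        raise ValueError("bundle is empty or repeats the server certificate")
    return server_pem.strip() + "\n" + bundle_pem.strip() + "\n"

def fake_pem(fill, label="CERTIFICATE"):
    # Constructed DER-shaped placeholder, NOT a real certificate.
    der = b"\x30\x82" + (300).to_bytes(2, "big") + bytes([fill]) * 300
    body = base64.encodebytes(der).decode()
    return "-----BEGIN %s-----\n%s-----END %s-----\n" % (label, body, label)

SERVER, BUNDLE = fake_pem(1), fake_pem(2) + fake_pem(3)

if __name__ == "__main__":
    chain = build_chain_file(SERVER, BUNDLE)
    print(len(pem_certificates(chain)), "certificates, server first")
```

To use it on real files, read the emailed certificate and the bundle as text, pass them to `build_chain_file`, and write the result out as the .cer file.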