Configuration Guide How to Configure HTTPS Certificate to Avoid “Untrusted Certificate” Error
Background:
This post introduces the configuration steps for the HTTPS certificate with Omada Controller.
This Article Applies to:
Omada SDN software and hardware controllers.
Application Scenario:
When logging into the Omada Software Controller using a browser and entering the domain name “localhost:8043” (or the login domain name you assigned to the controller), you will receive the following “untrusted certificate” error message:
To eliminate the "untrusted certificate" error message in the login process, import the corresponding SSL certificate and private key issued by the certificate authority.
Configuration Steps:
Step 1. Import HTTPS Certificate File
1. Launch the Omada SDN controller, choose Global View, go to Settings > System Settings > HTTPS Certificate.
2. Choose File Format according to your HTTPS certificate and Import.
There are three options for File Format, JKS (default option), PFX and PEM:
- JKS: With this file format selection, it is required to upload an SSL certificate file with a .jks extension. Enter the Keystore Password if your SSL certificate has. Otherwise, leave it blank.
- PFX: With this file format selection, it is required to upload an SSL certificate file with a .pfx extension. Enter the Private Key Password if your SSL certificate has. Otherwise, leave it blank.
- PEM: With this file format selection, it is required to upload an SSL certificate file with a .pem extension and SSL Key file.
In this example, we choose PEM as the File Format.
3. After completing the upload of the corresponding file, you can see the name of the uploaded file. You can also delete and re-upload files.
4. Fill in other required entries, scroll to the bottom of the page, and click Save. The configuration will take effect after restarting the controller.
Step 2. Add Hosts Hijacking Entries and Flush DNS Resolution Cache
1. The hosts file is usually stored in a folder with the path "C:\Windows\System32\drivers\etc.”. Open the hosts file with Notepad, and add the hijacked entry:
“192.168. 7.21 tpwx.xxx”. Save the file.
The former part is the domain name of the controller; the latter is the domain name of your HTTPS certificate.
In this example, the domain name of the Controller is “192.168.7.21” and the domain name of the HTTPS certificate is “tpwx.xxx”.
2. Open the terminal, and enter the command “ ipconfig /flushdns “to flush the DNS resolution cache:
Verification:
Restart the controller (if your Controller was restarted after configuring Step 1, you don't need to restart it again), and enter the domain name “https://HTTPS certificate domain name:Controller port” in the address bar of the browser. In this example, the HTTPS certificate corresponds to the domain name “ tpwx.xxx ‘ and the controller corresponds to the port number 8043, so the domain name would be ’https://tpwx. xxx:8043 “:
We have successfully accessed the controller login page via the HTTPS certificate domain name, and there is no "untrusted certificate" error message.
Feedback:
- If this was helpful, welcome to give us Kudos by clicking the upward triangle below.
- If there is anything unclear in this solution post, please feel free to comment below.
Thank you in advance for your valuable feedback!
------------------------------------------------------------------------------------------------
Have other off-topic issues to report?
Welcome to > Start a New Thread < and elaborate on the issue for assistance.
Create your own Certificate Authority (CA) and generate your Certificate for the omada controller.
Import the CA root certificate ca.pem in your Client Windows System
Install openssl on a linux system
1. CAkey - generate private key for Certificate Authority (CA)
openssl genrsa -aes256 -out root-ca.key 2048
2. CA - create CA root certificate ca.pem to import in Client System
openssl req -x509 -new -nodes -key root-ca.key -sha512 -days 3650 -out root-ca.pem -config root-ca.cfg
3. generate private key for target system ssl-key-private.pem (router, controller, switch,...) and Creating a Certificate Signing Request
openssl req -new -nodes -out ssl-certificate.csr -newkey rsa:4096 -keyout ssl-key-private.pem -config ssl-certificate-csr.cfg
4. Signing and create ssl-certificate.pem for target system
openssl x509 -req -in ssl-certificate.csr -CA root-ca.pem -CAkey root-ca.key -CAcreateserial -out ssl-certificate.pem -days 365 -sha256 -extfile ssl-certificate.cfg
#### ca.cfg
[ req ]
prompt = no
distinguished_name = req_distinguished_name
x509_extensions = v3_ca
[ req_distinguished_name ]
C = AT
ST = Vienna
L = Vienna
OU = IT
O = MyOrg
CN = MyOwn Root CA
[ v3_ca ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
basicConstraints = CA:true
### ssl-certificate-csr.cfg
[ req ]
prompt = no
distinguished_name = req_distinguished_name
[ req_distinguished_name ]
C = AT
ST = Vienna
L = Vienna
OU = IT
O = MyOrg
CN = omada controller
### ssl-certificate.cfg
authorityKeyIdentifier=keyid,issuer
nsComment="OpenSSL Generated Server Certificate"
basicConstraints=CA:FALSE
keyUsage=digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
nsCertType=server
extendedKeyUsage=serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = omada.local
IP.1 = 192.168.0.100
