Omada v4.1.5 SSL issue

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.

2020-07-26 18:39:53 - last edited 2020-07-28 16:28:24
Model: EAP245  
Hardware Version: V3
Firmware Version:

Hello All,

I installed Omada v4.1.5 and everything was working fine, BUT after applying our CA SSL certificate I can't access the web interface and I'm getting this message:

This site can’t provide a secure connection.
localhost uses an unsupported protocol.
ERR_SSL_VERSION_OR_CIPHER_MISMATCH

So, how can I revert back to the localhost SSL?

Also, what are the best practices to apply a custom SSL certificate?

Thanks

#1
Re:Omada v4.1.5 SSL issue
2020-07-27 12:30:25

It's solved by myself. Thank you.

#2
Re:Omada v4.1.5 SSL issue
2020-07-28 01:43:09

@mohkhalifa

Maybe you could post how you resolved it to help others.

#3
Re:Omada v4.1.5 SSL issue-Solution
2020-07-28 14:54:50 - last edited 2020-07-28 16:28:24

Dear all,

The solution is as follows:

First of all, Omada ONLY supports JKS certificate files; no other files are supported. So, if you upload a wrong certificate through the web interface, the web interface won't be launched or working, as I received an error message. To fix it you have to go to the Omada directory C:\Users\YOURNAME\Omada Controller\data\cer, where you will find a file called jetty.jks. Delete this file and create a new JKS certificate through the KeyStore Explorer software.

KeyStore Explorer software:

1- File > New - JKS

2- Tools > Generate key pair - RSA 4,096 - edit name - write down all information needed, CN=(Omada's FQDN)

3- Enter a password for that key pair

4- Tools > Import trusted certificate - you have to add the p12 file created by your CA

Note: a Windows CA creates a PFX file; just rename the extension to .p12

5- File > Save as - save it as a JKS file and enter the same password as for the key pair

6- Launch Omada and make sure that you have deleted the jetty.jks file.

7- Log in to the Omada controller, then Settings > Controller - upload the JKS certificate we made and enter the password, then everything will be fine

Thanks and hope that it's clear for everyone

Recommended Solution
#4
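As an added example (not part of this thread or of TP-Link's software), here is a PowerShell script that does the checks a practitioner would want before replacing jetty.jks on a Windows controller: it verifies the CA-issued PFX actually names the controller FQDN and is not expired, backs up the existing jetty.jks from the data\cer directory named above, and converts the PFX to JKS with the JRE's keytool so the store and key passwords match (step 5 of the solution). The parameter names, the output path and the use of keytool are assumptions of this example; the data\cer path is the one from the thread.

```powershell
# Added example, not from the thread: validate a CA-issued PFX/PKCS12, back up jetty.jks,
# and rebuild it as JKS with keytool (shipped with the JRE Omada runs on).
# Assumptions: $CerDir defaults to the directory named in the thread; keytool is on PATH.
param(
    [Parameter(Mandatory)] [string] $PfxPath,   # PFX exported by the Windows CA (.pfx or .p12)
    [Parameter(Mandatory)] [string] $Fqdn,      # name browsers use to reach the controller
    [string] $CerDir = "$env:USERPROFILE\Omada Controller\data\cer"
)

$secure = Read-Host -Prompt 'PFX password (reused for the JKS store and key)' -AsSecureString
$plain  = [System.Net.NetworkCredential]::new('', $secure).Password

# 1. The PFX must carry a private key whose certificate names the controller FQDN
#    (Subject CN or SAN); otherwise browsers reject the site after the upload.
$pfx  = Get-PfxData -FilePath $PfxPath -Password $secure
$leaf = $pfx.EndEntityCertificates | Where-Object { $_.HasPrivateKey } | Select-Object -First 1
if (-not $leaf) { throw 'PFX contains no end-entity certificate with a private key.' }
$sanExt = $leaf.Extensions | Where-Object { $_.Oid.FriendlyName -eq 'Subject Alternative Name' }
$san    = if ($sanExt) { $sanExt.Format($true) } else { '' }
$needle = [regex]::Escape($Fqdn)
if ($leaf.Subject -notmatch "CN=$needle" -and $san -notmatch $needle) {
    throw "Certificate does not name $Fqdn (Subject: $($leaf.Subject))."
}
if ($leaf.NotAfter -lt (Get-Date)) { throw "Certificate expired on $($leaf.NotAfter)." }

# 2. Keep the controller's own jetty.jks so the web UI can be restored if the new file fails.
$jks = Join-Path $CerDir 'jetty.jks'
if (Test-Path $jks) { Copy-Item $jks "$jks.bak-$(Get-Date -Format yyyyMMddHHmmss)" }

# 3. PKCS12 -> JKS. Without -srcalias keytool imports every entry and protects each key
#    with the source password, so the key password equals the store password we set.
$out = Join-Path $env:TEMP 'omada-jetty.jks'
Remove-Item $out -ErrorAction SilentlyContinue
& keytool -importkeystore -noprompt `
    -srckeystore $PfxPath -srcstoretype PKCS12 -srcstorepass $plain `
    -destkeystore $out -deststoretype JKS -deststorepass $plain
if ($LASTEXITCODE -ne 0) { throw "keytool failed with exit code $LASTEXITCODE" }

# 4. List what the controller will load; expect one PrivateKeyEntry for the FQDN.
& keytool -list -keystore $out -storetype JKS -storepass $plain
Write-Host "Upload $out via Settings > Controller, or copy it over $jks while Omada is stopped."
```

keytool prints a warning that JKS is a proprietary format and suggests migrating to PKCS12; that is the same point raised later in this thread, and the JKS output is only needed because the web UI refuses other formats.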
Re:Omada v4.1.5 SSL issue
2020-07-28 16:52:13 - last edited 2020-07-28 16:56:56

@mohkhalifa, note that the proprietary JKS format is deprecated. You can use PKCS12 format directly.

See this post on how to import a certificate in PKCS12 format into Omada Controller. Although the post explains the steps necessary under Linux, you can apply them to Windows, too, if you have openssl and the JDK's keytool utility. Probably the web UI of SDN Controller also accepts PKCS12 format; I didn't test this (yet).

༺ 0100 1101 0010 10ཏ1 0010 0110 1010 1110 ༻
#5
Re:Omada v4.1.5 SSL issue
2020-07-28 17:59:26

Dear @R1D2,

Please note that while I'm trying to upload any other format, I'm receiving a message that "only JKS files are supported". Also, please don't forget that Omada v4.1.5 is based on a Java environment, unlike the old Omada.

I preferred my method and it's much easier than that article. KeyStore Explorer does everything without the keystore tool or openssl.

#6
Re:Omada v4.1.5 SSL issue
2020-07-28 22:08:33 - last edited 2020-07-29 05:27:29

Hi mohkhalifa,

Yes, as I wrote, I didn't try uploading the cert through the web UI, but I checked: it indeed accepts only JKS format, which is bad.

Why is it bad? Because JKS certificates are based on an old, proprietary format (outdated since 2014) that is not easily extensible to new cryptographic algorithms. Old ones will still be supported in the future by the JDKs, but new cryptographic algorithms might not be supported at all, so the conversion of SSL certs to PKCS12 is just a matter of time once new cryptographic algorithms are used for the certs.

Anyway, the method of installing a PKCS12 cert by manually copying it to the keystore still works fine with SDN Controller.

So, Omada SDN Controller does indeed accept PKCS12, which is no surprise because PKCS12 has been supported by every JDK since JDK 8, released in 2014. It's just the SDN Controller's web UI which does not allow uploading PKCS12. I consider this a bug.

I prefer the openssl method for several reasons; the most important one is that for certificates signed by a public or a private CA I have to generate a CSR using openssl anyway. So I convert the resulting certs into other formats with openssl, too.

For systems in my LAN I do not buy certificates, but use self-signed certificates under my own Certificate Authority. By using a wildcard certificate with a subnet IP as SAN I can create and sign a single certificate for all local hostnames as well as for all local IPs of devices in my LAN, be it a router, a switch, a server or a service. And I just have to install the RootCA cert in a browser's keychain once, not dozens of individual certificates for each host/service. Pretty easy.

But you are absolutely right that any certificate manager can be used by those who prefer a graphical UI. I fully agree with you on this point.

I just wanted to point out that the JKS format has been deprecated for 6 years now, and since you had to create a PKCS12 anyway with KeyStore Explorer, you could even have saved one step in the conversion process. There is nothing wrong with using this fine software to convert and manage certs. See http://openjdk.java.net/jeps/229.

The only difference in using the PKCS12 format would be not to use the web UI for uploading, but to copy the file to the Omada SDN Controller home directory, or rather the keystore in it, at least until this bug of the web UI accepting only JKS format has been fixed by TP-Link.

For the OC200 HW Controller, unfortunately this is no option.

Installing the certificate in PKCS12 format manually into the keystore is just a matter of seconds. Creating the certificate can still be done in any way one likes.

༺ 0100 1101 0010 10ཏ1 0010 0110 1010 1110 ༻
#7
Re:Omada v4.1.5 SSL issue
2020-07-29 00:02:25

@R1D2 which means both methods are correct.

At the end I hope this discussion is helpful for others :)

#8
Re:Omada v4.1.5 SSL issue
2020-07-29 01:27:37

mohkhalifa, thank you for sharing this. And I've learned much from this discussion today.
#9