Capsman redundancy certificate issue

Posted: Wed Jun 28, 2017 4:32 pm
by petterg
I'm testing out capsman... As it seems to introduce a single point of failure (if the capsman goes down, all CAPs are disabled) I'm trying to set up a second CAPsMAN. The idea is that the CAPs will use the second one when the primary goes down.

So I did /capsman export compact on the one running, using that to configure the second.
I let the second one generate new certificates.
Now when the CAPs try to connect to the second CAPsMan, they log
CAP selected CAPsMAN MenCAP (6C:3B:6B:B4:C4:19/7/0)
CAP connect to CAPsMAN MenCAP (6C:3B:6B:B4:C4:19/7/0) failed: timeout
CAP failed to join MenCAP (6C:3B:6B:B4:C4:19/7/0)
This comes no matter if the CAP is set to use the cert issued by the first CAPsMan, or if it's set to request cert.

So I tried to export both CAPsMan certificates and the CAP certificate from the first CAPsMan. Now, when I import those certs on the second, they don't get flagged with 'K'. I guess that's a source of the alternative issue:
When second CAPsMan is set to use the certs from first CAPsMan, the CAPs log:
CAP selected CAPsMAN MenCAP (6C:3B:6B:B4:C4:19/7/0)
CAP connect to CAPsMAN MenCAP (6C:3B:6B:B4:C4:19/7/0) failed: handshake failed: self signed certificate in certificate chain (6)
CAP failed to join MenCAP (6C:3B:6B:B4:C4:19/7/0)
So how should I set up a second CAPsMan?

Re: Capsman redundancy certificate issue

Posted: Wed Jun 28, 2017 10:46 pm
by petterg
I think I found the answer here
There is also quick and dirty way to do what you want - just export the certificate on your old CAPsMAN along with its private key. You do this by: /cert export-certificate 0 export-passphrase=12345678, it will generate 2 files - certificate and key. Then import it in new CAPsMAN. Beware - auto-generated certificates include device's MAC address in CommonName. Currently this is not being checked, but this can change.
What I've done is export the cert from the first CAPsMan, including the key. It turns out that export-passphrase is the trick to include the key when exporting a cert. My mistake in that matter was that there's no need for an export-passphrase in my test setup. Then I set the CAPsMan to use this CA cert, and auto-generate its own cert. When auto had generated the cert I changed the cert setting from auto to the new cert.
On the CAP I changed the cert from 'request' to the cert it got when first connected to the primary CAPsMan.
So far I haven't run into any problems with this. I'll assume things will be messed up if I set up a new CAP while the master CAPsMan is down. I'm not even going to test that.

Feature request for winbox: Put a note in the export dialog box stating that passphrase is required to export with key.

Re: Capsman redundancy certificate issue

Posted: Sun Jan 20, 2019 1:44 pm
by gbudny

I had the same concern while planning to have redundant CAPsMAN. The solution worked for me! Thanks a lot :)
It is good to have the certificate and lock-to-CAPsMAN feature on, as e.g. I had an issue where 3 controllers were in the same network due to customer limitations and the APs roamed randomly between all CAPsMANs, as it is discovery based.

Thanks again ;)
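The procedure petterg describes (export the primary's CA with its private key, import it on the secondary, let the secondary auto-generate a manager certificate under that CA, then pin certificates on the manager and on the CAPs) together with gbudny's point about restricting which CAPsMAN a CAP will join, written out as a RouterOS CLI session. This is an added example, not commands posted in the thread. Certificate names (capsman-ca, cap-cert), the passphrase, the addresses 192.0.2.10/11 and the CommonName strings are assumptions for illustration; substitute the names shown by /certificate print and /caps-man manager print on your own routers.

```routeros
# ==== 1. On the PRIMARY CAPsMAN ====
# Flags in the listing: K = private key present, A = authority (CA), T = trusted.
/certificate print

# Export the CA certificate together with its private key. Without
# export-passphrase RouterOS writes only the .crt; the .key file is produced
# only when a passphrase is supplied (the point petterg ran into).
/certificate export-certificate capsman-ca export-passphrase=ChangeMe12345678
/file print where name~"cert_export_capsman-ca"
# -> cert_export_capsman-ca.crt and cert_export_capsman-ca.key

# ==== 2. Move both files to the SECONDARY CAPsMAN ====
# (WinBox drag-and-drop, or FTP/SFTP to the router; remove the files from
# both routers once imported, the .key is the CA's private key.)

# ==== 3. On the SECONDARY CAPsMAN ====
/certificate import file-name=cert_export_capsman-ca.crt passphrase=ChangeMe12345678
/certificate import file-name=cert_export_capsman-ca.key passphrase=ChangeMe12345678
# Give the imported entry a short name (import names it after the file).
/certificate set [find name~"cert_export_capsman-ca"] name=capsman-ca

# Check: the CA must carry a private key (K flag) or the manager cannot
# issue/sign anything and CAPs will fail the TLS handshake.
:if ([/certificate get [find name="capsman-ca"] private-key] != yes) do={
    :error "capsman-ca imported without its private key; re-export with export-passphrase"
}

# Use the shared CA and let the manager generate its own certificate under it.
/caps-man manager set enabled=yes ca-certificate=capsman-ca certificate=auto
# Once generated-certificate is populated, pin it so it is not regenerated
# (same step petterg did by switching from "auto" to the new cert).
/caps-man manager print
/caps-man manager set certificate=[/caps-man manager get generated-certificate]

# ==== 4. On each CAP ====
# After the first successful join with certificate=request the CAP holds a
# certificate issued by capsman-ca; pin it instead of requesting a new one,
# which also works when the primary is down. Restrict which managers the CAP
# will accept so it does not wander to a third controller found by discovery:
#   caps-man-addresses               - only these manager addresses
#   caps-man-certificate-common-names - only managers whose cert CN is listed
#   lock-to-caps-man=yes             - stick to the manager first joined
# Note (quoted warning in the thread): auto-generated manager certs put the
# MAC in the CN, so list the CN of both managers as shown by /certificate print.
/certificate print
/interface wireless cap set enabled=yes certificate=cap-cert \
    caps-man-addresses=192.0.2.10,192.0.2.11 \
    caps-man-certificate-common-names="CAPsMAN-PRIMARY-CN,CAPsMAN-SECONDARY-CN" \
    lock-to-caps-man=yes

# ==== 5. Verify ====
/interface wireless cap print
/log print where message~"CAPsMAN"
# Expected: "CAP connect to CAPsMAN ... ok" entries; a "self signed certificate
# in certificate chain" handshake error means the secondary is presenting a
# certificate not chained to the CA the CAP's own certificate was issued by.
```

The private-key check in step 3 is the part worth keeping: an imported CA without the K flag looks fine in the listing until the first CAP tries to join. The passphrase only protects the exported files; treat the .key as you would any CA private key and keep it off the routers' file systems after import.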