Hi all,
We're doing some consultancy for a large organisation with many access points, all configured using CAPSMAN. They were originally configured with all services (DHCP/NTP/CAPSMAN/Hotspot/Firewall/LNS etc.) running on one CCR. We need to split them out to separate boxes (and virtualise some of them) to make the network more manageable.
The first step is to migrate the CAPSMAN and hotspot. Hotspot is easily done - just export/import the configuration and files and it all works. CAPSMAN is a different kettle of fish.
We've set this up and tested it in the lab and we've had all sorts of problems - all related to certificates. The only reliable way of migrating it is to take a backup on the original box, import it on the new one and then delete the unnecessary configuration - this all works when the new and old boxes are the same, but obviously this is going to be problematic if they're not.
So, the steps we've taken are:
1 - Export CAPSMAN configuration from old box
2 - Export certificates from old box
3 - Import configuration to new box
4 - Import certificates to new box
5 - Rename certificates on new box to match certificates on old box
6 - Configure CAPSMAN on new box to use the certificates imported from the old box
But all I'm getting is ":ffff:10.10.10.123:47023 failed to connect, no key for certificate found (6)"
Clearly I'm missing something and I'm not even sure that this is the 'correct' way to migrate CAPSMAN anyway (having to rename the certificates is a pain in the rear). I've checked through the certificates (and even wiped the configuration and started from scratch to make sure I haven't missed anything), but I still get this key error.
So the questions are:
1 - Is there a way of backing up certificates/keys on one RouterOS box so that they can be imported to a new box and just work?
2 - Is there a documented, 'correct' way to migrate a CAPSMAN instance (configuration and certificates)?
Obviously I can do the migration by starting from scratch and resetting each AP, but it would be preferable to just have everything work straight away rather than have to change the configuration on each of the many many APs.
Cheers,
Nicholas.
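For reference, here is the export/import sequence from the post written out as RouterOS console commands, as an added example that is not part of the original post. One detail matters for the key error: `/certificate export-certificate` run without `export-passphrase` writes only the public certificate (.crt); the private key is written (encrypted, as a .key file) only when a passphrase is given, and it has to be imported with that same passphrase before the certificate shows the K (private key) flag. The certificate names `CAPsMAN-CA` and `CAPsMAN-server`, the passphrase, the addresses and the export file name are assumptions for the example; the `cert_export_<name>.crt/.key` file names are what RouterOS derives from the certificate name.

```routeros
# Added example, not from the original post. Assumed names: certificates
# "CAPsMAN-CA" (CA) and "CAPsMAN-server" (manager certificate), export
# passphrase "ExAmPl3-pass", old box 10.10.10.1, admin credentials on it.

# ---- on the OLD box ----
# Export only the /caps-man submenu, not the whole router configuration.
/caps-man export file=capsman-old

# Export both certificates WITH a passphrase so the private keys are
# written as well. Without export-passphrase only the .crt is produced,
# and a certificate imported from that alone has no private key.
/certificate export-certificate CAPsMAN-CA export-passphrase=ExAmPl3-pass
/certificate export-certificate CAPsMAN-server export-passphrase=ExAmPl3-pass
# Produces: cert_export_CAPsMAN-CA.crt, cert_export_CAPsMAN-CA.key,
#           cert_export_CAPsMAN-server.crt, cert_export_CAPsMAN-server.key
/file print where name~"cert_export_|capsman-old"

# ---- on the NEW box ----
# Copy the five files over (Winbox drag-and-drop, scp, or fetch). One
# example with fetch over FTP; repeat for each file name above:
/tool fetch mode=ftp address=10.10.10.1 user=admin password=AdminPass \
    src-path=cert_export_CAPsMAN-CA.crt dst-path=cert_export_CAPsMAN-CA.crt

# Import certificate first, then its key, using the export passphrase.
# The .key import attaches the private key to the matching certificate.
/certificate import file-name=cert_export_CAPsMAN-CA.crt passphrase=ExAmPl3-pass
/certificate import file-name=cert_export_CAPsMAN-CA.key passphrase=ExAmPl3-pass
/certificate import file-name=cert_export_CAPsMAN-server.crt passphrase=ExAmPl3-pass
/certificate import file-name=cert_export_CAPsMAN-server.key passphrase=ExAmPl3-pass

# Imported certificates are named after the file; rename them to the
# names the exported /caps-man config refers to, otherwise the import of
# capsman-old.rsc fails at "manager set certificate=...".
/certificate set [find where name~"^cert_export_CAPsMAN-CA"] name=CAPsMAN-CA
/certificate set [find where name~"^cert_export_CAPsMAN-server"] name=CAPsMAN-server

# Check: both must have the private key before CAPsMAN can use them.
# Expect "true" twice; "false" means the .key was not exported/imported.
:put [/certificate get CAPsMAN-CA private-key]
:put [/certificate get CAPsMAN-server private-key]
/certificate print where name~"CAPsMAN"   ; # K flag = private key present

# Now the CAPsMAN configuration, then point the manager at the certs.
/import file-name=capsman-old.rsc
/caps-man manager set enabled=yes certificate=CAPsMAN-server ca-certificate=CAPsMAN-CA
/caps-man manager print
```

The `private-key` check at the end is the thing to look at when the manager reports that it has no key for a certificate: a certificate whose .key was never exported or never imported with the passphrase prints `false` there and shows no K flag in `/certificate print`, even though its name and fingerprint match the old box.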