NWA130BE - Import custom certificate and key (Let's Encrypt)

Dulcow
Dulcow Posts: 6  Freshman Member
First Comment

Hi there,

I tried several ways to import my custom certificate to my NWA130BE access points and I cannot seem to make it work. I would like to replace the default one by this certificate to remove the warning in Web Browsers.

The FQDN and certificate are working fine everywhere else (Proxmox, Portainer, etc.).

I have two files: certificate.pem and privkey.pem, not password protected.

How do I upload those on the access points and how do I enable the Web server to use those?

I'm running the last firmware 7.00(2) but I doubt that the last one 7.0(3) will change anything here…

Thanks,

D.

All Replies

  • Zyxel_Kay
    Zyxel_Kay Posts: 1,128  Zyxel Employee
    Zyxel Certified Network Engineer Level 2 - Nebula Zyxel Certified Network Engineer Level 2 - WLAN Zyxel Certified Network Engineer Level 2 - Switch Zyxel Certified Network Engineer Level 2 - Security

    Hi @Dulcow

    To replace the default certificate with your custom Let's Encrypt certificate, please follow our detailed guidance here:

    If you've followed these steps and are still experiencing issues, please feel free to send your certificate files via private message so we can assist you further.

    Kay

    Share your feedback through our survey, make your voice heard, and win a WiFi 7 AP! https://bit.ly/2024_Survey_Community

  • Dulcow

    Hi there,

    I came across this guideline document and it does not seem to work at all for PEM files I'm getting via Let's Encrypt ("combined.pem" regrouping "fullchain.pem" containing intermediate and final certificate and "privkey.pem" containing ECDSA key).

    When using a PFX certificate with a password, it worked but it just means more operations when renewing my certificates…

    Thanks,

    D.

  • Zyxel_Kay

    Hi @Dulcow ,

    Could you please send us your PEM files via private message? We’d like to investigate this further.

    Thank you!

    Kay


  • Zyxel_Kay

    Hi @Dulcow

    Please try uploading your certificate under the Trusted Certificates tab. The My Certificate section only allows the import of a certificate that matches a corresponding certification request generated by the Zyxel device.

    Kay


  • Dulcow

    Hi there,

    The import works, I can see the certificate in the "Trusted Certificates" tab but I cannot select it when configuring HTTPS service, it does not show in the list.

    How can I fix this?

    Thanks,

    D.

  • Zyxel_Kay

    Hi @Dulcow

    The server certificate dropdown list under System > WWW > HTTPS only displays certificates located in My Certificate.

    Once you successfully import the Let’s Encrypt certificate to the AP, it should work with the AP.

    Please check if the warning message still appears in your web browser when you access the AP web page. If it does, it may be because the certificate hasn't been fully validated by the CA server, or the IP address or FQDN hasn't been bound. Please confirm that the certificate has completed all necessary binding steps with the CA server.

    Kay


  • Dulcow

    Hi Kay,

    It won't work by itself, like by magic :-(

    I have to tell the HTTP server, one way or the other, which certificate to use. As expected, having just uploaded the "combined.pem" certificate in "Trusted Certificates" does not change anything for the Web endpoint, which still uses the default self-signed certificate.

    There are no warning messages, no errors. It simply does not work by itself. So I'm asking again, how could I enable a PEM generated certificate to get SSL working with the AP Web interface?

    Thanks,

    D.

  • Zyxel_Kay

    Hi @Dulcow

    It sounds like the certificate may not fully align with the AP's requirements.

    When accessing the AP's management interface, the certificate needs to match the hostname used—whether it’s the IP address or a domain name. If you’re accessing the AP via an IP address, but the certificate only contains a domain name, or vice versa, this mismatch will prevent proper SSL functionality.

    From our review of the "combined.pem" certificate you shared, it appears the domain currently bound in the certificate is only as follows:

    To resolve this, you may need to rebind the certificate to the AP’s IP address or domain name as appropriate, ensuring it matches what you’re using to access the AP.

    Let me know if this helps, or if there’s anything else I can clarify.

    Kay


  • Dulcow
    Answer ✓

    Hi Kay,

    I'm using this wildcard certificate for several endpoints with no issue. I will keep generating separate certificates for Zyxel devices.

    Thanks,

    D.
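
The name-matching question raised in the replies above (the names in the certificate versus the address typed into the browser to reach the AP), as an added example that is not part of the original thread: a check of which addresses a wildcard certificate covers, using the usual browser matching rules. The certificate dictionaries mimic the shape returned by Python's `ssl.SSLSocket.getpeercert()`; the names and the IP address are constructed placeholders, not values from the posters' certificate.

```python
import ipaddress

# Constructed samples in the dict shape returned by ssl.SSLSocket.getpeercert().
# Names and addresses are placeholders, not taken from the thread.
WILDCARD_CERT = {"subjectAltName": (("DNS", "*.home.example"),)}
PER_DEVICE_CERT = {
    "subjectAltName": (("DNS", "ap1.home.example"), ("IP Address", "192.168.1.2")),
}


def _dns_match(pattern, host):
    """Match one DNS SAN entry; '*' may only replace the whole leftmost label."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = host.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False  # a wildcard never spans more (or fewer) than one label
    if p_labels[0] == "*":
        # Require at least two fixed labels after the wildcard and a non-empty host label.
        return len(p_labels) > 2 and h_labels[0] != "" and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def cert_covers(cert, target):
    """True if `target` (the host or IP typed into the browser) is in the cert's SANs."""
    sans = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None
    if ip is not None:
        # IP literals are compared only with "IP Address" entries, never DNS ones.
        return any(kind == "IP Address" and ipaddress.ip_address(value) == ip
                   for kind, value in sans)
    return any(kind == "DNS" and _dns_match(value, target) for kind, value in sans)


def report(cert, targets):
    """Map each way of reaching the device to whether the certificate covers it."""
    return {t: cert_covers(cert, t) for t in targets}


if __name__ == "__main__":
    ways_in = ["ap1.home.example", "ap1.lan.home.example", "home.example", "192.168.1.2"]
    for label, cert in (("wildcard", WILDCARD_CERT), ("per-device", PER_DEVICE_CERT)):
        for target, ok in report(cert, ways_in).items():
            print(f"{label:10} {target:22} {'covered' if ok else 'NOT covered'}")
```

A wildcard entry covers exactly one extra label, so it matches neither the bare parent domain nor a deeper subdomain, and it never matches an IP address.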