My web browser is now nagging me about TLS / https: when I want to administer my ZyXEL WAPs over http(s). It moans when I use different domain names, or when I use literal IPv4 addresses.
My ZyXEL NWA-3560-N WAPs have alternative DNS names set up: wap-01, wap01 and the longwinded alternative wap-01.mydomain.example.com for the first WAP, then wap-02 etc. The short forms, for convenience, are set up within my Firebrick router, which is the local on-LAN DNS server, so these short names are only recognised when queried from inside the LAN and the queries are answered by the Firebrick. The longwinded name is defined in the real DNS by my main DNS servers and is visible on the internet.
There is a mountain of stuff about certificates in the WAP NWA-3560-N documentation which I don’t understand, and I presume I would have to get stuck into this somehow in order to make https on the WAP work properly and make the browsers happy. I have no idea what I am doing with any of it.
Has anyone here ever done this successfully?
I have no idea how to fill in the stuff in the WAP UI relating to certificates, nor how to get a certificate. There is some mention of facilities provided by the WAP itself, if I am understanding the docs correctly, that will fetch a cert from the internet, and maybe this will get some server to generate an appropriate cert for you. There are also facilities to import a certificate in a file into the WAP, but you have to have obtained that yourself somehow.
Another question: Is it possible to have TLS / https set up so that more than one domain name will be recognised as ok if a browser presents one of various alternative forms?
If anyone is very bored, the ZyXEL NWA 3560-N docs are at:
ftp://ftp.zyxel.com/NWA3560-N/user_guide/NWA3560-N_.pdf
I read this:
https://www.globalsign.com/en/blog/certificates-for-internal-servers/
which says that I can’t now get a general browser-trusted real cert for a short name that is not a publicly recognised FQDN. I can see the reasoning. It is a bit of a nuisance though, especially if the IP address is not an RFC1918 one, a link-local one or some other kind of non-unique address.
The docs say that the WAPs can generate self-signed certs. I don’t know if a browser could just be made to shut up and no longer moan in future, having been told that one of these is always OK.
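The two questions in the post (several names on one certificate, and getting the browser to stop moaning without a publicly trusted CA) can both be tried out on the command line before touching the WAP UI. The script below is an added example, not from the original post or from the ZyXEL documentation: it builds a small private CA for the LAN, issues one WAP a certificate whose subjectAltName lists the short names, the public FQDN and the literal IP address, and then runs the same chain-plus-name check a browser performs. The names wap-01, wap01, wap-01.mydomain.example.com and the address 192.0.2.10 are assumptions (192.0.2.10 is a documentation address; substitute the WAP's real one), and so is the assumption that the WAP's import facility will accept the resulting PEM key and certificate, which only the NWA-3560-N docs can confirm. Only the openssl command line tool is needed (1.0.2 or later, for `verify -verify_hostname`).

```shell
#!/bin/sh
# Added example (not from the original post or the ZyXEL documentation).
# Needs only the openssl command line tool, 1.0.2 or later.
# Hypothetical names/addresses, substitute your own: wap-01, wap01,
# wap-01.mydomain.example.com and the LAN address 192.0.2.10.
set -e

WORK="${WORK:-$(mktemp -d)}"

# 1. A private CA for the LAN. Import ca.crt into the browser's (or OS's)
#    trust store once; every device certificate it signs is then trusted,
#    unlike a per-device self-signed cert, which has to be excepted one by one.
make_lan_ca() {
    dir="$1"
    cat > "$dir/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[dn]
CN = Home LAN CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -config "$dir/ca.cnf" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
}

# 2. A server certificate for one WAP. subjectAltName carries every name the
#    browser may be given: short LAN names, the public FQDN and the literal
#    address (the IP: entry is what stops the warning for https://192.0.2.10/).
#    Modern browsers ignore the CN and match the URL against this list only.
#    Args: dir, primary name, then DNS:... / IP:... entries.
make_wap_cert() {
    dir="$1"; name="$2"; shift 2
    san=""
    for entry in "$@"; do san="${san}${san:+,}${entry}"; done
    cat > "$dir/$name.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = $name
[server]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid, issuer
subjectAltName = $san
EOF
    openssl req -new -newkey rsa:2048 -nodes -config "$dir/$name.cnf" \
        -keyout "$dir/$name.key" -out "$dir/$name.csr" 2>/dev/null
    openssl x509 -req -in "$dir/$name.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 825 -extfile "$dir/$name.cnf" -extensions server \
        -out "$dir/$name.crt" 2>/dev/null
}

# 3. The check a browser performs: chain back to a trusted CA, then match the
#    hostname (or IP) from the URL against the SAN list. Exit status 0 = accepted.
cert_ok_for_host() { openssl verify -CAfile "$1/ca.crt" -verify_hostname "$3" "$1/$2.crt" >/dev/null 2>&1; }
cert_ok_for_ip()   { openssl verify -CAfile "$1/ca.crt" -verify_ip "$3" "$1/$2.crt" >/dev/null 2>&1; }

# Print the SAN line so you can see what the certificate actually claims.
list_sans() { openssl x509 -in "$1/$2.crt" -noout -text | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//'; }

make_lan_ca "$WORK"
make_wap_cert "$WORK" wap-01.mydomain.example.com \
    DNS:wap-01.mydomain.example.com DNS:wap-01 DNS:wap01 IP:192.0.2.10

echo "SANs: $(list_sans "$WORK" wap-01.mydomain.example.com)"
for n in wap-01 wap01 wap-01.mydomain.example.com wap-99; do
    if cert_ok_for_host "$WORK" wap-01.mydomain.example.com "$n"; then
        echo "https://$n/  -> accepted"
    else
        echo "https://$n/  -> rejected (name not in subjectAltName)"
    fi
done
echo "Load into the WAP: $WORK/wap-01.mydomain.example.com.key and .crt; into the browser: $WORK/ca.crt"
```

The wap-99 case is deliberate: a name that is not in the SAN list is rejected even though the certificate chains correctly, which is exactly the complaint the browser raises today for the short names and the bare IP address. Every other WAP gets its own key and certificate from the same CA (run make_wap_cert again with its names), so the browser only ever has to be taught about ca.crt once. Keep ca.key off the WAPs and off any machine that does not need it; anyone holding it can mint a certificate for any name your browsers will trust.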