There are two types of certificates you may need to deploy to your device to successfully connect to a network: A User Certificate and a CA Certificate.
A User Certificate is like a username and password, and can be deployed as part of a ManageXR WiFi Network Profile. See the Adding a User Certificate to Connect to a Specific Network to learn more.
A CA Certificate helps your device trust a specific network - especially if it's using a firewall with a self-signed certificate. If you use a self-signed certificate on your network, you likely need to add this CA cert to the device as a globally trusted CA. See the Adding a Trusted Self-Signed CA Certificate to a Device to learn more.
Adding a User Certificate to Connect to a Specific Network
If you're using an Enterprise network that requires a User Certificate, then you should create a ManageXR WiFi Network Profile with the following details:
SSID: <Your Network SSID>
Network Type: WPA/WPA2-Enterprise
EAP Method: TLS
Identity: <Your User Name/ID>
User Certificate: <Your User Certificate in PEM format>
A common report we receive is that an enterprise wifi network with a user certificate was deployed to a device, but it fails to sync, and the device fails to connect to the network.
To resolve this, you need to make sure you've deployed the correct user certificate. When you generate a user certificate, it is typically generated in a different format (p-12 or .pfx) than ManageXR wants it (.pem). So, we must convert our p-12/.pfx file to a PEM file, which is a non-binary, copy/pastable version of the binary .p-12 or .pfx certificate.
Once we've acquired a p-12 or .pfx, we need to extract the information from this file using OpenSSL. This can be done through OpenSSL in the command line by running the following command:
openssl pkcs12 -info -in FILE_PATH_TO_P12_FILE -nodes -out PATH_TO_EXPORTED_PEM_FILE. Detailed information about this process can be found in this article - Export Certificates and Private Key from a PKCS#12 File with OpenSSL.
Now you can copy the contents of the newly created PEM file and paste them into the User Certificate field in your Enterprise WiFi Network Profile on ManageXR! Deploy this network to your device, and you'll be all set.
Adding a Trusted Self-Signed CA Certificate to a Device
Some networks use a self-signed certificate. By default, a self-signed certificate is untrusted by a device. When this happens, a device will be able to connect to the network, but it will not trust any of the web traffic and thus will not be online. To fix this, we must add the CA Certificate to the device as a trusted cert. This cert isn’t associated with a specific network. Instead, it is added to the device as a globally trusted CA.
ManageXR can deploy these trusted CA certs on a per-configuration basis. They will be formatted in either a .pem, .crt, or .cer file.
To do this:
Upload your certificate file to the Files library.
Reach out to firstname.lastname@example.org and request this cert to be applied to a specific configuration. Please include the configuration name in your support ticket. Now, any device that is assigned this configuration will have this cert deployed as part of the configuration.