
Deploying Enterprise Wi-Fi Certificates on ManageXR

Configuring enterprise network certificates for your VR Device

Written by John Morgan
Updated this week

Are you trying to deploy a certificate to a device? This guide covers three common certificate deployment scenarios:

  1. Authentication Certificates for WPA/WPA2/WPA3-Enterprise TLS networks, also known as User/Device/Client Certificates

  2. CA Certificates for RADIUS Authentication on WPA/WPA2/WPA3-Enterprise networks

  3. Self-Signed CA Certificates for Content Filtering Systems or reverse proxies

Understanding Certificate Types

Authentication Certificates

Also known as: User certificates, device certificates, or client certificates

You need this if: Your network uses EAP-TLS authentication

How it works: Authentication certificates act like a username and password, enabling you to connect to a TLS network.

CA Certificates (Certificate Authority Certificates)

You need this if: You're configuring an enterprise network through ManageXR

How it works: CA Certificates verify that you are connecting to the correct enterprise network, which enables the device to connect to it.

Note: Some devices were previously able to connect to Enterprise networks without a configured CA certificate; however, Android 14 devices now require CA certificates, which may require some customers to update their Wi-Fi configurations. This includes Pico 4 Ultra Enterprise and Meta Quest devices on v76+.

Content Filtering CA Certificates

You need this if: Your network has content filtering or packet inspection.

How it works: Allows devices to trust traffic inspection by content filtering systems or reverse proxies.

Hint: You likely need to configure a Content Filtering CA Certificate if your devices connect to Wi-Fi but cannot communicate with the internet.

How to Upload Certificates

All certificates must be uploaded to ManageXR before deployment. This process is the same for all types of certificates.

  1. Navigate to Wi-Fi Networks in the ManageXR sidebar

  2. Click the Certificates tab

  3. Click "+ Add" to open the certificate uploader

  4. Drag and drop certificate files, or click to browse. You can select multiple files, certificates, and folders

  5. Enter the certificate password if prompted

  6. Give each certificate a descriptive name for easy identification

  7. Click "Save" to add the certificates to your library

The uploader will validate your certificates and alert you to any issues, such as missing components in a certificate chain, expired certificates, or authentication certificates without private keys.

Troubleshooting Uploading Certificates

Authentication certificate requires a private key. Please upload the certificate with its private key.

Authentication certificates (also known as user / device / client certificates) must be uploaded as a certificate and private key pair. Please locate the corresponding private key, and upload it alongside the certificate to resolve this error.

This certificate is invalid or could not be parsed.

The uploader will reject invalid or corrupted certificates. If your certificate was exported from a certificate store or converted from a different format, try re-exporting your certificate to resolve this error.

Deploying Authentication Certificates

Use this section only if your Wi-Fi network uses EAP-TLS authentication and requires user or device certificates.

  1. Upload your authentication certificate

  2. Duplicate your existing Wi-Fi network in ManageXR and give it a test nickname

  3. Open the duplicated Wi-Fi network, select your Authentication certificate from the dropdown, and click "Save"

  4. Create a new configuration by duplicating your current configuration and replace the Wi-Fi network with the test version

  5. Assign the new configuration to a single device to verify connectivity

  6. Once successful, add the authentication certificate to your main Wi-Fi network and remove the test network and configuration

Troubleshooting Authentication Certificates

Device won't connect to the network

If the certificate is invalid or incorrect, devices cannot connect and will remain offline. Check RADIUS server logs with your IT administrator to identify rejection reasons, then update the certificate in ManageXR.

Deploying CA Certificates

Finding Your CA Certificate

Method 1: Find the Certificate from a Connected Computer

(macOS)

Step 1: Identify the CA from Network Settings

  1. Click the Wi-Fi icon in the top menu bar and select Wi-Fi Settings

  2. Select your connected Enterprise Wi-Fi network

  3. Click Details (macOS Ventura+) or Advanced (older versions)

  4. In the 802.1X tab, note the identity or user name

Step 2: Find the CA Certificate in Keychain Access

  1. Open Keychain Access (Applications > Utilities)

  2. Select System or login keychain in the left sidebar

  3. Click Certificates under Category

  4. Look for a certificate matching your organization's name

Step 3: Verify the Certificate

  1. Double-click the certificate

  2. Check the Trust section (should show Always Trust or System Default)

  3. Review issuer and expiration date in the Details section

Step 4: Export the Certificate

  1. Select the CA certificate

  2. Right-click and choose Export

  3. Save as a .pem file (Base64-encoded format)

(Windows)

Step 1: Open Certificate Manager

  1. Press Windows Key + R

  2. Type certmgr.msc and press Enter

Step 2: Locate the CA Certificate

  1. Expand Trusted Root Certification Authorities > Certificates

  2. Look for a certificate matching your organization or network provider

Step 3: Verify the Certificate

  1. Double-click the certificate

  2. Check Details, Issuer, and Validity Period

Step 4: Export the Certificate

  1. Right-click the certificate

  2. Select All Tasks > Export

  3. Choose Base64-encoded (.pem) format

Method 2: Extract CA from Your RADIUS Server Certificate

(macOS)

Step 1: Get Your RADIUS Server Certificate

  1. Download or export the certificate your RADIUS server uses. Note: This is not the CA certificate itself, but will help you identify the correct CA.

Step 2: Inspect the Certificate Using OpenSSL

  1. Open Terminal

  2. Run: openssl x509 -text -in ~/path/to/certificate.pem

Step 3: Check If It's a CA Certificate

  1. Look for the X509v3 extensions section. If it shows CA: TRUE, this is a CA certificate (skip to step 6). If CA: FALSE, continue to the next step.

Step 4: Identify the CA Certificate Issuer

  1. Find the Issuer field near the top of the output. This shows who issued the certificate. Example: CN = Thawte TLS RSA CA G1

Step 5: Download the CA Certificate

  1. Visit the CA's website (most CAs list their root certificates online)

  2. Find and download the matching certificate in PEM format (e.g., Thawte TLS RSA CA G1)

(Windows)

Step 1: Get Your RADIUS Server Certificate

  1. Download or export the certificate your RADIUS server uses. Note: This is not the CA certificate itself, but contains the issuer information you need.

Step 2: Open the Certificate

  1. Double-click the certificate file

  2. Switch to the Details tab

  3. Find the Issuer field—this shows which CA issued it

Step 3: Confirm It's Not a CA Certificate

  1. In the Details tab, find Basic Constraints. If it says Subject Type=End Entity, this is not a CA certificate. If it says Subject Type=CA, skip to Step 5.

Step 4: Download the CA Certificate

  1. Visit the CA's website

  2. Find the certificate matching the Issuer CN from Step 2

  3. Download in PEM format

Finding Your RADIUS Server Domain

The domain field specifies the expected domain name of your RADIUS server's certificate. This ensures devices connect to the correct authentication server.

Method 1: Ask Your IT Administrator

The simplest method—your IT administrator can provide the exact domain name used in the RADIUS server certificate.

Method 2: Check an Existing Connection (macOS)

  1. Connect to your enterprise Wi-Fi network

  2. Click the Wi-Fi icon and select Wi-Fi Settings

  3. Select your network and click Details

  4. In the 802.1X tab, find Server Certificate Names

  5. Note the domain (e.g., radius.yourcompany.com)

Method 3: Inspect the RADIUS Server Certificate

If you have the RADIUS server certificate file:

  1. Open it in your certificate manager

  2. Look in the Subject field or Subject Alternative Name (SAN) field

  3. The domain will typically be listed as CN=radius.yourcompany.com

Finding Your Identity

The identity field specifies how the device identifies itself to the RADIUS server during authentication. This is particularly important for PEAP and TTLS authentication methods.

Method 1: Ask Your IT Administrator

Your IT administrator can tell you the expected identity format. Common formats include:

  1. Username only: user123

  2. Email format: user@company.com

  3. Domain\username format: DOMAIN\user123

Method 2: Check an Existing Connection (macOS only)

  1. Connect to your enterprise Wi-Fi network

  2. Click the Wi-Fi icon and select Wi-Fi Settings

  3. Select your network and click Details

  4. In the 802.1X tab, look for Identity or User Name

  5. Note the format used

Note: For EAP-TLS authentication using certificates, you may not need to specify an identity as the certificate itself provides identification. For PEAP and TTLS, the identity is typically required.

Deploying a CA Certificate

  1. Upload your CA certificate(s) to ManageXR

  2. Duplicate your existing Wi-Fi network and give it a test nickname

  3. Open the duplicated network, select all of the CA Certificates in your chain from the CA Certificate dropdown, and click Save

  4. Create a new configuration by duplicating your current configuration and replace the Wi-Fi network with the test version

  5. Assign the new configuration to a single device to verify connectivity

  6. Once successful, add the CA certificate to your main Wi-Fi network and remove the test network and configuration

Troubleshooting CA Certificates

"Missing root certificate"

A CA certificate chain must include at least one root certificate. If you select only intermediate CA certificates, you will see a "missing root certificate" error. Please ensure your root certificate is uploaded, then select it from the dropdown to resolve this error.

"Missing certificate in chain"

All intermediate certificates in a CA certificate chain must be able to trace back to a root certificate. If you're missing a certificate in the chain, or if your intermediate and root CA certificates don't match, you will see a "missing certificate in chain" error. To resolve this, verify you have uploaded all certificates in the chain—including any intermediate certificates between your root and end-entity certificate—and ensure they are from the same certificate authority.
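
The OpenSSL inspection steps from Method 2 and Method 3 above, and the two chain errors in this section, can be reproduced locally before uploading. This is an added example, not ManageXR's own validation code. It builds a constructed root, intermediate, and RADIUS server certificate; the CA names, file names, and helper functions are assumptions, and radius.yourcompany.com is the placeholder domain used earlier in this guide.

```shell
#!/bin/sh
# Added example. All certificates are constructed throwaway test certificates;
# the CA names and file layout are assumptions, not values from ManageXR.
WORK=$(mktemp -d) && trap 'rm -rf "$WORK"' EXIT
SERIAL=0
cat > "$WORK/x.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = unused
[ca]
basicConstraints = critical,CA:TRUE
[leaf]
basicConstraints = CA:FALSE
subjectAltName = DNS:radius.yourcompany.com
EOF

# mk <name> <CN> <extension-section> [issuer-name]; no issuer = self-signed root
mk() {
  SERIAL=$((SERIAL + 1))
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/x.cnf" -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null || return 1
  if [ -n "$4" ]; then sign="-CA $WORK/$4.pem -CAkey $WORK/$4.key"
  else sign="-signkey $WORK/$1.key"; fi
  # $sign is left unquoted on purpose so it splits into separate options
  openssl x509 -req -in "$WORK/$1.csr" $sign -set_serial "$SERIAL" -days 30 \
    -extfile "$WORK/x.cnf" -extensions "$3" -out "$WORK/$1.pem" 2>/dev/null
}
mk root   "Constructed Root CA"         ca
mk inter  "Constructed Intermediate CA" ca   root
mk radius "radius.yourcompany.com"      leaf inter

# The checks from the guide, as functions
is_ca()     { openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; }
issuer_cn() { openssl x509 -in "$1" -noout -issuer | sed 's/.*CN *= *//'; }
san_of()    { openssl x509 -in "$1" -noout -text |
              sed -n '/Subject Alternative Name/{n;s/^ *//;s/ *$//;p;}'; }
# chain_ok <root.pem> <server.pem> [intermediate.pem]
chain_ok()  { openssl verify -CAfile "$1" ${3:+-untrusted "$3"} "$2" >/dev/null 2>&1; }

is_ca "$WORK/radius.pem" || echo "server cert is not a CA; issuer: $(issuer_cn "$WORK/radius.pem")"
echo "RADIUS domain: $(san_of "$WORK/radius.pem")"
chain_ok "$WORK/root.pem" "$WORK/radius.pem" "$WORK/inter.pem" && echo "root + intermediate: chain OK"
chain_ok "$WORK/root.pem" "$WORK/radius.pem" || echo "intermediate omitted: chain incomplete"
chain_ok "$WORK/inter.pem" "$WORK/radius.pem" || echo "root omitted: chain incomplete"
```

To run the same checks on real files, skip the mk calls and pass your own PEM files to is_ca, issuer_cn, san_of, and chain_ok.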

Can I use dummy values for Android 13 devices?

No. Valid domain and CA certificate details are required for secure connections. Using proper values ensures compatibility with all devices (including when Android 13 devices update to Android 14) and protects against Man-in-the-Middle attacks where someone could impersonate your RADIUS server to steal credentials or certificates.

Deploying Self-Signed CA Certificates for Content Filtering

Use this section only if devices connect to Wi-Fi but cannot communicate with the internet.

This issue typically occurs when your network uses a content filtering system or reverse proxy that performs SSL inspection (a legitimate Man-in-the-Middle attack). Devices don't trust this additional certificate by default and refuse to send traffic.

A content filtering system monitors all outgoing traffic and forwards it to the internet according to your organization's policies. To do this, it intercepts encrypted traffic—which looks like a security threat to devices. The solution is to install your content filtering system's certificate at the device level so all applications can trust it.

Deployment Steps

  1. Confirm with your administrator that your network uses a content filtering system or reverse proxy

  2. Work with your administrator to obtain the certificate file (formatted as .pem, .crt, or .cer)

  3. Upload your CA certificate(s) to ManageXR

  4. Duplicate your existing Wi-Fi network and give it a test nickname

  5. Open the duplicated network, and scroll to the "Content filtering setup" section at the bottom of the page

  6. Select the relevant CA Certificates from the CA Certificate dropdown, then click Save

  7. Create a new configuration by duplicating your current configuration and replace the Wi-Fi network with the test version

  8. Assign the new configuration to a single device to verify connectivity

  9. Once successful, add the CA certificate to your main Wi-Fi network and remove the test network and configuration

Troubleshooting Self-Signed CA Certificates

Devices connect to Wi-Fi but still have no internet access

  • Confirm the certificate was added under Content Filtering Setup, not under the Authentication section

  • Ensure the new configuration and Wi-Fi network have synced to your device. This may require a provisioning network if you do not yet have Wi-Fi through your chosen network

  • Verify the configuration and Wi-Fi network containing the content filtering certificate are actively assigned to the device

  • Reboot the device after deployment to ensure the certificate is loaded into the system trust store
