Change the certificate for the reverse proxy aka webserver

Hi,

If I connect to the ctrlX CORE via HTTPS, e.g. https://192.168.1.1/, it uses a certificate from Bosch with CN=* (btw, this wildcard will cause issues in SSL clients if the DNS entry for the IP address 192.168.1.1 is a multi-level subdomain, e.g. ctrlx.cool.control.at.bosch.de).

You can change the certificate/keys via the web UI or the REST API (e.g. https://192.168.1.1/certificate-manager/api/v2/applications/webserver/certificates).

Nevertheless, whatever I try, even if I delete all certs, after a reboot the HTTPS connection always uses the dummy CN=* cert.

So, two questions:

1. Is the application named "webserver" the reverse proxy that handles all the traffic? 

2. How can I change the certificate used for that endpoint, e.g. https://192.168.1.1?

I read the docs -- really 😁 -- but only the functionalities of the buttons/REST API are described. There is no "set cert active for ...".

Best reply by mlaml

Hi,

we have (at least I think so) the same scenario here in our network (the ctrlX CORE VIRTUAL is made available via <subdomain>.<domain>.tld) and for us it works.

We are currently improving the documentation on how to replace the web server certificate, because it is not intuitive. Let me describe how it works and how you can assign an individual certificate. Nevertheless, if you see (technical) issues with the way it is done please don't hesitate to say so - we are happy about feedback!

First of all - yes, the "Web Server" section under "Certificates & Keys" contains the certificates & keys for the device Web Server (to be precise: for the Reverse Proxy). There are two certificates (+ their corresponding keys) on the device:

  • webserver_cert.pem / webserver_key.pem: Fallback certificate/key which ensures that you can always log in to the system by using the IP address. This prevents you from replacing the certificate with an invalid / malformed one and locking yourself out. You cannot delete or replace those files - both will be re-generated upon next boot and they will always contain the asterisk as a wildcard ("CN=*").
  • webserver_custom_cert.pem / webserver_custom_key.pem: Those are the files that you want to replace when you issue a custom certificate. By default, those files use "CN=*" as well, but they can be replaced. Please note: They can be replaced, but they cannot be removed. They will be re-generated upon next start as well.

When you access the device via the URL, the Reverse Proxy checks whether the second certificate matches the domain and uses the custom certificate.

Therefore, please try to replace the *_custom* files with your individual key + certificate and restart the device. It should work.

As I said - we are currently working on improving the documentation and we are aware that it is not user-friendly (we are also working on that). But from a technical perspective, it should work. 🙂

Kind regards
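Whether a TLS client accepts the fallback "CN=*" certificate or your custom one depends on the host-name matching rules browsers apply (RFC 6125), which is why the bare asterisk fails for a multi-level name like the one in the question. The following is an added example, not code from the original thread or from Bosch; it implements those matching rules so you can predict, before uploading, whether a certificate's names will be accepted for the URL you use. All host names below are constructed.

```python
"""Host-name matching check for ctrlX web-server certificates (added example)."""
import ipaddress


def _name_matches(pattern: str, host: str) -> bool:
    """Match one DNS name from a certificate against one host name.

    Comparison is case-insensitive and ignores a trailing dot. A wildcard is
    only honoured as the whole leftmost label and only matches a single label:
    "*.cool.example.tld" matches "ctrlx.cool.example.tld" but not
    "ctrlx.cool.control.example.tld". A bare "*" (the fallback certificate)
    and "*.tld" match nothing, as browsers reject them.
    """
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_matches_host(dns_names, ip_addrs, host) -> bool:
    """Return True if a TLS client would accept the certificate for `host`.

    dns_names: subjectAltName DNS entries (or the CN when there is no SAN).
    ip_addrs:  subjectAltName IP entries. When the URL uses an IP literal such
               as https://192.168.1.1/ only these count; DNS names and
               wildcards never match an IP address.
    """
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return any(_name_matches(n, host) for n in dns_names)
    return any(ipaddress.ip_address(a) == ip for a in ip_addrs)


if __name__ == "__main__":
    # Constructed names mirroring the scenario in the question.
    host = "ctrlx.cool.control.at.bosch.de"
    print("fallback CN=* accepted for", host, "->", cert_matches_host(["*"], [], host))
    print("custom *.cool.control.at.bosch.de ->",
          cert_matches_host(["*.cool.control.at.bosch.de"], [], host))
    print("custom with IP SAN for 192.168.1.1 ->",
          cert_matches_host([], ["192.168.1.1"], "192.168.1.1"))
```

Put the exact name you type into the browser (and the IP address, if you still want warning-free access that way) into the subjectAltName of the custom certificate before replacing the *_custom* files.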
