https://community.cisco.com/t5/cisco-catalyst-center/certificate-install-issue-wlc-dna/m-p/5077839#M9028 <P>How did you address/fix those issues?</P> Thu, 25 Apr 2024 00:07:34 GMT Captain82 2024-04-25T00:07:34Z https://community.cisco.com/t5/cisco-catalyst-center/certificate-install-issue-wlc-dna/m-p/5015566#M8426 <P>For some reason one of our pair of WLC 9800 will not accept DNAC-CA certificate.</P><P>A sync or push of telemetry from DNA fails. All our other devices are fine.</P><P>If we try a CLI import of the certificate we get this:</P><P>Trustpoint 'DNAC-CA' is a subordinate CA.<BR />Authentication failed - could not validate certificate<BR />% Error in saving certificate: status = FAIL</P><P>Any ideas why this is happening on this one device?</P> Fri, 09 Feb 2024 15:05:14 GMT https://community.cisco.com/t5/cisco-catalyst-center/certificate-install-issue-wlc-dna/m-p/5015566#M8426 glsparks 2024-02-09T15:05:14Z https://community.cisco.com/t5/cisco-catalyst-center/certificate-install-issue-wlc-dna/m-p/5016465#M8432 <P>Do you have port http/80 open from the WLC to the DNAC?</P> Mon, 12 Feb 2024 10:18:39 GMT https://community.cisco.com/t5/cisco-catalyst-center/certificate-install-issue-wlc-dna/m-p/5016465#M8432 rasmus.elmholt 2024-02-12T10:18:39Z https://community.cisco.com/t5/cisco-catalyst-center/certificate-install-issue-wlc-dna/m-p/5016484#M8435 <P>Yes the port is open. A debug isn't giving anything useful either unfortunately.</P> Mon, 12 Feb 2024 10:48:08 GMT https://community.cisco.com/t5/cisco-catalyst-center/certificate-install-issue-wlc-dna/m-p/5016484#M8435 glsparks 2024-02-12T10:48:08Z https://community.cisco.com/t5/cisco-catalyst-center/certificate-install-issue-wlc-dna/m-p/5016989#M8448 <P>Did you configure default aaa methods for authentication and authorization on C9800?</P> <P>aaa authentication login default local (or group)<BR />aaa authorization exec default local (or group)</P> Tue, 13 Feb 2024 01:28:15 GMT https://community.cisco.com/t5/cisco-catalyst-center/certificate-install-issue-wlc-dna/m-p/5016989#M8448 LC.IT 2024-02-13T01:28:15Z https://community.cisco.com/t5/cisco-catalyst-center/certificate-install-issue-wlc-dna/m-p/5017393#M8450 <P>Finally figured this out after some extensive debugging. Basically it was two issues. The WLC was unable to do a Certificate Revocation check and the full cert chain was not in the cert being uploaded. Once they were addressed it uploaded fine.</P> Tue, 13 Feb 2024 08:29:47 GMT https://community.cisco.com/t5/cisco-catalyst-center/certificate-install-issue-wlc-dna/m-p/5017393#M8450 glsparks 2024-02-13T08:29:47Z https://community.cisco.com/t5/cisco-catalyst-center/certificate-install-issue-wlc-dna/m-p/5077839#M9028 <P>How did you address/fix those issues?</P> Thu, 25 Apr 2024 00:07:34 GMT https://community.cisco.com/t5/cisco-catalyst-center/certificate-install-issue-wlc-dna/m-p/5077839#M9028 Captain82 2024-04-25T00:07:34Z https://community.cisco.com/t5/cisco-catalyst-center/certificate-install-issue-wlc-dna/m-p/5078036#M9036 <P>As I recall it i deleted the existing trustpoint DNAC-CA.</P><P>Recreated it with the line "revocation-check crl none" e.g.</P><P>crypto pki trustpoint DNAC-CA<BR />enrollment mode ra<BR />enrollment terminal<BR />usage ssl-client<BR />revocation-check crl none<BR />source interface GigabitEthernet0</P><P>&nbsp;</P><P>Then manually imported the full cert chain.</P><P>DNA error then cleared and telemetry came in.</P> Thu, 25 Apr 2024 07:04:52 GMT https://community.cisco.com/t5/cisco-catalyst-center/certificate-install-issue-wlc-dna/m-p/5078036#M9036 glsparks 2024-04-25T07:04:52Z https://community.cisco.com/t5/cisco-catalyst-center/certificate-install-issue-wlc-dna/m-p/5164653#M10036 <P>Hi There, having a similar issue trying to chain an intermediate certificate to a root ca certificate&nbsp;<BR />I have a root, intermediate and device certificate signed by a CA<BR />"</P><PRE>9800(config)#<STRONG>crypto pki trustpoint 9800-CSR &lt;&lt;&lt; This is the trustpoint created with the CSR</STRONG><BR />9800(ca-trustpoint)#<STRONG>chain-validation continue RootCA &lt;&lt;&lt; This is the trustpoint created above</STRONG><BR />9800(config)#<STRONG>crypto pki authenticate 9800-CSR<BR /></STRONG><BR />Enter the base 64 encoded CA certificate.<BR />End with a blank line or the word "quit" on a line by itself<BR /><BR /><STRONG>-----BEGIN CERTIFICATE-----</STRONG><BR /><STRONG>&lt;Intermediate CA certificate&gt; </STRONG><BR /><STRONG>-----END CERTIFICATE--. </STRONG></PRE><P>&nbsp;</P><PRE>&nbsp;</PRE><P>Did your fix involve adding all certificates (Eg root-ca, Intermediate and Device)<BR /><BR />The document i'm following only mentions adding the intermediate CA certificate, The root CA cert was successfully imported and authenticated in a previous step<BR /><BR /></P><PRE><STRONG>-----BEGIN CERTIFICATE-----</STRONG><BR /><STRONG>&lt;Intermediate CA certificate&gt; </STRONG><BR /><STRONG>-----END CERTIFICATE-----</STRONG></PRE><P><BR /><BR /><A href="https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/213917-generate-csr-for-third-party-certificate.html#toc-hId--699023295" target="_blank" rel="noopener">https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/213917-generate-csr-for-third-party-certificate.html#toc-hId--699023295</A><BR /><BR />Thanks</P> Thu, 22 Aug 2024 18:41:04 GMT https://community.cisco.com/t5/cisco-catalyst-center/certificate-install-issue-wlc-dna/m-p/5164653#M10036 pwelmarcus 2024-08-22T18:41:04Z https://community.cisco.com/t5/cisco-catalyst-center/certificate-install-issue-wlc-dna/m-p/5164854#M10040 <P>As I recall it was the full chain.</P> Fri, 23 Aug 2024 07:14:56 GMT https://community.cisco.com/t5/cisco-catalyst-center/certificate-install-issue-wlc-dna/m-p/5164854#M10040 glsparks 2024-08-23T07:14:56Z https://community.cisco.com/t5/cisco-catalyst-center/certificate-install-issue-wlc-dna/m-p/5170900#M10144 <P>As of the latest versions of the Catalyst Center software the revocation check none can now be configured using the GUI:</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="rasmuselmholt_0-1725455191336.png" style="width: 400px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/227769iFB5721DA6180674C/image-size/medium?v=v2&amp;px=400" role="button" title="rasmuselmholt_0-1725455191336.png" alt="rasmuselmholt_0-1725455191336.png" /></span></P> <P>&nbsp;</P> Wed, 04 Sep 2024 13:06:40 GMT https://community.cisco.com/t5/cisco-catalyst-center/certificate-install-issue-wlc-dna/m-p/5170900#M10144 rasmus.elmholt 2024-09-04T13:06:40Z https://community.cisco.com/t5/cisco-catalyst-center/certificate-install-issue-wlc-dna/m-p/5318823#M13076 <P>It is<SPAN>&nbsp;</SPAN><STRONG>very important the order</STRONG><SPAN>&nbsp;</SPAN>of<SPAN>&nbsp;</SPAN><STRONG>Chain cert</STRONG>&nbsp; (RootCA-&gt;SubCA-&gt;Cert):</P> <P>crypto pki authenticate DNAC-CA<BR />-----BEGIN CERTIFICATE-----<BR /><STRONG>RootCA</STRONG><BR />-----END CERTIFICATE-----<BR />-----BEGIN CERTIFICATE-----<BR /><STRONG>SubCA</STRONG><BR />-----END CERTIFICATE-----<BR />-----BEGIN CERTIFICATE-----<BR /><STRONG>Cert</STRONG><BR />-----END CERTIFICATE-----<BR />quit</P> <P>Certificate has the following attributes:<BR />Fingerprint MD5: "omitted"<BR />Fingerprint SHA1: "omitted"</P> <P>% Do you accept this certificate? [yes/no]:<SPAN>&nbsp;</SPAN><STRONG>yes</STRONG><BR />Trustpoint CA certificate accepted.<BR />% Certificate successfully imported</P> Fri, 08 Aug 2025 10:47:01 GMT https://community.cisco.com/t5/cisco-catalyst-center/certificate-install-issue-wlc-dna/m-p/5318823#M13076 marinogr 2025-08-08T10:47:01Z https://community.cisco.com/t5/cisco-catalyst-center/certificate-install-issue-wlc-dna/m-p/5335490#M13460 <P>You da man! <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span>&nbsp;</P> Thu, 02 Oct 2025 16:09:04 GMT https://community.cisco.com/t5/cisco-catalyst-center/certificate-install-issue-wlc-dna/m-p/5335490#M13460 bojarskic 2025-10-02T16:09:04Z