topic Thanks for your comments - I in Wireless

Cisco Wireless 5508 - Web authentication

deanshaw35 — Mon, 05 Jul 2021 09:03:25 GMT

I am attempting to load a Thawte third party certificate onto a WLC5508.

I used OpenSSL but for some reason the chained Certificate wouldn't load onto the WLC.

One of the documents I have used indicates the Cert should be Apache compatible with SHA1 encryption.

Unfortunately Thawte will not provide a Cert with less than SHA256

Can someone please advise me if SHA1 is still a requirement on the latest WLC 7.6 software?

SHA2 should be supportedhttps

Saurav Lodh — Tue, 02 Dec 2014 14:18:16 GMT

SHA2 should be supported

https://supportforums.cisco.com/document/102151/certificate-signing-requests-wlc-open-ssl

I don't know if this is your

George Stefanick — Tue, 02 Dec 2014 14:30:16 GMT

I don't know if this is your issue. When I used OpenSSL 1.x something it failed each time. I spent all day till I read this. I tried a lower rev and worked the first time ..

Again, not sure if this is your issue. But wanted to throw this in there ..

Install and open the OpenSSL application. In Windows, by default, openssl.exe is located at C:\ > openssl > bin.
Note: OpenSSL 0.9.8 is required as the WLC does not currently support OpenSSL 1.0.

Thanks for your comments - I

deanshaw35 — Tue, 02 Dec 2014 21:28:28 GMT

Thanks for your comments - I am using OpenSSL 0.9.8zc

The Certificate Authority is Thawte. The Cert option I selected was ApacheSSL but there was no option for SHA2 - only SHA256. I am trying a second time with a chained cert..Hopefully this time it will work.I am suprised at how difficult the process seems to be..

Sha2 includes SHA256 The SHA

George Stefanick — Tue, 02 Dec 2014 21:44:31 GMT

Sha2 includes SHA256

The SHA-2 family consists of six hash functions with digests (hash values) that are 224, 256, 384 or 512 bits: SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224, SHA-512/256.

Thanks George - I didn't know

deanshaw35 — Tue, 02 Dec 2014 22:23:10 GMT

Thanks George - I didn't know that - much appreciated..

No worries .. If any of this

George Stefanick — Tue, 02 Dec 2014 22:53:21 GMT

No worries .. If any of this is helpful don't be afraid to support the rating system 🙂

HiWe are having the same

Olof Wiking — Sun, 07 Dec 2014 17:17:11 GMT

We are having the same problem. From what we have seen Thawte ended their support for SHA-1 30 october this year. We were told that if we wanted a sha-1 certificate we had to upgrade our account to enterprice at a higher cost.

Strangely enough we managed to install the certificate with sha-256 on some of our controllers with the software version 7.0.230.0. That was an older 4402 and a WISM1 blade.

On our 5508's with 7.6.120.0 it didn't work.

Its strange that Cisco doesnt have support for sha-256 since several webbrowser will stop their support of sha-1.

http://www.zdnet.com/article/google-accelerates-end-of-sha-1-support-certificate-authorities-nervous/

http://blogs.technet.com/b/pki/archive/2013/11/12/sha1-deprecation-policy.aspx

Below is a text from Thawtes website. Are there a way where we can use sha-1 for the root certificate and still use sha-256 for intermediate and device?

We recommend the default option, SHA-256 for the certificate and SHA-1 for the root CA, for most SSL certificate uses. Nearly all browsers and applications support the SHA-1 root CA, so most browsers and applications can connect to your site.

Note that using SHA-1 for the root CA is secure and compliant, because the root CA is verified by means other than the signature hash algorithm.