topic Re: Problems uploading the whole certificate chain to cisco WLC in Wireless

Problems uploading the whole certificate chain to cisco WLC

unaiabrisketa — Mon, 14 Feb 2022 10:24:29 GMT

Hello,

I am trying to upload a certificate for web auth and I am having issues to see the whole chain when I prompt the show certificate webauth command. When I connect to the guest SSID I just see the device certificate and not the whole chain so the browser is not trusting the ssl certificate.

I think that it could be related with the the untrust for the intermediate CA. Does anybody know if there is an option to upload the intermediate CA certificate?

The device is a mobility express in 8.2.x version. Any other idea?

Thanks for support!

Re: Problems uploading the whole certificate chain to cisco WLC

Scott Fella — Mon, 14 Feb 2022 15:06:23 GMT

Did you bundle the pem file with the root, intermediate(s) and the device certificate? If so, you should see the chain properly when viewing the certificate on a browser. Take a look at this link:

Generate CSR for Third-Party Certificates and Download Chained Certificates to the WLC - Cisco

You can search the web for "cisco mobility express wlc 3rd party certificate"

Re: Problems uploading the whole certificate chain to cisco WLC

Rich R — Mon, 14 Feb 2022 15:11:19 GMT

8.2 is end of life. Even the end of life notice seems to have disappeared from Cisco web site!

https://www.cisco.com/c/en/us/products/collateral/wireless/wireless-controllers/bulletin-c25-738147.html#EarlyDeploymentEDreleases

Although Google still has a cached copy at the moment: https://webcache.googleusercontent.com/search?q=cache:xO77LjSGw_sJ:https://www.cisco.com/c/en/us/products/collateral/wireless/8500-series-wireless-controllers/bulletin-c25-742074.pdf+&cd=3&hl=en&ct=clnk&gl=uk

So I'd start by making sure you're on up to date supported software for a start:

https://www.cisco.com/c/en/us/support/docs/wireless/wireless-lan-controller-software/200046-tac-recommended-aireos.html#anc12

If you go to 8.10 you might need to go via 8.5 as an intermediate - depends what other APs you're supporting.

As for your certificate issue:

- I don't think loading the full cert chain will magically cause the browser to trust your cert - that really depends on the browser trusted root CAs, but entirely browser and OS dependent.

- If you follow the instructions for uploading your cert then you should be uploading the PEM file for the complete cert chain already?

https://www.cisco.com/c/en/us/support/docs/wireless/4400-series-wireless-lan-controllers/109597-csr-chained-certificates-wlc-00.html

I don't see any instructions specific to ME so I wonder if it is even supported on ME?

Re: Problems uploading the whole certificate chain to cisco WLC

unaiabrisketa — Mon, 14 Feb 2022 15:11:20 GMT

Hi Scott,

I have uploaded the whole chain in the same pem file with the private key, but I am not being able to see it when I saw the redirection of the cisco wireless controller. If I prompt the show certificate webauth command I don't see the whole chain, do you see a complete chain when you issue that command?

Could it be because of the lack of the intermediate certificate in the trust list of the Cisco WLC?

Regards,

Unai

Re: Problems uploading the whole certificate chain to cisco WLC

Scott Fella — Mon, 14 Feb 2022 15:15:42 GMT

The document doesn't state to upload the private key. So that tells me that the pem file you created is incorrect and doesn't follow how the certificate should be bundled.

Re: Problems uploading the whole certificate chain to cisco WLC

Rich R — Mon, 14 Feb 2022 15:22:22 GMT

@Scott Fella step 4 of Step 2 option B https://www.cisco.com/c/en/us/support/docs/wireless/4400-series-wireless-lan-controllers/109597-csr-chained-certificates-wlc-00.html#anc13 explains how to add the key in the final step before uploading the cert chain.

Re: Problems uploading the whole certificate chain to cisco WLC

Rich R — Mon, 14 Feb 2022 15:29:41 GMT

"show certificate webauth" does not show the full chain for me on WLC running 8.0, 8.5 or 8.10

And is working perfectly.

Re: Problems uploading the whole certificate chain to cisco WLC

Scott Fella — Mon, 14 Feb 2022 15:33:48 GMT

@Rich R I was making sure that the pem file when put together only has the certificates. and should look like the following. I have seen folks take a certificate chain and bundle it incorrectly. That option B could be skipped if option A was done properly. Only way to tell is if the cert was attached or if it looks like something below.

------BEGIN CERTIFICATE------
*Device cert*
------END CERTIFICATE------
------BEGIN CERTIFICATE------
*Intermediate CA cert *
------END CERTIFICATE--------
------BEGIN CERTIFICATE------
*Root CA cert *
------END CERTIFICATE------

Re: Problems uploading the whole certificate chain to cisco WLC

patoberli — Tue, 15 Feb 2022 09:01:19 GMT

One small note. Depending on how you have joined the certificates, you sometimes have comments added between the lines

------END CERTIFICATE------
------BEGIN CERTIFICATE------

To check this, open the certificate in notepad++ and remove all comments between those lines and save it. Same goes for such comments at the top or bottom of the certificate.

Re: Problems uploading the whole certificate chain to cisco WLC

unaiabrisketa — Tue, 15 Feb 2022 16:06:34 GMT

Is there any way to check if the full chain is correctly uploaded? Can I connect to the virtual IP of the web auth?

I don't find the way to do that...

Re: Problems uploading the whole certificate chain to cisco WLC

Scott Fella — Tue, 15 Feb 2022 16:09:06 GMT

Why not try it and see. Firefox can show you the whole chain or else you have to view the certificate and see if the whole chain is there or not.

Re: Problems uploading the whole certificate chain to cisco WLC

unaiabrisketa — Wed, 16 Feb 2022 09:12:22 GMT

Hi Scott,

I don't have physical access to the AP, and logically, I don't have routes for the 192.0.2.1 IP address through my VPN connection. I have tried to upload it to the webadmin certificate, I have checked that the whole chain is uploaded, so it seems that it is now working correctly.

Regards,

Unai

Re: Problems uploading the whole certificate chain to cisco WLC

patoberli — Wed, 16 Feb 2022 12:31:56 GMT

Ah great. Otherwise if you have openssl around, you can use this command:

openssl s_client -connect host.host:9999

Simply adjust the hostname and port. You get either provided with just the server identity certificate or with the whole chain.

For example for www.cisco.com it looks like this:

openssl s_client -connect www.cisco.com:443
CONNECTED(00000003)
depth=2 C = US, O = IdenTrust, CN = IdenTrust Commercial Root CA 1
verify return:1
depth=1 C = US, O = IdenTrust, OU = HydrantID Trusted Certificate Service, CN = HydrantID Server CA O1
verify return:1
depth=0 CN = www.cisco.com, O = Cisco Systems Inc., L = San Jose, ST = California, C = US
verify return:1
---
Certificate chain
 0 s:CN = www.cisco.com, O = Cisco Systems Inc., L = San Jose, ST = California, C = US
   i:C = US, O = IdenTrust, OU = HydrantID Trusted Certificate Service, CN = HydrantID Server CA O1
 1 s:C = US, O = IdenTrust, OU = HydrantID Trusted Certificate Service, CN = HydrantID Server CA O1
   i:C = US, O = IdenTrust, CN = IdenTrust Commercial Root CA 1
 2 s:C = US, O = IdenTrust, CN = IdenTrust Commercial Root CA 1
   i:C = US, O = IdenTrust, CN = IdenTrust Commercial Root CA 1
---

If it's showing more than one certificate at the top (like here with the three certificates) you have received the probably complete chain. Here the depth 2 is the root, depth 1 is the optional intermediate and depth 0 is the server identity certificate.

Re: Problems uploading the whole certificate chain to cisco WLC

Scott Fella — Wed, 16 Feb 2022 14:35:03 GMT

So what did you do to make it work?