topic How can I generate self signed 9800 WLC cert for web admin in Wireless

How can I generate self signed 9800 WLC cert for web admin

PythonUser777 — Tue, 07 Jun 2022 11:14:11 GMT

Hello people,

Does anyone how can I generate a self signed certificate on my Cisco 9800 WLC for web admin?

I'm using a 16.12.2s release and I can generate the RSA key pair with GUI or via CLI, but when I create the trustpoint and I set the rsa keypair plus the Subject name and other values it seems that the trustpoint it's empty:

My-9800-WLC# show crypto pki trustpoints
Trustpoint my-self-signed-cert:

The trustpoint it's configured like this:

My-9800-WLC(ca-trustpoint)#show
enrollment retry count 999
enrollment retry period 1
subject-name C=IT, ST=Italy, L=Milan, O=MyORG, OU=MyORG IT, CN=myorg.local
subject-alt-name myorg.local
revocation-check none
rsakeypair self-signed-key-test
hash sha1

How can I generate a self-signed certificate via CLI or GUI?

Thanks

Re: How can I generate self signed 9800 WLC cert for web admin

Flavio Miranda — Tue, 07 Jun 2022 12:52:43 GMT

Take a look here.

https://www.niap-ccevs.org/MMO/Product/st_vid11044-agd.pdf

https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=&cad=rja&uact=8&ved=2ahUKEwi62bDjr5v4AhV1upUCHU_WAKUQFnoECGMQAQ&url=https%3A%2F%2Fwww.niap-ccevs.org%2FMMO%2FProduct%2Fst_vid11044-agd.pdf&usg=AOvVaw0LJOVSQVZlNDVLulWyEKzs

Re: How can I generate self signed 9800 WLC cert for web admin

balaji.bandi — Tue, 07 Jun 2022 16:30:22 GMT

16.12.X code is bit old, suggest to upgrade to latest 17.3.3

follow below guide for certificate : ( same way you can sign local CA instead of 3rd party) - Hope that help you.

https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/213917-generate-csr-for-third-party-certificate.html

Re: How can I generate self signed 9800 WLC cert for web admin

Arshad Safrulla — Tue, 07 Jun 2022 18:58:54 GMT

As @balaji.bandi mentioned please upgrade your WLC to the latest Cisco TAC recommended code. You can find it here

Basically it depends on the AP model's registered to your WLC, if you have any Wave1 AP's latest recommended code is 17.3.5a CCO image + SMU, if you have all WiFi6 AP's then you can upgrade to 17.6.3.

If you have physical controller it is recommended that you upgrade the ROMMON to the latest recommended release as well.

If you are looking for Self signed certificate for CAPWAP between AP to WLC then follow the below;

● Delete the certificates which were copied along with the configuration. To do this, first check the existing certificates using the command “show crypto pki trustpoint”

● Delete the existing certificate authority “WLC_CA”: no crypto pki server WLC_CA

● Delete existing device certificates: no crypto pki trustpoint "<hostname>_WLC_TP"

● Create a new SSC for the management interface using the exec command: wireless config vwlc-ssc key-size 2048 signature-algo sha256 password 0 <password>

https://www.cisco.com/c/en/us/products/collateral/wireless/catalyst-9800-series-wireless-controllers/guide-c07-743627.html#:~:text=register%20idtoken%20%3CTOKENID%3E-,There,-are%20extra%20considerations

If you need to install certificate in 9800 for any other purpose it is covered in the below article

Generate and Download CSR Certificates on Catalyst 9800 WLCs - Cisco