topic Re: Reloading 9800-CL after certificate renewal in Wireless

Reloading 9800-CL after certificate renewal

CDSFDSDXC — Mon, 06 Nov 2023 16:37:50 GMT

Hi, I have a pair of 9800-CL's in HA (17.9.3). A certificate expired recently for one of the SSID's which I've renewed and uploaded to the WLC. However the new certificate hasn't taken effect yet and it seems I need to reboot the WLC's for the new certificate to take over.

How do I reload each WLC independently so we don't lose any service as the reload command looks like it reloads both WLC's?

Many thanks.

Re: Reloading 9800-CL after certificate renewal

Mark Elsen — Mon, 06 Nov 2023 17:34:29 GMT

- CLI command redundancy force-switchover , will reboot the current controller (command executed on only)

Re: Reloading 9800-CL after certificate renewal

Rich R — Tue, 07 Nov 2023 15:35:21 GMT

There should not be any need to reload 9800-CL for certificate updates. In fact a reload will not change the config so won't solve your problem. What type of certificate did you change and what procedure did you follow?

Installing the certificate just creates a new PKI trustpoint. After that you need to tell the service (eg web auth or web admin) to use the new trustpoint:
https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/213917-generate-csr-for-third-party-certificate.html#toc-hId--466302648

Re: Reloading 9800-CL after certificate renewal

Ambuj M — Tue, 07 Nov 2023 15:39:35 GMT

Since its for SSID, I assuming its for local webauth, you just need to restart the http service and select the new trustpoint for webauth, see section local web authentication here

Re: Reloading 9800-CL after certificate renewal

CDSFDSDXC — Thu, 09 Nov 2023 14:20:22 GMT

Yes it's for WebAuth. I've tried running the below commands as per the guide:

9800(config)#no ip http server
9800(config)#ip http server

But the expiry dates haven't updated when I do a show crypto pki certificates .

Could the issue be that both the old and new certificates have the same name and it's getting confused between the two? Do I need to remove the expired cert before adding the new one?

Re: Reloading 9800-CL after certificate renewal

Rich R — Thu, 09 Nov 2023 16:24:31 GMT

It's think it's impossible to have 2 trustpoints with the same name - are you sure about that?
If you do have 2 with the same name then I guess it would be a good idea to delete the old one because it will probably just pick up the first one which may be the old one.
Did you configure the parameter map to use the new certificate trustpoint as per the guide?
You can delete the old cert/trustpoint after you've configured it to use the new one.

"But the expiry dates haven't updated when I do a show crypto pki certificates" - that sounds like you haven't even uploaded the new certificate. Whether you're using it or not it should still be there.
Really though you should be using "show crypto pki trustpoints" because it's the trustpoint that you configure on the parameter map, not the certificate.

parameter-map type webauth global
type webauth
trustpoint <trustpoint-name>.p12

Re: Reloading 9800-CL after certificate renewal

CDSFDSDXC — Tue, 14 Nov 2023 15:24:37 GMT

I've now updated the device certificate and I can see that it's in date. However there are two SSID's that use the certificate for Web Auth and only one has updated. When trying to log into these SSIDs from the users point of view one is still complaining about and expired certificate. The new certificate has been selected in Web Auth Global Parameter Map and the old certificate deleted from the Trustpoints list. Any ideas?

Re: Reloading 9800-CL after certificate renewal

Mark Elsen — Tue, 14 Nov 2023 16:34:11 GMT

- Have a checkup of the 9800-CL controller configuration with the CLI command show tech wireless ; feed the output into :
Wireless Config Analyzer

Re: Reloading 9800-CL after certificate renewal

Rich R — Tue, 14 Nov 2023 17:23:00 GMT

Does the other SSID use a custom parameter map that might be using the old trustpoint?
Or maybe you're extra an external web auth like ISE or 3rd party service?
If you deleted the old certificate then how could the WLC still be using the old cert?

Re: Reloading 9800-CL after certificate renewal

CDSFDSDXC — Fri, 06 Sep 2024 14:39:04 GMT

Apologies for the late reply, but it was because I hadn't installed the certificate on the guest anchor WLC!

Re: Reloading 9800-CL after certificate renewal

Scott Fella — Fri, 06 Sep 2024 15:02:05 GMT

Wow... that took a while:), but it's great to see folks post the answer as that will help others when they are searching for answers.