topic Re: Cisco 5520 WLC WebAdmin Cert in Wireless

Cisco 5520 WLC WebAdmin Cert

Chris Terry — Wed, 15 Feb 2023 17:42:13 GMT

I'm trying to install a WebAdmin cert for a Cisco WLC 5520 version 8.5.151.

I generated the CSR via CLI and had it signed. I uploaded the .pem file to the controller. It's returning a certificate error of NET::ERR_CERT_COMMON_NAME_INVALID when visiting the webadmin login page. I entered the FQDN in the common name when I generated the CSR, and the FQDN is in DNS and resolves.

Is there something that would fix this issue?

Re: Cisco 5520 WLC WebAdmin Cert

Mark Elsen — Wed, 15 Feb 2023 17:55:54 GMT

- FYI : https://www.cisco.com/c/en/us/support/docs/wireless/wireless-lan-controller-software/215425-troubleshoot-certificate-installation-on.html

Re: Cisco 5520 WLC WebAdmin Cert

jagan.chowdam — Wed, 15 Feb 2023 21:28:42 GMT

Once certificate installed, did you reboot the controllers?

Have you updated your DNS with the entry of the information on the Virtual interface?

/*Please rate all useful responses*/

Re: Cisco 5520 WLC WebAdmin Cert

Chris Terry — Wed, 15 Feb 2023 22:36:01 GMT

Hi CJ,

Can you be more specific? Does there need to be a DNS entry for the virtual IP, or are you referring to the DNS Host Name field under the Virtual Interface settings? Will it be the same hostname that would be set for the management IP, or would it be a different name that would be included as a SAN in the cert?

Re: Cisco 5520 WLC WebAdmin Cert

Rich R — Thu, 16 Feb 2023 18:03:39 GMT

Generally speaking as long as you follow the instructions to the letter here https://www.cisco.com/c/en/us/support/docs/wireless/4400-series-wireless-lan-controllers/109597-csr-chained-certificates-wlc-00.html it should just work.
We don't use the WLC to generate the CSR - we use openssl.
Our DNS entry = CN = first SAN entry = WLC virtual hostname
And the DNS entry resolves to the WLC virtual IP.
That has worked reliably for us for years.

From the link above:
Note: It is important to provide the correct Common Name. Ensure that the host name that is used to create the certificate (Common Name) matches the Domain Name System (DNS) host name entry for the virtual interface IP address on the WLC and that the name exists in the DNS as well. Also, after you make the change to the Virtual IP (VIP) interface, you must reboot the system in order for this change to take effect.

Re: Cisco 5520 WLC WebAdmin Cert

Chris Terry — Tue, 28 Feb 2023 20:43:05 GMT

I was able get a working/valid cert. I had to use openssl. My certificate authority needed the SAN entry. Generating a CSR on the WLC doesn't have an option for SANs.

Re: Cisco 5520 WLC WebAdmin Cert

Scott Fella — Tue, 28 Feb 2023 21:04:50 GMT

Thanks for providing the solution. This helps the community and those whom run into the same issue.

Re: Cisco 5520 WLC WebAdmin Cert

pwaghmare — Thu, 21 Dec 2023 02:40:20 GMT

Hi Experts,

I had a a little bit different query but in connection to this topic itself.

So, in my case I was successfully able to apply third party CA signed cert on WLC 5520 and all works on https FQDN connection. CSR was generated with FQDN name in CN field via openssl. So, now https connection to WLC mgmt IP is non-cert checked session, and https to WLC FQDN is cert checked secure session. How to not allow https to WLC IP directly and cease it off post the WLC FQDN session works fine with third party CA signed cert.

Re: Cisco 5520 WLC WebAdmin Cert

Rich R — Thu, 21 Dec 2023 11:34:18 GMT

There's no easy way to that. It would require filtering the TLS header for the SNI field and allowing the FQDN SNI while dropping the IP SNI. But TLS 1.3 introduces encrypted SNI so eventually even that won't be possible but for today if you wanted to do that for 5520 that's how you would do it.

Otherwise you just need to educate your users or apply policy to their devices blocking access to the direct IP URL.