topic Re: C9800 WLC PKI Cert Renew Error in Wireless

C9800 WLC PKI Cert Renew Error

sajidabbas — Tue, 19 Sep 2023 22:00:22 GMT

Hi,

We have been receiving this error on our C9800-CL controller for some time now and not sure what it requires.

%PKI-2-CERT_RENEW_FAIL: Certificate renewal failed for trustpoint sdn-network-infra-iwan Reason : Failed to get ID certificate from CA server

Does anyone know what this might be related to. Currently our infrastructure and controller does not have any issues and this controller is managed by DNA Center.

Sajid

Re: C9800 WLC PKI Cert Renew Error

Mark Elsen — Wed, 20 Sep 2023 06:52:09 GMT

- Note sure if the feature is supported on 9800 controller ; in that context start with a checkup of the controller configuration with the CLI command show tech wireless ; feed the output into : https://cway.cisco.com/wireless-config-analyzer/

Some of these commands may provide insights :
show crypto pki certificates
show crypto pki timers
show crypto pki server

In the running-config , you can also enable : debug pki transaction and check logs

Also check current software version ; compare too : https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/214749-tac-recommended-ios-xe-builds-for-wirele.html

Re: C9800 WLC PKI Cert Renew Error

lrob5 — Wed, 27 Sep 2023 16:12:03 GMT

Same issue but our 9800-L is not managed by DNA

Re: C9800 WLC PKI Cert Renew Error

sroic — Wed, 15 May 2024 09:32:20 GMT

Just got the same alert on same setup, did you find the solution maybe?

Re: C9800 WLC PKI Cert Renew Error

jagan.chowdam — Wed, 15 May 2024 13:40:50 GMT

What is the DNA Center / Catalyst Center version?

Can you run the following command on WLC:

show telemetry internal connection

I see couple of bugs listed with exact same issue:

Jagan Chowdam

/**Pls rate useful responses**/

Re: C9800 WLC PKI Cert Renew Error

sroic — Wed, 15 May 2024 14:26:39 GMT

DNA version is 2.3.5.5-70026, WLC is 17.9.4.

This command doesnt exists at my WLC

show telemetry internal connection

I did run

show telemetry connection all

found an Index name and with:

show telemetry internal connection 1795 detail

I got this:

Telemetry protocol manager stats:

Con str : <DNA IP>:25103:0:<WLC IP>
Sockfd : 114
Protocol : tls-native
State : CNDP_STATE_CONNECTED
Table id : 0
Profile : sdn-network-infra-iwan
Version : TLSv1.2
Wait Mask :
Connection Retries : 0
Send Retries : 28
Pending events : 0
Session requests : 1
Session replies : 1
Source ip : <WLC IP>
Bytes Sent : 127922718617
Msgs Sent : 30681689
Msgs Received : 0
Creation time: : Tue May 7 21:31:49:64
Last connected time: : Tue May 7 21:31:49:251
Last disconnect time: :
Last error: :
Connection flaps: : 0
Last flap Reason: :
Keep Alive Timeouts: : 0
Last Transport Error : No Error

Re: C9800 WLC PKI Cert Renew Error

jagan.chowdam — Wed, 15 May 2024 16:34:46 GMT

The state is CNDP_STATE_CONNECTED, indicating that the connection was successfully established.

Check the status with the following commands

show crypto pki certificates verbose sdn-network-infra-iwan

show crypto pki trustpoint sdn-network-infra-iwan status

Re: C9800 WLC PKI Cert Renew Error

sroic — Thu, 16 May 2024 09:53:44 GMT

Hi @jagan.chowdam ,

this is my output of those commands, not sure what to think of it:

wlc-a#show crypto pki certificates verbose sdn-network-infra-iwan Certificate Status: Available Version: 3 Certificate Serial Number (hex): 56F2F3AD75229045 Certificate Usage: General Purpose Issuer: cn=sdn-network-infra-ca Subject: Name: wlc-a.eu-central-1.compute.internal cn=C9800-CL-K9_9B1KVTSUSVQ_sdn-network-infra-iwan hostname=wlc-a.eu-central-1.compute.internal Validity Date: start date: 10:24:16 UTC Jul 26 2023 end date: 10:24:16 UTC Jul 25 2024 renew date: 10:25:08 UTC May 16 2024 Subject Key Info: Public Key Algorithm: rsaEncryption RSA Public Key: (2048 bit) Signature Algorithm: SHA512 with RSA Encryption Fingerprint MD5: EEBAE572 56F4D25C 0C73F2CB 7173D8A2 Fingerprint SHA1: 8594A177 49F0A75A 91727A16 3A811CB4 76C728E7 X509v3 extensions: X509v3 Key Usage: E0000000 Digital Signature Non Repudiation Key Encipherment X509v3 Subject Key ID: 85A02533 93720D11 A90E2DF2 6318C367 AEC0C990 X509v3 Basic Constraints: CA: FALSE X509v3 Authority Key ID: 88123ACC 7E0D37EB 38270C55 E1D3FD60 865322DF Authority Info Access: Extended Key Usage: Email Protection Client Auth Cert install time: 14:38:23 UTC Nov 19 2023 Associated Trustpoints: sdn-network-infra-iwan Storage: nvram:sdn-network-#9045.cer Key Label: sdn-network-infra-iwan Key storage device: private config CA Certificate Status: Available Version: 3 Certificate Serial Number (hex): 2B736CDA315062D2 Certificate Usage: Signature Issuer: cn=sdn-network-infra-ca Subject: cn=sdn-network-infra-ca Validity Date: start date: 13:33:20 UTC Jun 8 2022 end date: 13:33:20 UTC Jun 8 2037 Subject Key Info: Public Key Algorithm: rsaEncryption RSA Public Key: (2048 bit) Signature Algorithm: SHA512 with RSA Encryption Fingerprint MD5: 30955623 ACFA56E3 725AE71A 01643551 Fingerprint SHA1: DC7569CF 2070926E 7293898D 0236AF85 B9161AEB X509v3 extensions: X509v3 Key Usage: 86000000 Digital Signature Key Cert Sign CRL Signature X509v3 Subject Key ID: 88123ACC 7E0D37EB 38270C55 E1D3FD60 865322DF X509v3 Basic Constraints: CA: TRUE X509v3 Authority Key ID: 88123ACC 7E0D37EB 38270C55 E1D3FD60 865322DF Authority Info Access: Cert install time: 14:38:23 UTC Nov 19 2023 Associated Trustpoints: sdn-network-infra-iwan Storage: nvram:sdn-network-#62D2CA.cer wlc-a#show crypto pki trustpoint sdn-network-infra-iwan status Trustpoint sdn-network-infra-iwan: Issuing CA certificate configured: Subject Name: cn=sdn-network-infra-ca Fingerprint MD5: 30955623 ACFA56E3 725AE71A 01643551 Fingerprint SHA1: DC7569CF 2070926E 7293898D 0236AF85 B9161AEB Router General Purpose certificate configured: Subject Name: cn=C9800-CL-K9_9B1KVTSUSVQ_sdn-network-infra-iwan,hostname=wlc-a.eu-central-1.compute.internal Fingerprint MD5: EEBAE572 56F4D25C 0C73F2CB 7173D8A2 Fingerprint SHA1: 8594A177 49F0A75A 91727A16 3A811CB4 76C728E7 Last enrollment status: Failed Next enrollment attempt: 10:25:08 UTC May 16 2024 * A new key will be generated * * Configuration will not be saved after enrollment * State: Keys generated ............. Yes (General Purpose, non-exportable) Issuing CA authenticated ....... Yes Certificate request(s) ..... Yes

Any ideas are welcome

Re: C9800 WLC PKI Cert Renew Error

jaheshkhan — Mon, 20 May 2024 12:50:26 GMT

Did your issue solved ? i faced the same problem now? can you provide the remediation if the issue got solved?

Re: C9800 WLC PKI Cert Renew Error

sroic — Mon, 20 May 2024 12:56:00 GMT

Hi @jaheshkhan ,

I needed to select WLC from Inventory page in DNAC and update telemetry settings using force config push option. Seems this issue occurs after DNAC update

Re: C9800 WLC PKI Cert Renew Error

jaheshkhan — Mon, 20 May 2024 14:16:32 GMT

in my case status is active and connection is up.

but last fingerprint is showing as failed. similarly like you. so can i try your steps then?

Re: C9800 WLC PKI Cert Renew Error

sroic — Mon, 20 May 2024 14:25:49 GMT

Sounds pretty similar to outputs that I pasted above. I don't work at TAC but I believe you can 🙂

Re: C9800 WLC PKI Cert Renew Error

tpense — Tue, 23 Jul 2024 09:56:03 GMT

I am facing the same issues. Is the solution you found interfering the Wifi-Experience of the User or can this be done "hitless"?

Thanks in advance.

Re: C9800 WLC PKI Cert Renew Error

sroic — Tue, 23 Jul 2024 10:49:31 GMT

For me it wasn't interfering with anything on the wifi side

Re: C9800 WLC PKI Cert Renew Error

krsmith — Mon, 25 Nov 2024 18:26:14 GMT

This worked for me as well (On Cat 9300 switches), in inventory > actions > telemetry > update telemetry settings, need to select force push config and it renewed the expired cert for me as well.

For some reason this isn't documented anywhere I could find, unless my google-fu is getting worse

Re: C9800 WLC PKI Cert Renew Error

niwirtz — Fri, 03 Jan 2025 14:45:14 GMT

The sdn-network-infra-iwan certificate and associated trust point is a Cisco Catalyst Center (formerly known as Cisco DNA Center) pushed certificate as part of establishing the telemetry connection with the applicable device. When we see the below error, this means that renewal of the client cert fails due to the inability to retrieve and identity cert from the CA.

%PKI-2-CERT_RENEW_FAIL: Certificate renewal failed for trustpoint sdn-network-infra-iwan Reason : Failed to get ID certificate from CA server

The CA in this instance is either Catalyst Center or a configured external SCEP broker which can be verified under the Menu > System > Settings > Certificate Authority (as seen in 2.3.7.x versions). Often, the cause for the renewal failure is due to a connectivity issue with the enrollment URL reachability. To find evidence of this, first verify the enrollment URL in the sdn-network-infra-iwan trustpoint:

crypto pki trustpoint sdn-network-infra-iwan
enrollment url http://<your_FQDN/IP>:80/ejbca/publicweb/apply/scep/sdnscep

Then, in the logs, you might be able to find a connectivity issue to the shared FQDN within that URL. For example:

%PKI-3-HOSTNAME_RESOLVE_ERR: Failed to resolve HOSTNAME/IPADDRESS :<your_FQDN/IP>

The earlier shared debugging commands ran during an auto-enrollment should give you more details if this is not the cause of the certificate renewal failure. There are many other possible causes of auto-renewal failure on either the client or server side.

Re: C9800 WLC PKI Cert Renew Error

derobert87 — Mon, 03 Mar 2025 11:23:26 GMT

Hi All,
we just had this problem that after DNA reboot we lost telemetry on our devices. Turned out that DNA wanted to refresh certs on the devices but was failing because it could not call enrollment url

%PKI-3-PKCS12_IMPORT_FAILURE: PKCS #12 import failed for trustpoint: sdn-network-infra-iwan. Reason: Failed to read PKCS12 from url: https://10.1.2.3/api/v1/trust-point/pkcs12/xxxyyyzzz

So you can see that it uses IP address and not FQDN name of our DNA appliance (and we have system certificate with FQDN imported).

So what TAC suggested was to generate system certificate again but this time add this IP address to SAN field, so there are both FQDN and IP entries.

I uploaded new system cert, DNA was able to refresh certs on devices and telemetry is working again. I hope this helps someone.

Re: C9800 WLC PKI Cert Renew Error

Chandan Singh — Mon, 18 Aug 2025 12:50:26 GMT

1. Manually remove the “sdn-network-infra-iwan” certs from the WLC and save the configuration:
config t
no crypto pki trustpoint sdn-network-infra-iwan
end
wr
2. Re-sync the device from DNAC inventory:
a. Inventory > Select the WLC > Actions > Inventory > Resync Device
3. Once completed, do a force configuration push from DNAC:
a. From the inventory, select the WLC once > Actions > Telemetry > Update Telemetry Settings > Ensure "Force Configuration Push" is selected and click Next until completed.

you will get this certificate again from dnc after synic.

Re: C9800 WLC PKI Cert Renew Error

Chandan Singh — Tue, 19 Aug 2025 03:57:01 GMT

I am also facing the same issue on the 9800 WLC, and I resolved it with the steps below.

Manually remove the “sdn-network-infra-iwan” certs from the WLC and save the configuration:

config t

no crypto pki trustpoint sdn-network-infra-iwan

end

Re-sync the device from DNAC inventory:

Inventory > Select the WLC > Actions > Inventory > Resync Device

Once completed, do a force configuration push from DNAC:

From the inventory, select the WLC once > Actions > Telemetry > Update Telemetry Settings > Ensure "Force Configuration Push" is selected and click Next until completed.

Re: C9800 WLC PKI Cert Renew Error

craiglebutt — Fri, 19 Sep 2025 07:35:52 GMT

Did this require a reboot?

Cheers