topic Re: WLC 2504: Web Auth certificate expires in Wireless

WLC 2504: Web Auth certificate expires

as00001111 — Mon, 05 Jul 2021 15:52:41 GMT

Hey all!

I'm using a wlc 2504. There is a third party signed (public signed) certificate for the guest portal.

Can someone tell me how to recreate that certifcate?

The current certificate is going to expire in a few days.

Thank you!

Re: WLC 2504: Web Auth certificate expires

Flavio Miranda — Wed, 18 Jul 2018 13:42:17 GMT

Take a look here:

https://supportforums.cisco.com/t5/wireless-mobility-videos/installing-a-3rd-party-ssl-certificate-for-guest-access/ba-p/3100316

-If I helped you somehow, please, rate it as useful.-

Re: WLC 2504: Web Auth certificate expires

as00001111 — Tue, 24 Jul 2018 08:01:32 GMT

Hi,

When I want do define a challenge password during the csr, I get: (openssl 0.9.8)

So I decided to do it without a challenge password.

But when I want to download my final-cert.pem into the wlc, I get that:

Can you help me?

Do I need a challenge password?

Re: WLC 2504: Web Auth certificate expires

Sandeep Choudhary — Tue, 24 Jul 2018 08:15:52 GMT

Please follow this posts:

https://www.cisco.com/c/en/us/support/docs/wireless/4400-series-wireless-lan-controllers/109597-csr-chained-certificates-wlc-00.html

Regards

Dont forget to rate helpful posts

Re: WLC 2504: Web Auth certificate expires

as00001111 — Tue, 24 Jul 2018 09:42:52 GMT

I followed the guide and used Openssl 1.1.0

However, I still get that error:

Re: WLC 2504: Web Auth certificate expires

as00001111 — Tue, 24 Jul 2018 11:00:20 GMT

I get that in the debug log:

*TransferTask: Jul 24 12:50:56.055: sshpmAddWebauthCert: Extracting private key from webauth cert and using bundled pkcs12 password.

*TransferTask: Jul 24 12:50:56.066: sshpmDecodePrivateKey: private key decode failed...

*TransferTask: Jul 24 12:50:56.066: sshpmAddWebauthCert: key extraction failed.

*TransferTask: Jul 24 12:50:56.066: RESULT_STRING: Error installing certificate.

Re: WLC 2504: Web Auth certificate expires

patoberli — Tue, 24 Jul 2018 11:29:43 GMT

Which version of WLC code are you running?

Regarding the error message, it seems it can't decode the Private Key. Is it correctly attached to the PKCS12 file? Sometimes this needs to be enabled on the signing server.

Re: WLC 2504: Web Auth certificate expires

as00001111 — Tue, 24 Jul 2018 11:39:46 GMT

I'm running 8.0.110.0

Yes, it is attached.

Could the 2048 bits be a problem? Do I need 1024 bits?

Could the openssl version be a problem?

How many cert levels can I use? I got 2 Intermediate CAs and 1 Root CA

Re: WLC 2504: Web Auth certificate expires

patoberli — Tue, 24 Jul 2018 11:46:35 GMT

You are running a VERY old version of software on your controller. It's well possible that this version doesn't even support 2048 bit certificates or has a bug with them. In any case, I'd first upgrade to the latest 8.0 or better 8.2 or 8.5 (depending on what AP models you are using, some old models were dropped in 8.5 and I think 8.2).
There is also a second bug in your version that will not allow APs manufactured 2007 and older to connect anymore, because of another certificate issue.

Also check this:
https://community.cisco.com/t5/wireless-security-and-network/cannot-install-webauth-cert-on-5508-wlc/td-p/2924301
Do you have the Root and Intermediate certificates already installed? I think you first need to install those and then the final certificate.

Re: WLC 2504: Web Auth certificate expires

as00001111 — Tue, 24 Jul 2018 11:50:57 GMT

Do you have the Root and Intermediate certificates already installed? I think you first need to install those and then the final certificate.

No, I don't.

How can I install them?

I thought this is done by placing them into the cained certificate

Re: WLC 2504: Web Auth certificate expires

patoberli — Tue, 24 Jul 2018 11:52:43 GMT

Good question 🙂
Here another manual on how to chain them correctly:
https://knowledge.digicert.com/solution/SO25994.html
And here another way on how to chain:
http://www.my80211.com/cisco-wlc-cli-commands/2011/1/16/wlcgenerate-third-party-web-authentication-certificate-for-a.html

So I actually think you have to correctly chain them. Also it seems 2048 bit should be supported.

Re: WLC 2504: Web Auth certificate expires

as00001111 — Tue, 24 Jul 2018 12:07:36 GMT

Or do you think I just have to upload the single server cert?

(unchained)

Re: WLC 2504: Web Auth certificate expires

patoberli — Tue, 24 Jul 2018 12:14:57 GMT

No, all manuals state the cert needs to be chained, correctly chained. You might need to check this in an editor (notepad++) and check if really the right certificate comes first in the file.

Re: WLC 2504: Web Auth certificate expires

as00001111 — Tue, 24 Jul 2018 12:27:51 GMT

okay.

I have already taken a look at both of these manuals.

Manual 1 describes to use a challenge password; manual 2 doesn't.

That's one point of confusion.

Point 2:

Since I got two intermediate ca's, my chain looks like that:

----BEGIN CERTIFICATE ----
‘Server certificate ’
---- END CERTIFICATE ----
---- BEGIN CERTIFICATE ----
‘Intermediate CA certificate’
---- END CERTIFICATE ----

---- BEGIN CERTIFICATE ----
‘Intermediate CA certificate’
---- END CERTIFICATE ----
---- BEGIN CERTIFICATE ----
‘Root CA certificate’
---- END CERTIFICATE ----

Edit: It worked, don't know what I did different now. But it works 😄

The cert created with openssl 0.9.8 and without a challenge password.

Thanks for your help!