https://community.cisco.com/t5/wireless/adding-custom-root-issuer-pki-certificates-to-access-points-via/m-p/5363211#M288280 <P>Thank you Mark!<BR />Faton</P> Tue, 20 Jan 2026 10:08:37 GMT Faton-Shala 2026-01-20T10:08:37Z https://community.cisco.com/t5/wireless/adding-custom-root-issuer-pki-certificates-to-access-points-via/m-p/5363181#M288278 <P data-path-to-node="2"><STRONG data-path-to-node="2" data-index-in-node="0">Hi everyone,</STRONG></P> <P data-path-to-node="3">I am looking for some guidance on a specific PKI requirement for our Access Points managed by a <STRONG data-path-to-node="3" data-index-in-node="96">Cisco Catalyst 9800 WLC</STRONG>.<STRONG data-path-to-node="4" data-index-in-node="0">The Goal:</STRONG> I need to distribute and install an <STRONG data-path-to-node="4" data-index-in-node="46">additional Root and/or Issuer CA certificate</STRONG> onto the Access Points themselves.</P> <P data-path-to-node="5">Important Clarification:</P> <UL data-path-to-node="6"> <LI> <P data-path-to-node="6,0,0">I am not talking about the SCEP integration to distribute individual device certificates to the APs (that works fine).</P> </LI> <LI> <P data-path-to-node="6,2,0">The goal is specifically to get the Trusted Root/Chain onto the AP’s local truststore so it can validate external services (e.g., for specific authentication or secure syslog/telemetry scenarios).</P> </LI> </UL> <P data-path-to-node="7">My Question: Does anyone know the exact procedure or command set to push a custom CA certificate from the 9800 WLC to the joined APs? Is there a specific "AP Join Profile" setting or a TFTP/HTTP-based method that you have successfully used for this?</P> <P data-path-to-node="8">Any insights or documentation links would be greatly appreciated!<BR />Best regards,</P> <P data-path-to-node="9">Faton Shala</P> Tue, 20 Jan 2026 08:56:38 GMT https://community.cisco.com/t5/wireless/adding-custom-root-issuer-pki-certificates-to-access-points-via/m-p/5363181#M288278 Faton-Shala 2026-01-20T08:56:38Z https://community.cisco.com/t5/wireless/adding-custom-root-issuer-pki-certificates-to-access-points-via/m-p/5363208#M288279 <P>&nbsp;</P> <P>&nbsp; -&nbsp;<a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1813917">@Faton-Shala</a>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; That cannot be done <FONT color="#FF0000"><EM>and it is <STRONG>unsupported</STRONG></EM></FONT></P> <P>&nbsp; M.</P> Tue, 20 Jan 2026 10:04:01 GMT https://community.cisco.com/t5/wireless/adding-custom-root-issuer-pki-certificates-to-access-points-via/m-p/5363208#M288279 Mark Elsen 2026-01-20T10:04:01Z https://community.cisco.com/t5/wireless/adding-custom-root-issuer-pki-certificates-to-access-points-via/m-p/5363211#M288280 <P>Thank you Mark!<BR />Faton</P> Tue, 20 Jan 2026 10:08:37 GMT https://community.cisco.com/t5/wireless/adding-custom-root-issuer-pki-certificates-to-access-points-via/m-p/5363211#M288280 Faton-Shala 2026-01-20T10:08:37Z https://community.cisco.com/t5/wireless/adding-custom-root-issuer-pki-certificates-to-access-points-via/m-p/5363231#M288281 <P>Thanks for sharing this guide; it’s really helpful to see a clear walk through for adding custom root CA certificates to access points. Steps like these make a big difference for admins trying to ensure secure connections without running into certificate trust issues, and it’s great to have practical, detailed instructions to follow.</P> Tue, 20 Jan 2026 11:38:43 GMT https://community.cisco.com/t5/wireless/adding-custom-root-issuer-pki-certificates-to-access-points-via/m-p/5363231#M288281 carlbidwell 2026-01-20T11:38:43Z