topic Re: CA Certs for 5520 in Wireless

CA Certs for 5520

craigshawm6 — Mon, 05 Jul 2021 17:31:40 GMT

Our existing 5508 wlcs have "othIpsecCaCert" for IPSec and "bsnSslEapCaCert" for EAP Certificates. Our HA Pair of 5520 show nothing in the "security, advanced, Vendor Certs" area. Just blank. How do I get these created?

Running 8.5.140.0

Re: CA Certs for 5520

Sathiyanarayanan Ravindran — Thu, 06 Jun 2019 18:22:44 GMT

Hi @craigshawm6,

The configuration is same as other models and versions. Please refer this for Local EAP

Re: CA Certs for 5520

craigshawm6 — Fri, 07 Jun 2019 12:54:14 GMT

I have everything set, except it gives me an error for installing the IPsec CA certificate. The other 3 installed and worked just fine. IPSEC Device, EAP Device, and EAP CA worked great. Just the IPSec CA won't upload/install. I've tried two different certs. I've ran OpenSSL as an administrator. Nothing is working for this last cert install.

OUTPUT BELOW:

TFTP IPSEC CA cert transfer starting.

TFTP receive complete... installing Certificate.

Error installing certificate.

Re: CA Certs for 5520

Ambuj M — Fri, 07 Jun 2019 13:01:29 GMT

before installing cert, can you enable debug transfer all enable and debug pm pki enable and install again and paste the debug output.

Re: CA Certs for 5520

craigshawm6 — Fri, 07 Jun 2019 13:36:15 GMT

(Cisco Controller) >debug transfer all enable

(Cisco Controller) >debug pm pki enable

(Cisco Controller) >*emWeb: Jun 07 09:35:23.142: [PA] file name=

*emWeb: Jun 07 09:35:23.142: [PA] total size=0

*TransferTask: Jun 07 09:35:23.142: [PA] Memory overcommit policy changed from 0 to 1

*TransferTask: Jun 07 09:35:23.142: [PA] RESULT_STRING: TFTP IPSEC CA cert transfer starting.

*TransferTask: Jun 07 09:35:23.142: [PA] RESULT_CODE:1

*TransferTask: Jun 07 09:35:27.157: [PA] TFTP: Binding to remote=172.21.30.136

*TransferTask: Jun 07 09:35:27.180: [PA] TFP End: 11686 bytes transferred (0 retransmitted packets)

*TransferTask: Jun 07 09:35:27.180: [PA] tftp rc=0, pHost=172.21.30.136 pFilename=./wlcIPSecCACert.pem
pLocalFilename=cert.p12

*TransferTask: Jun 07 09:35:27.195: [PA] RESULT_STRING: TFTP receive complete... installing Certificate.

*TransferTask: Jun 07 09:35:27.195: [PA] RESULT_CODE:13

*TransferTask: Jun 07 09:35:27.195: [PA] Adding cert (11594 bytes) with certificate key password.

*TransferTask: Jun 07 09:35:27.195: [PA] sshpmCheckCaCertBasicConsrtaints: CA Certificate basic constraint check failed at depth 0
*TransferTask: Jun 07 09:35:27.195: [PA] Add IPSEC CA certificate: Error checking basic constraints (verify: YES) IPSEC CA certificate chain
*TransferTask: Jun 07 09:35:27.195: [PA] RESULT_STRING: Error installing certificate.

*TransferTask: Jun 07 09:35:27.195: [PA] RESULT_CODE:12

*TransferTask: Jun 07 09:35:27.195: [PA] Memory overcommit policy restored from 1 to 0

Re: CA Certs for 5520

Sathiyanarayanan Ravindran — Fri, 07 Jun 2019 13:46:12 GMT

Hi @craigshawm6 ,

Ensure that certificate you're installing is having the complete chain.

Re: CA Certs for 5520

craigshawm6 — Fri, 07 Jun 2019 13:49:39 GMT

Not sure how to do that exactly. I followed the exact same process for the other 3 certs that were installed on the wlc.

Re: CA Certs for 5520

patoberli — Fri, 07 Jun 2019 15:23:13 GMT

If you open the certificate in a text editor, it should contain two or more ***BEGIN CERTIFICATE*** (or similar) areas. One for the root, zero or more for the intermediates and lastly the actual certificate.

Re: CA Certs for 5520

craigshawm6 — Fri, 07 Jun 2019 15:26:44 GMT

I see three different "begin certificate" when I opened it in notepad. Each has it's corresponding "end certificate" as well.

Re: CA Certs for 5520

Sathiyanarayanan Ravindran — Fri, 07 Jun 2019 18:37:29 GMT

Decode all by using https://www.sslshopper.com/certificate-decoder.html

Re: CA Certs for 5520

craigshawm6 — Fri, 07 Jun 2019 19:02:07 GMT

All three certs checked good on that link. Everything looks on the up and up. It just won't install.

What will it affect not having the IPSec CA Cert installed?

Re: CA Certs for 5520

craigshawm6 — Mon, 10 Jun 2019 15:13:51 GMT

So what is the effect of not having the IPSec CA cert on the 5520? The other 3 certs, IPSec Device, EAP CA, and EAP Device, installed just fine.

Re: CA Certs for 5520

patoberli — Mon, 10 Jun 2019 16:14:38 GMT

Sorry I can't help you, never installed a cert on the Wlc.

Re: CA Certs for 5520

Ambuj M — Tue, 09 Jul 2019 05:15:06 GMT

sorry for the late reply.

The WLC uses IPSec to protect traffic to Radius server and syslog server.

you don't necessarily have to use it, but its off course recommended and I think its mandatory for CC compliance.