https://community.cisco.com/t5/wireless/updating-webauth-certificate-within-5508-wlc-ha-pair/m-p/2700298#M6088 <P>Hi Wes ...</P> <P>Did you get the solution of this situation ? Now i m on the same situation .. can u please guide ,me on the same please ??</P> Thu, 28 Apr 2016 10:51:56 GMT saror0001 2016-04-28T10:51:56Z https://community.cisco.com/t5/wireless/updating-webauth-certificate-within-5508-wlc-ha-pair/m-p/2700296#M6086 <P>I am looking for some clarification before I go ahead and install/reboot my 5508 WLC pair.</P><P>The webauth certificate is about to expire so I have chained a new cert together. I have dual 5508s in HA mode and have uploaded the cert. I am now faced with a reboot.</P><P>However, I can't find any information online about updating certs within an HA pair, all I can find mentioning certs is in the "Configuring High Availability" section of the "Cisco Wireless LAN Controller Configuration Guide" which states "Certificates should be downloaded separately on each controller before they are paired." Does this still apply when WLCs are already in HA mode?</P><P>Has anyone here updated a cert within an HA pair and if so have you simply issued a reboot command when the cert is downloaded to the controller? Surely I don't have to break the pair apart to install the new cert on both then join together again?</P><P>Thanks in advance.</P><P>Wes</P> Mon, 05 Jul 2021 10:32:39 GMT https://community.cisco.com/t5/wireless/updating-webauth-certificate-within-5508-wlc-ha-pair/m-p/2700296#M6086 wesdouglas 2021-07-05T10:32:39Z https://community.cisco.com/t5/wireless/updating-webauth-certificate-within-5508-wlc-ha-pair/m-p/2700297#M6087 <P>Hi Wes,</P><P>This is a limitation in WLC HA. you have to install the certificates on both of&nbsp; the Controllers.</P><P>When you do the web auth certificate installation on WLC which is in HA pair, the cert will be pushed only on Primary Controller. After the fail over to secondary, the guest clients will receive the "certificate warning" until the primary takes over.</P><P>&nbsp;</P><P>Regards,</P><P>Divya</P><P>&nbsp;</P><P>&nbsp;</P> Fri, 17 Jul 2015 07:04:43 GMT https://community.cisco.com/t5/wireless/updating-webauth-certificate-within-5508-wlc-ha-pair/m-p/2700297#M6087 Divya 2015-07-17T07:04:43Z https://community.cisco.com/t5/wireless/updating-webauth-certificate-within-5508-wlc-ha-pair/m-p/2700298#M6088 <P>Hi Wes ...</P> <P>Did you get the solution of this situation ? Now i m on the same situation .. can u please guide ,me on the same please ??</P> Thu, 28 Apr 2016 10:51:56 GMT https://community.cisco.com/t5/wireless/updating-webauth-certificate-within-5508-wlc-ha-pair/m-p/2700298#M6088 saror0001 2016-04-28T10:51:56Z https://community.cisco.com/t5/wireless/updating-webauth-certificate-within-5508-wlc-ha-pair/m-p/2700299#M6089 <P>The upload of the webauth certificate only happens on the active unit. Once the certificate has been uploaded for the first (primary) controller you need to reload <STRONG>only</STRONG> that unit so the secondary controller is going to be the active one. Wait for the HA set to be active again, upload the certificate again and reboot that<STRONG> </STRONG>unit as well. Once that reboot has been done HA is active again and you are done.<BR /><BR />If you do it this way there should be no impact, but personally I would still arrange a service-window just to make sure.<BR /><BR /><EM>Please rate useful posts... <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></EM></P> Sat, 14 May 2016 14:39:17 GMT https://community.cisco.com/t5/wireless/updating-webauth-certificate-within-5508-wlc-ha-pair/m-p/2700299#M6089 Freerk Terpstra 2016-05-14T14:39:17Z https://community.cisco.com/t5/wireless/updating-webauth-certificate-within-5508-wlc-ha-pair/m-p/2700300#M6090 <P>Device and root certificates are not automatically synced to the Standby controller. you have to manually break HA or make failover to apply on secondary.</P> Mon, 16 May 2016 01:41:33 GMT https://community.cisco.com/t5/wireless/updating-webauth-certificate-within-5508-wlc-ha-pair/m-p/2700300#M6090 mohanak 2016-05-16T01:41:33Z https://community.cisco.com/t5/wireless/updating-webauth-certificate-within-5508-wlc-ha-pair/m-p/3697687#M6091 <P>Hi all,</P> <P>&nbsp;</P> <P>Just to update on this one, though this post is very old.</P> <P>&nbsp;</P> <P><FONT color="#FF0000"><STRONG>Scenario:</STRONG></FONT></P> <P>=======</P> <P>Uploading new WebAuth cert for Cisco WLC 5520 HA pair and 5508 two standalone.</P> <P>&nbsp;</P> <P><STRONG><FONT color="#0000FF">Solution</FONT></STRONG></P> <P>=======</P> <P><U><STRONG>1) Standalone two 5508s were straightforward</STRONG></U></P> <P>&nbsp; &nbsp; &nbsp; &nbsp;a) upload the cert and</P> <P>&nbsp; &nbsp; &nbsp; &nbsp;b) reboot</P> <P><U><STRONG>2) HA pair 5580</STRONG></U></P> <P>&nbsp; &nbsp; &nbsp; a) upload cert on ACTIVE&nbsp;one first. This WLC would be one which is being accessed by default on the management interface. Cert will be pushed to the ACTIVE WLC first and ask for the reboot.</P> <P>&nbsp; &nbsp; &nbsp; b) reboot the WLC. In doing so, <STRONG><FONT color="#FF0000">HOT STANDBY</FONT></STRONG> will become<STRONG><FONT color="#008000"> ACTIVE</FONT></STRONG>. ( monitor the management&nbsp;interface via ping and you'll notice no ping lose)</P> <P>&nbsp; &nbsp; &nbsp; c) Monitor two WLCs via three Pings to see what is happening</P> <P>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; i) continuous&nbsp;ping to the <STRONG>Management interface</STRONG></P> <P>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; ii) continuous ping to the <STRONG>Redundancy Mgmt Interface</STRONG></P> <P>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; iii) continuous&nbsp;ping to the <STRONG>Peer Redundancy Mgmt Interface</STRONG></P> <P>&nbsp; &nbsp; &nbsp; d) When ACTIVE&nbsp;WLC is back through&nbsp;the ping let it settle down, then check the webAuth&nbsp;cert via CLI command <U><STRONG>'Show certificate webauth'</STRONG></U> on both WLCs</P> <P>&nbsp; &nbsp; &nbsp; e) now ACTIVE would be the one that was HOT STANDBY, this would still have the old cert. Upload the&nbsp;cert on to this one and reboot. While doing this you'll see no ping drop on 'Management Interface'</P> <P>&nbsp; &nbsp; &nbsp; f) After this WLC comes back it becomes HOT STANDBY, exactly the role it had before starting this exercise. Smooth isn't it <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> <P>&nbsp; &nbsp; &nbsp; g) Check cert has been upload on both by above CLI command. <FONT color="#FF00FF">Happy days!</FONT></P> <P>&nbsp;</P> <P><FONT color="#000000">Kind regards,</FONT></P> <P><FONT color="#000000">B</FONT></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> Thu, 30 Aug 2018 08:52:40 GMT https://community.cisco.com/t5/wireless/updating-webauth-certificate-within-5508-wlc-ha-pair/m-p/3697687#M6091 Beacon Bits 2018-08-30T08:52:40Z https://community.cisco.com/t5/wireless/updating-webauth-certificate-within-5508-wlc-ha-pair/m-p/4024737#M6092 <P>Hi Beacon,</P><P>This information is very helpful,</P><P>Many thanks,</P><P>&nbsp;</P><P>&nbsp;</P> Thu, 06 Feb 2020 08:04:58 GMT https://community.cisco.com/t5/wireless/updating-webauth-certificate-within-5508-wlc-ha-pair/m-p/4024737#M6092 Prkalavadia 2020-02-06T08:04:58Z https://community.cisco.com/t5/wireless/updating-webauth-certificate-within-5508-wlc-ha-pair/m-p/4081450#M6093 <P>With the HA pair running code level 8.3 (or higher) and self-generating the CSR file, can I load the same .pem file on both contollers in the pair?</P> Thu, 07 May 2020 18:41:47 GMT https://community.cisco.com/t5/wireless/updating-webauth-certificate-within-5508-wlc-ha-pair/m-p/4081450#M6093 brianalster 2020-05-07T18:41:47Z