topic Problems loading a Certificate in Wireless

Problems loading a Certificate

Willem de Groot — Mon, 05 Jul 2021 10:16:28 GMT

Hi all,

My customer has generated a certificate following this document:

http://www.cisco.com/c/en/us/support/docs/wireless/4400-series-wireless-lan-controllers/109597-csr-chained-certificates-wlc-00.html

The key length is 2048 instead of 1024.

the Upload of the final file on a 5508 (7.6.110.0) ends in this message:„File transfer failed“.

in the Log he finds this:

„#UPDATE-3-CERT_INST_FAIL: updcode.c:2140 Failed to install certificate. rc = 2”

Does anybody has an idea what may be wrong here?

Thanks

Willem

What was used to create the

George Stefanick — Thu, 21 May 2015 13:29:11 GMT

What was used to create the CSR? If you used open SSL make sure you use a version less than 1.0v. If you did make sure you order the root, chain and device cert properly.

Hi Georgethe final-cert.pem

Willem de Groot — Thu, 21 May 2015 13:39:36 GMT

Hi George

the final-cert.pem looks like this.

Is this the correct order of the chain?

Ofcourse, I deleted the Certficates and change the customer name.

Bag Attributes
localKeyID: a hex key
subject=/C=CH/ST=a-State/L=a-Place/O=Customer AG/OU=IPM/CN=guest-wlan.Customer.com
issuer=/C=US/O=thawte, Inc./CN=thawte SSL CA - G2
-----BEGIN CERTIFICATE-----
some text
-----END CERTIFICATE-----
Bag Attributes: <Empty Attributes>
subject=/C=US/O=thawte, Inc./CN=thawte SSL CA - G2
issuer=/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
-----BEGIN CERTIFICATE-----
some text
-----END CERTIFICATE-----
Bag Attributes: <Empty Attributes>
subject=/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
issuer=/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Premium Server CA/emailAddress=premium-server@thawte.com
-----BEGIN CERTIFICATE-----
some text
-----END CERTIFICATE-----
Bag Attributes
localKeyID: a hex key
Key Attributes: <No Attributes>
-----BEGIN ENCRYPTED PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,sometext

some text
-----END ENCRYPTED PRIVATE KEY-----

The exact same certificate

olivier.nicolas — Sun, 24 May 2015 18:39:35 GMT

The exact same certificate that was loading fine in 7.4.121.0 does not work any more in 7.6.130.0.

I had exactly the same issue.

serotonin888 — Mon, 01 Jun 2015 20:51:37 GMT

I had exactly the same issue. Was advised to downgrade the WLC from 7.6 to 7.4. Install cert and then upgrade back to 7.6. But hardly ideal....

The certificate bundle was

olivier.nicolas — Mon, 15 Jun 2015 13:42:26 GMT

The certificate bundle was working in 7.4 but installation of the same cert bundle fails in 7.6.

Enabling the PKI debug, shows the following error.

> debug pm pki enable
> transfer download start

TFTP receive complete... Installing Certificate.
*TransferTask: Jun 15 13:12:25.068: sshpmCheckWebauthCert: Verification return code: 0

*TransferTask: Jun 15 13:12:25.068: Verification result text: unable to get issuer certificate

*TransferTask: Jun 15 13:12:25.068: Error at 1 depth: unable to get issuer certificate

*TransferTask: Jun 15 13:12:25.075: sshpmAddWebauthCert: Error decoding certificate, Deleting it.

Error installing certificate.

AireOS 7.6 complains that the cert bundle does not contains the cert chain up to the root CA (depth 1 is the intermediate CA)

Until now (7.4), I didn't include the top level root and it was fine.

So, I add the top level root certificate to the cert bundle and restart the transfer successfully.

TFTP receive complete... Installing Certificate.
*sshpmLscTask: Jun 15 13:13:15.736: sshpmLscTask: LSC Task received a message 4
*TransferTask: Jun 15 13:13:40.245: sshpmCheckWebauthCert: Verification return code: 1
*TransferTask: Jun 15 13:13:40.245: Verification result text: ok
*TransferTask: Jun 15 13:13:40.254: sshpmAddWebauthCert: Extracting private key from webauth cert and using bundled pkcs12 password.
*TransferTask: Jun 15 13:13:42.361: sshpmDecodePrivateKey: calling ssh_skb_decode()...
*TransferTask: Jun 15 13:13:44.461: sshpmDecodePrivateKey: SshPrivateKeyPtr after skb_decode: 0x2c14d454
*TransferTask: Jun 15 13:13:44.461: sshpmAddWebauthCert: got private key; extracting certificate...
*TransferTask: Jun 15 13:13:44.466: sshpmAddWebauthCert: extracted binary cert; doing x509 decode
*TransferTask: Jun 15 13:13:44.466: sshpmAddWebauthCert: doing x509 decode for 1322 byte certificate...
*TransferTask: Jun 15 13:13:44.470: sshpmAddWebauthCert: freeing x509 certificate...
*TransferTask: Jun 15 13:13:44.470: sshpmAddWebauthCert: adding cert/key to id table; current/max: 5/7
*TransferTask: Jun 15 13:13:44.470: sshpmGetIdCertIndex: called to lookup cert >bsnSslWebauthCert<
*TransferTask: Jun 15 13:13:44.470: sshpmGetIdCertIndex: found match in row 4
*TransferTask: Jun 15 13:13:44.470: sshpmAddWebauthCert: deleting bsnSslWebauthCert (row 4)
*TransferTask: Jun 15 13:13:44.471: sshpmAddWebauthCert: freeing cert (fn: 0x10c903c8).
*TransferTask: Jun 15 13:13:44.471: sshpmAddWebauthCert: freeing key (fn: 0x11d54e14).
*TransferTask: Jun 15 13:13:44.471: sshpmAddWebauthCert: adding new cert to row 4 (bsnSslWebauthCert).
*TransferTask: Jun 15 13:13:44.471: sshpmAddWebauthCert: writing cert to /mnt/application/bsnSslWebauthCert.crt
*TransferTask: Jun 15 13:13:44.471: sshpmWriteCredentialFile: called to write </mnt/application/bsnSslWebauthCert.crt>; certptr 0x2cd599c0, length 1322
*TransferTask: Jun 15 13:13:44.471: sshpmAddWebauthCert: exporting private key
*TransferTask: Jun 15 13:13:44.475: sshpmAddWebauthCert: writing key to /mnt/application/bsnSslWebauthCert.prv
*TransferTask: Jun 15 13:13:44.475: sshpmWriteCredentialFile: called to write </mnt/application/bsnSslWebauthCert.prv>; certptr 0x2cd58958, length 1192
*TransferTask: Jun 15 13:13:44.475: sshpmAddWebauthCert: Unlinking the previously created P12-PEM file webauth_p12.pem
*TransferTask: Jun 15 13:13:44.475: sshpmAddWebauthCert: Created File webauth_p12.pem

Certificate installed.
Reboot the switch to use new certificate.

Hi all,The problem is solved

Willem de Groot — Thu, 18 Jun 2015 11:54:32 GMT

Hi all,

The problem is solved!

Thawte has changed his root certificate even the old one was valid till 2020.

after getting the latest root certificate, the install worked, even on 7.6.110.0.

before using the new rootcertificate, using:

(Cisco Controller) >debug pm pki enable

we got the following output:

TFTP receive complete... Installing Certificate.
*TransferTask: Jun 18 09:54:13.276: sshpmCheckWebauthCert: Verification return code: 0

*TransferTask: Jun 18 09:54:13.276: Verification result text: unable to get issuer certificate

*TransferTask: Jun 18 09:54:13.276: Error at 2 depth: unable to get issuer certificate

*TransferTask: Jun 18 09:54:13.288: sshpmAddWebauthCert: Error decoding certificate, Deleting it.

Error installing certificate.

the at 2 depth can be due to a intermediate-CA in between

Thanks all

Willem (and Customer)

I ran in the same issue. The

alfred.thyri — Fri, 07 Jul 2017 09:17:15 GMT

I ran in the same issue. The chain bundle provided from Thawte seems to be wrong

https://search.thawte.com/support/ssl-digital-certificates/index?page=content&actp=CROSSLINK&id=AR2051

After changing the root to the first one of this list, it worked for me

https://www.thawte.com/roots/Q

best regards

Alfred