1362 Views, 1 Helpful, 9 Replies

Certificate install issue WLC DNA

glsparks
Level 1

For some reason one of our pair of WLC 9800 will not accept DNAC-CA certificate.

A sync or push of telemetry from DNA fails. All our other devices are fine.

If we try a CLI import of the certificate we get this:

Trustpoint 'DNAC-CA' is a subordinate CA.
Authentication failed - could not validate certificate
% Error in saving certificate: status = FAIL

Any ideas why this is happening on this one device?


9 Replies

rasmus.elmholt
Level 7

Do you have port http/80 open from the WLC to the DNAC?

Yes, the port is open. A debug isn't giving anything useful either, unfortunately.

LC.IT
Level 1

Did you configure default aaa methods for authentication and authorization on C9800?

aaa authentication login default local (or group)
aaa authorization exec default local (or group)

glsparks
Level 1

Finally figured this out after some extensive debugging. Basically it was two issues. The WLC was unable to do a Certificate Revocation check and the full cert chain was not in the cert being uploaded. Once they were addressed it uploaded fine.

How did you address/fix those issues?

As I recall, I deleted the existing trustpoint DNAC-CA.

Recreated it with the line "revocation-check crl none", e.g.:

crypto pki trustpoint DNAC-CA
enrollment mode ra
enrollment terminal
usage ssl-client
revocation-check crl none
source interface GigabitEthernet0

Then manually imported the full cert chain.

DNA error then cleared and telemetry came in.

Hi there, I'm having a similar issue trying to chain an intermediate certificate to a root CA certificate.
I have a root, intermediate and device certificate signed by a CA:

9800(config)#crypto pki trustpoint 9800-CSR <<< This is the trustpoint created with the CSR
9800(ca-trustpoint)#chain-validation continue RootCA <<< This is the trustpoint created above
9800(config)#crypto pki authenticate 9800-CSR

Enter the base 64 encoded CA certificate.
End with a blank line or the word "quit" on a line by itself

-----BEGIN CERTIFICATE-----
<Intermediate CA certificate>
-----END CERTIFICATE-----

Did your fix involve adding all certificates (e.g. root CA, intermediate and device)?

The document I'm following only mentions adding the intermediate CA certificate. The root CA cert was successfully imported and authenticated in a previous step:

-----BEGIN CERTIFICATE-----
<Intermediate CA certificate>
-----END CERTIFICATE-----
https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/213917-generate-csr-for-third-party-certificate.html#toc-hId--699023295

Thanks

As I recall it was the full chain.
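The two conditions behind the "could not validate certificate" error (the issuing CA missing from what is imported, and a revocation check the device cannot complete) are easy to reproduce off-box. The script below is an added example, not from this thread or from Cisco: it builds a throwaway root -> intermediate -> device chain with the openssl CLI, then runs the same three verifications a controller would effectively perform. It also answers the chain question above by listing subject and issuer of each certificate in the bundle so you can confirm that what you paste at the terminal prompt is the whole chain. It assumes the openssl CLI is installed; every name (Lab Root CA, wlc9800.lab.example, the file names) is constructed for the lab.

```shell
#!/bin/sh
# Added example (not from this thread or from Cisco). Builds a throwaway
# root -> intermediate -> device chain with the openssl CLI and reproduces, in
# openssl terms, the two conditions behind "could not validate certificate":
# the issuing CA missing from what is imported, and a revocation check that
# cannot complete because no CRL is available.
# Every name below (Lab Root CA, wlc9800.lab.example, the file names) is constructed.

WORK="${WORK:-$(mktemp -d)}"

# Build the lab PKI: self-signed root, subordinate CA, device certificate.
make_chain() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 2 \
        -subj "/CN=Lab Root CA" -keyout "$WORK/root.key" -out "$WORK/root.pem" \
        >/dev/null 2>&1 || return 1

    # Subordinate CA: needs CA:TRUE and keyCertSign, otherwise it cannot issue.
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$WORK/ca.ext"
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Lab Intermediate CA" \
        -keyout "$WORK/int.key" -out "$WORK/int.csr" >/dev/null 2>&1 || return 1
    openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
        -CAcreateserial -days 2 -sha256 -extfile "$WORK/ca.ext" -out "$WORK/int.pem" \
        >/dev/null 2>&1 || return 1

    # Device (end-entity) certificate issued by the intermediate, not by the root.
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n' > "$WORK/ee.ext"
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=wlc9800.lab.example" \
        -keyout "$WORK/dev.key" -out "$WORK/dev.csr" >/dev/null 2>&1 || return 1
    openssl x509 -req -in "$WORK/dev.csr" -CA "$WORK/int.pem" -CAkey "$WORK/int.key" \
        -CAcreateserial -days 2 -sha256 -extfile "$WORK/ee.ext" -out "$WORK/dev.pem" \
        >/dev/null 2>&1 || return 1

    # What you would paste at a "pem terminal" prompt: leaf first, then each issuer up to the root.
    cat "$WORK/dev.pem" "$WORK/int.pem" "$WORK/root.pem" > "$WORK/chain.pem"
}

# Case 1: root trusted, device cert presented, intermediate absent. This is the
# "full cert chain was not in the cert being uploaded" condition; returns non-zero.
verify_leaf_only() {
    openssl verify -CAfile "$WORK/root.pem" "$WORK/dev.pem" >/dev/null 2>&1
}

# Case 2: same, but the intermediate is supplied as an untrusted issuer; returns 0.
verify_full_chain() {
    openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/int.pem" "$WORK/dev.pem" \
        >/dev/null 2>&1
}

# Case 3: full chain, but revocation checking is demanded and no CRL has been
# obtained. The openssl analogue of the WLC's failed revocation check; returns non-zero.
# "revocation-check crl none" on the trustpoint is the IOS-XE way of not demanding it.
verify_with_crl_check() {
    openssl verify -crl_check -CAfile "$WORK/root.pem" -untrusted "$WORK/int.pem" \
        "$WORK/dev.pem" >/dev/null 2>&1
}

# Number of certificates in the bundle; a complete chain for this lab PKI has three.
chain_length() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$WORK/chain.pem"
}

# Print subject and issuer of each certificate in the bundle, in order. Each issuer
# line should match the subject of the certificate that follows it.
chain_order() {
    awk -v dir="$WORK" '/-----BEGIN CERTIFICATE-----/ {n++} {print > (dir "/part" n ".pem")}' \
        "$WORK/chain.pem"
    for part in "$WORK"/part*.pem; do
        openssl x509 -in "$part" -noout -subject -issuer
    done
}

make_chain
echo "certificates in bundle: $(chain_length)"
chain_order
for check in verify_leaf_only verify_full_chain verify_with_crl_check; do
    if "$check"; then echo "$check: OK"; else echo "$check: FAIL"; fi
done
```

Run it as-is; expect verify_full_chain to pass and the other two checks to fail. Case 1 is what a controller sees when only the intermediate or only the leaf is imported without the rest of the chain; case 3 is what it sees when the trustpoint demands a CRL it cannot fetch, which is why the fix above was both re-importing the complete chain and setting revocation-check crl none (or, better in production, making the CRL distribution point reachable from the controller).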

As of the latest versions of the Catalyst Center software the revocation check none can now be configured using the GUI:

(screenshot omitted: rasmuselmholt_0-1725455191336.png)
