Certificate install issue WLC DNA

glsparks
Level 1

For some reason one of our pair of WLC 9800 will not accept DNAC-CA certificate.

A sync or push of telemetry from DNA fails. All our other devices are fine.

If we try a CLI import of the certificate we get this:

Trustpoint 'DNAC-CA' is a subordinate CA.
Authentication failed - could not validate certificate
% Error in saving certificate: status = FAIL

Any ideas why this is happening on this one device?


11 Replies

rasmus.elmholt
Level 7

Do you have port http/80 open from the WLC to the DNAC?

Yes, the port is open. A debug isn't giving anything useful either, unfortunately.

LC.IT
Level 1

Did you configure default aaa methods for authentication and authorization on C9800?

aaa authentication login default local (or group)
aaa authorization exec default local (or group)

glsparks
Level 1

Finally figured this out after some extensive debugging. Basically it was two issues. The WLC was unable to do a Certificate Revocation check and the full cert chain was not in the cert being uploaded. Once they were addressed it uploaded fine.

How did you address/fix those issues?

As I recall, I deleted the existing trustpoint DNAC-CA.

Recreated it with the line "revocation-check crl none", e.g.:

crypto pki trustpoint DNAC-CA
enrollment mode ra
enrollment terminal
usage ssl-client
revocation-check crl none
source interface GigabitEthernet0


Then manually imported the full cert chain.

DNA error then cleared and telemetry came in.

Hi there, having a similar issue trying to chain an intermediate certificate to a root CA certificate.
I have a root, intermediate and device certificate signed by a CA:

9800(config)#crypto pki trustpoint 9800-CSR <<< This is the trustpoint created with the CSR
9800(ca-trustpoint)#chain-validation continue RootCA <<< This is the trustpoint created above
9800(config)#crypto pki authenticate 9800-CSR

Enter the base 64 encoded CA certificate.
End with a blank line or the word "quit" on a line by itself

-----BEGIN CERTIFICATE-----
<Intermediate CA certificate>
-----END CERTIFICATE-----

Did your fix involve adding all certificates (e.g. root CA, intermediate and device)?

The document I'm following only mentions adding the intermediate CA certificate. The root CA cert was successfully imported and authenticated in a previous step:

-----BEGIN CERTIFICATE-----
<Intermediate CA certificate>
-----END CERTIFICATE-----



https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/213917-generate-csr-for-third-party-certificate.html#toc-hId--699023295

Thanks

As I recall it was the full chain.

As of the latest versions of the Catalyst Center software, the revocation check none can now be configured using the GUI (screenshot not reproduced here).


You da man!  

marinogr
Level 1

The order of the cert chain is very important (RootCA->SubCA->Cert):

crypto pki authenticate DNAC-CA
-----BEGIN CERTIFICATE-----
RootCA
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
SubCA
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Cert
-----END CERTIFICATE-----
quit

Certificate has the following attributes:
Fingerprint MD5: "omitted"
Fingerprint SHA1: "omitted"

% Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.
% Certificate successfully imported
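Added example (not from this thread, Cisco, or Catalyst Center): a stdlib-only Python pre-check for the two chain problems raised above, the missing full chain and the wrong RootCA->SubCA->Cert order, run on the PEM bundle before it is pasted into `crypto pki authenticate`. It splits the bundle, walks each certificate's DER to pull out the issuer and subject Names, and verifies that each certificate was issued by the one before it; `fake_cert` builds constructed, unsigned certificate shells so the check runs offline (it does not verify signatures or revocation, which the controller still does).

```python
import base64, re

PEM = re.compile(r"-----BEGIN CERTIFICATE-----\s*([A-Za-z0-9+/=\s]+?)\s*-----END CERTIFICATE-----")

def pem_to_der(bundle: str) -> list[bytes]:
    """Split a pasted bundle into DER blobs; a mangled END line leaves an unmatched BEGIN and is reported."""
    blobs = PEM.findall(bundle)
    if len(blobs) != bundle.count("-----BEGIN CERTIFICATE-----"):
        raise ValueError("unterminated PEM block: check every -----END CERTIFICATE----- line")
    return [base64.b64decode("".join(b.split())) for b in blobs]

def tlv(buf: bytes, p: int):
    """Minimal DER reader: (tag, value_start, value_end) of the TLV at offset p."""
    tag, n, p = buf[p], buf[p + 1], p + 2
    if n & 0x80:  # long-form length
        n, p = int.from_bytes(buf[p:p + (n & 0x7F)], "big"), p + (n & 0x7F)
    return tag, p, p + n

def issuer_subject(buf: bytes):
    """(issuer, subject) as raw DER Name encodings, read in TBSCertificate field order."""
    _, p, _ = tlv(buf, 0)                                    # Certificate SEQUENCE
    _, p, _ = tlv(buf, p)                                    # tbsCertificate SEQUENCE
    tag, _, end = tlv(buf, p)
    if tag == 0xA0: p = end                                  # optional [0] EXPLICIT version
    for _ in range(2): _, _, p = tlv(buf, p)                 # serialNumber, signature AlgorithmIdentifier
    _, _, end = tlv(buf, p); issuer = buf[p:end]; p = end    # issuer Name
    _, _, p = tlv(buf, p)                                    # validity
    _, _, end = tlv(buf, p)                                  # subject Name
    return issuer, buf[p:end]

def check_chain(bundle: str) -> list[str]:
    """Problems in a RootCA->SubCA->Cert bundle; an empty list means the order is right."""
    names = [issuer_subject(d) for d in pem_to_der(bundle)]
    problems = ["only one certificate: the full chain is missing"] if len(names) < 2 else []
    if names and names[0][0] != names[0][1]:
        problems.append("first certificate is not self-signed: the root CA must come first")
    for i in range(1, len(names)):
        if names[i][0] != names[i - 1][1]:
            problems.append(f"certificate {i + 1} was not issued by certificate {i}: wrong order or missing link")
    return problems

def fake_cert(issuer_cn: str, subject_cn: str) -> str:
    """CONSTRUCTED sample: unsigned certificate shell with the real field order, no key or signature."""
    enc = lambda tag, body: bytes([tag, len(body)]) + body   # DER TLV, short-form length
    name = lambda cn: enc(0x30, enc(0x31, enc(0x30, enc(0x06, b"\x55\x04\x03") + enc(0x0C, cn.encode()))))
    tbs = (enc(0xA0, enc(0x02, b"\x02")) + enc(0x02, b"\x01") + enc(0x30, enc(0x06, b"\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B"))
           + name(issuer_cn) + enc(0x30, enc(0x17, b"240101000000Z") * 2) + name(subject_cn) + enc(0x30, b""))
    b64 = base64.b64encode(enc(0x30, enc(0x30, tbs) + enc(0x30, b"") + enc(0x03, b"\x00"))).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n"
```

Run `check_chain` on the exported DNAC-CA bundle (real certificates, not `fake_cert` output); an empty list means the paste order matches what the controller expects.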