I'm having great difficulty trying to install a new SSL Certificate on a WAP4410N device. Whenever I try to upload the certificate (as a .pem file in Base64 DER format) I get the error message: "The certificate file is in bad format." I can open it fine via Windows and review the certificate properties as well as parse it with OpenSSL without issue. I've also tried both Windows and Unix line endings. The certificate was created via OpenSSL and signed by our CA and uses a 1024-bit RSA key w/ SHA-1. This is of the same form as the existing certificate on the device so ought to be entirely compatible.
I'm running the latest available firmware (v126.96.36.199) and have also taken a look at the Admin Guide, but it contains only two short paragraphs of information, none of which contains any details on the exact format required (and the information that is there appears to be completely wrong).
Any help would be greatly appreciated as to determining what could be causing the issue.
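A format-level sanity check for the uploaded .pem, added here as an example that is not part of this thread and is unrelated to whatever the device's own upload code checks. It uses only the Python standard library and a constructed 5-byte DER blob as sample input, and reports the things a strict embedded parser commonly rejects: missing PEM markers, CRLF line endings, Base64 that does not decode, more than one block (certificate plus key) or no CERTIFICATE block, and an outer DER SEQUENCE whose declared length does not match the payload.

```python
import base64
import re

# Constructed sample (not a real cert): PEM around the 5-byte DER SEQUENCE { INTEGER 5 }
SAMPLE_PEM = b"-----BEGIN CERTIFICATE-----\nMAMCAQU=\n-----END CERTIFICATE-----\n"
PEM_BLOCK = re.compile(
    rb"-----BEGIN ([A-Z ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.DOTALL)

def der_outer_length(der):
    """(declared content length, header length) of the outer DER TLV, or None."""
    if len(der) < 2 or der[0] != 0x30:    # an X.509 Certificate is a SEQUENCE
        return None
    first = der[1]
    if first < 0x80:                      # short-form length
        return first, 2
    n = first & 0x7F                      # long form: n length bytes follow
    if n == 0 or n > 4 or len(der) < 2 + n:
        return None
    return int.from_bytes(der[2:2 + n], "big"), 2 + n

def check_pem(data):
    """Return findings a strict embedded PEM/DER parser might reject the file on."""
    findings = []
    if data[:1] == b"\x30":               # PEM starts with '-', raw DER with 0x30
        return ["file is binary DER, not Base64 PEM"]
    if b"\r\n" in data:
        findings.append("CRLF line endings")
    blocks = PEM_BLOCK.findall(data)
    if not blocks:
        return findings + ["no BEGIN/END PEM block found"]
    labels = [label.decode() for label, _ in blocks]
    if len(blocks) != 1:                  # e.g. certificate and key in one file
        findings.append(f"{len(blocks)} PEM blocks: {labels}")
    if "CERTIFICATE" not in labels:
        findings.append(f"no CERTIFICATE block: {labels}")
    for label, body in blocks:
        name = label.decode()
        if any(len(line) > 64 for line in body.splitlines()):
            findings.append(f"{name}: Base64 line longer than 64 chars")
        try:
            der = base64.b64decode(b"".join(body.split()), validate=True)
        except ValueError:                # binascii.Error is a ValueError
            findings.append(f"{name}: Base64 does not decode")
            continue
        tlv = der_outer_length(der)
        if tlv is None:
            findings.append(f"{name}: DER does not start with a SEQUENCE")
        elif tlv[0] + tlv[1] != len(der):
            findings.append(f"{name}: DER length mismatch ({tlv[0] + tlv[1]} declared, {len(der)} bytes)")
    return findings
```

Run `check_pem(open("device.pem", "rb").read())` on the file you are uploading; an empty list means the file is at least structurally what a PEM parser expects, which narrows the problem to the certificate's contents rather than its encoding.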
Here is the response from support:
It’s regarding SR: 629251253.
In the WAP4410N it is not possible to install an external certificate.
Only an exported file can be installed back on the WAP4410N.
Thanks and Regards
Sutherland at Cisco
.:|:.:|:. CISCO | Network Engineer | Cisco Technical Support
Thanks a lot for reporting back! I find the response from Cisco TAC pretty puzzling, however, as my WAP4410N is using a custom SSL certificate right now. My problem is that it has expired since it was uploaded and I am unable to replace it with a renewed certificate. The original upload was several years ago though, so I can't even remember the exact process I used to install the original one (and the firmware version would also have been different). I guess if Cisco is unwilling to help/resolve the issue there's not much we can do, but it feels like there's some level of miscommunication going on here as this was definitely possible in the past without any "hacks".
Yes, I also think that Cisco is unwilling to help with this problem, because we both know that importing a custom SSL certificate is possible. Yes, I had that luck as well one and a half years ago with certificates signed by my own certification authority. But now I tried to replace the certificate with a new one (generated using the EJBCA framework) but without any luck - I still get "The certificate file is in bad format." and I also asked here for help in my older thread, but without any meaningful movement. No idea how you created your SSL certificates, but my old certificates were generated using openssl (all parts - key, request and signing).
And that was the reason why I decided to open a service request, as we have nine of these devices and we wanted to use valid certificates without any warnings during web access from the browser. And as you can see from the TAC response there is no progress as well.
I think that something was changed in the mechanism for importing SSL certificates in 188.8.131.52 because:
- on older versions there was not any error message; instead the browser showed me a connection error on the WAP main page after I clicked "import certificate", and the certificate was not imported.
- inside the filesystem a new binary was added, "/usr/sbin/check_cert", and according to its name it could be related to the SSL certificate import mechanism.
but we are still missing the requirements (or even a detailed explanation of the import error - what is wrong with the cert) for importing certificates, and they are not documented at all.
Sounds like we're in pretty much the exact same scenario; I also imported a custom SSL certificate a couple of years ago that has since expired. The certificate, like yours, was generated via OpenSSL using similar parameters to the original certificate (to try and minimise potential incompatibilities) and was signed by a Microsoft CA server. At the time it was successfully uploaded and has worked perfectly ever since, but of course, now we're back to getting SSL warnings when accessing the device management page due to the certificate having expired.
I also noticed the check_cert binary that you mention, but it's completely undocumented, and the WAP4410N user guide and associated documentation might as well be for all the information it provides on the upload process. It's presumably possible to put the certificate in place via SSH to the device and the correct replacement of files and/or manipulation of the appropriate MTD device, but to be completely honest, I just don't have the time to do so right now and it doesn't feel like a worthwhile investment of effort given how long it's likely to take.
If Cisco isn't able or willing to help it sounds like there's not much we can do. I'll ultimately likely end up replacing the device in the not too distant future and I guess the lesson learned is to avoid their SMB range of hardware as when things go wrong the quality of support seems to leave a lot to be desired.
If you do manage to find a solution it'd be great if you could update the thread though as I'd definitely be interested!