cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
Community Live- Understanding How Multicast Works with Cisco

Certificate Signing Requests for WLC via Open SSL

9225
Views
5
Helpful
5
Comments

 

 

Introduction

 

Certificate Signing Requests for WLC via Open SSL

 

Solution

 

Use Open SSL to generate CSR. (Version 0.9.8r only!) The CSR Generation example document follows along with most of the steps

 

Generate a CSR

 

We also have a Video available on CSC which provides more in-depth information on this:-

 

(Video) Installing a 3rd Party SSL Certificate for Guest Access

 

Step 1

 

Download OpenSSL for Windows. Open source utility to generate the CSR and private key needed.

 

OpenSSL for Windowshttp://www.slproweb.com/products/Win32OpenSSL.html

 

Grab the 0.9.8(x) version after navigating from the OpenSSL download page. 0.9.8 is the only release compatible with performing these steps.

 

Step 2

 

Install OpenSSL (accept defaults, install 2008+ distributable if applicable)

 

Microsoft Visual C++ 2008 Redistributable Package (x86)

 

Step 3

 

From a Windows machine, openssl.exe will be located at "C:\OpenSSL\bin\" with a default installation.  Launch openssl.exe and issue the following command from the openssl> prompt

 

OpenSSL> req -new -newkey rsa:1024 -nodes -keyout mykey.pem -out myreq.pem

 

Step 3.a

 

If you receive any messages about being “unable to load config”, you will need to specify the full file path to the openssl.cfg file.

 

OpenSSL> req -config "%PATHTOOPENSSLCONFIG%" -new -newkey rsa:1024 -nodes -keyout mykey.pem -out myreq.pem

 

For example, the config file (by default) is located in the OpenSSL program directory at "C:\OpenSSL\bin\openssl.cfg".  The string then looks like this.

 

OpenSSL> req -config "C:\OpenSSL\bin\openssl.cfg" -new -newkey rsa:1024 -nodes -keyout mykey.pem -out myreq.pem

 

Step 4

 

Populate "extra" information as applicable.  Be sure to remember the "challenge password" you configure as it will be needed to combine the private key and signed/returned CSR to generate final .pem for the WLC. Be sure "Common Name" is what you populate with FQDN:  An example would be something like… controller.yourdomain.com

 

Step 5

 

This will generate the mykey.pem (key file) and myreq.pem (csr) at the location C:\OpenSSL\bin\

 

Step 6

 

Submit CSR (myreq.pem) to third-party CA, who will digitally sign and return via e-mail.  When submitting CSR to CA, you may be asked the "server technology" that is being used.  If that is the case, select "Apache". The same goes for SHA-1 or SHA-2 as 1 is the supported Hash Algorithm. If asked to specify, select SHA-1.

 

Step 7

 

When the CSR has been signed and returned. Save the file to the same C:\OpenSSL\bin directory

 

Step 8

 

See instructions on the page for combining a chained certificate in to one (1) .pem cert file.

 

Step 9

 

Perform the following commands in OpenSSL to combine the returned  CSR and key generated during the CSR request.

 

OpenSSL>pkcs12 -export -in All-certs.pem -inkey mykey.pem -out All-certs.p12 -clcerts -passin pass:check123 -passout pass:check123

 

Step 9.a

 

be sure you use "challenge password" from before in this string and the next

 

OpenSSL>pkcs12 -in All-certs.p12 -out final-cert.pem -passin pass:check123 -passout pass:check123

 

Step 10

 

final-cert.pem will be generated, and will be the file we will TFTP to the WLC.

 

Step 11

 

Move .pem to default directory of TFTP server

 

Step 12

 

Issue the following commands at the WLC to inform the controller

of the type of download about to be performed

>transfer download mode tftp

>transfer download datatype webauthcert

>transfer download serverip <TFTP server IP address>

>transfer download path <absolute TFTP server path to the update file>

>transfer download filename final-cert.pem

>transfer download certpassword Test123

 

Step 12.a

 

Use "challenge password" from the CSR, same as before.

 

Step 13

 

Start TFTP transfer with

>transfer download start

 

Cert should now be successfully installed on the WLC. Please specify FQDN for the virtual ip address of WLC and make sure

that the DNS name is resolved to the virtual ip as well for clients of this network. Note in the config example states

 

"It is important that you provide the correct Common Name. Ensure that the host name that is used to create the certificate (Common Name)

matches the Domain Name System (DNS) host name entry for the virtual interface IP on the WLC and that the name exists in the DNS as well.

Also, after you make the change to the VIP interface, you must reboot the system in order for this change to take effect"

 

Go ahead and specify FQDN for the virtual interface on wlc then reboot WLC.  You should be ready to go at this point.

 

Reference

 

Generate CSR for Third-Party Certificates and Download Chained Certificates to the WLC

Installing a 3rd Party SSL Certificate for Guest Access

 

 

Comments
Beginner

Won't this still produce the "This certificate cannot be validated... " message when connecting? Is there any advantage to Open SSL over other methods?

Beginner

Step6 advises to give the CSR to the 3rd Party CA. this is what prevents the cert cannot be validated message.

Open SSL is a technology not a CA.

Beginner

For those who think this post is a joke; no my friends, this is real. That is how you would upload a public CA certificate (godaddy or whatever) to Cisco WLC. No joke. This is how company goes downhill!

Thank you for the post this is very helpful.

So happens im updating for guest anchor certs today on some WLC 4400.

 

 

Beginner

Question: on which stage I need to use SSL 0.9.8, if I already got the certificate? Can I just use it while converting CER bundle to PFX, or I had to start all the sequence from scratch?
+ Which parts of request are safe to publish here to discuss? Everything except private key or nothing at all?

CreatePlease to create content
Content for Community-Ad
August's Community Spotlight Awards