The WLC doesn't support Level 3 chained certificates.
A certificate chain is a sequence of certificates in which each certificate is signed by the next one in the chain. The purpose of a certificate chain is to establish a chain of trust from a peer certificate to a trusted Certification Authority (CA) certificate. The CA vouches for the identity in the peer certificate by signing it. If the CA is one that you trust, which is indicated by the presence of a copy of the CA certificate in your root certificate directory, then you can trust the signed peer certificate as well.
Clients often do not accept a certificate because it was not issued by a CA they know. The client typically reports that the validity of the certificate cannot be verified. This happens when the certificate is signed by an intermediate CA that is not known to the client browser. In such cases, it is necessary to use a chained SSL certificate (certificate group).
Support for Chained Certificate
In controller versions earlier than 184.108.40.206, web authentication certificates can only be device certificates and must not contain the CA roots chained to the device certificate (no chained certificates).
With controller version 220.127.116.11 and later, the controller allows for the device certificate to be downloaded as a chained certificate for web authentication.
Level 0—Use of only a server certificate on WLC.
Level 1—Use of server certificate on WLC and a CA root certificate.
Level 2—Use of server certificate on WLC, one single CA intermediate certificate, and a CA root certificate.
Level 3—Use of server certificate on WLC, two CA intermediate certificates, and a CA root certificate.
The WLC does not support chained certificates larger than 10 KB. This restriction was removed in WLC 18.104.22.168 and later releases.
Note: Chained certificates are supported for web authentication only; they are not supported for the management certificate.
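The following is an added example, not code from the Cisco document. It builds a throw-away PKI with the Python `cryptography` package (root CA, one or two intermediates, and a web-auth server certificate whose names are constructed here) and walks the chain the way a browser does: a client that trusts only the root rejects a bare device certificate signed by an intermediate, but accepts the same certificate when the intermediate is presented with it. It also maps the number of intermediates onto the Level 0 to Level 3 scale above and checks the size of the combined PEM bundle against the 10 KB limit quoted in the document; the `WLC_CHAIN_SIZE_LIMIT` constant and the `chain_level` helper are this example's own names, not WLC configuration.

```python
# Added example (not from the Cisco document): constructed PKI + chain walk.
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa, padding

# 10 KB limit on chained certificates quoted in the document for older WLC releases.
WLC_CHAIN_SIZE_LIMIT = 10 * 1024


def _new_key():
    return rsa.generate_private_key(public_exponent=65537, key_size=2048)


def _issue(common_name, key, issuer_cert, issuer_key, is_ca):
    """Issue a certificate for `key`; issuer_cert=None means self-signed."""
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    now = datetime.now(timezone.utc)
    return (
        x509.CertificateBuilder()
        .subject_name(subject)
        .issuer_name(issuer_cert.subject if issuer_cert is not None else subject)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - timedelta(minutes=5))
        .not_valid_after(now + timedelta(days=365))
        .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
        .sign(issuer_key, hashes.SHA256())
    )


def build_test_pki(num_intermediates):
    """Constructed PKI: root -> N intermediates -> WLC web-auth server cert.
    Returns (server_cert, intermediates ordered leaf-side first, root_cert)."""
    root_key = _new_key()
    root = _issue("Constructed Root CA", root_key, None, root_key, True)
    issuer_cert, issuer_key, intermediates = root, root_key, []
    for i in range(num_intermediates):
        key = _new_key()
        cert = _issue(f"Constructed Intermediate CA {i + 1}", key, issuer_cert, issuer_key, True)
        intermediates.append(cert)
        issuer_cert, issuer_key = cert, key
    server_key = _new_key()
    server = _issue("guest.wlc.example", server_key, issuer_cert, issuer_key, False)  # hypothetical name
    return server, list(reversed(intermediates)), root


def _signed_by(cert, issuer):
    """True if `issuer` is a CA certificate whose key produced cert's signature."""
    if not issuer.extensions.get_extension_for_class(x509.BasicConstraints).value.ca:
        return False
    try:
        issuer.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                   padding.PKCS1v15(), cert.signature_hash_algorithm)
        return True
    except InvalidSignature:
        return False


def verify_chain(server_cert, presented_extras, trusted_roots, max_depth=10):
    """Walk from the server certificate towards a trusted root using only the
    certificates the server presented (like a browser with only roots installed).
    Returns the number of intermediates used; raises ValueError on failure."""
    current, used = server_cert, 0
    while used <= max_depth:
        if any(r.subject == current.issuer and _signed_by(current, r) for r in trusted_roots):
            return used
        issuer = next((c for c in presented_extras
                       if c.subject == current.issuer and _signed_by(current, c)), None)
        if issuer is None:
            raise ValueError(f"no issuer found for {current.subject.rfc4514_string()}")
        current, used = issuer, used + 1
    raise ValueError("chain too long")


def chain_level(num_intermediates):
    """Document's scale once the root is included: 0 intermediates = Level 1,
    1 = Level 2, 2 = Level 3 (Level 0 is a bare server certificate)."""
    return 1 + num_intermediates


def chain_pem_size(certs):
    """Size of the concatenated PEM bundle that would be loaded on the WLC."""
    return sum(len(c.public_bytes(serialization.Encoding.PEM)) for c in certs)


def demo():
    server, intermediates, root = build_test_pki(num_intermediates=1)
    client_trust_store = [root]          # the browser knows only the root CA
    results = {}
    try:                                  # WLC sends only its device certificate
        verify_chain(server, [], client_trust_store)
        results["bare"] = "accepted"
    except ValueError:
        results["bare"] = "rejected"
    used = verify_chain(server, intermediates, client_trust_store)  # chained cert
    results["chained_level"] = chain_level(used)
    results["bundle_within_limit"] = chain_pem_size([server] + intermediates + [root]) <= WLC_CHAIN_SIZE_LIMIT
    return results


if __name__ == "__main__":
    print(demo())
```

With two intermediates `build_test_pki(2)` verifies fine in a browser but maps to Level 3, which is the shape the document says the WLC does not accept; the bundle-size check is the other gate older releases apply.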
Currently, some of the major CAs (for example, GoDaddy and VeriSign) have started providing Level 3 certificates and have stopped providing Level 2 certificates.
We have already opened a bug for this, and it will be resolved in an upcoming release (no ETA available).
CSCtk65761: Need to fix Generate CSR for Third Party Chained certificate document.
VeriSign and GoDaddy, two of the most prominent certificate authorities, are now using Level 3 certificates for all customers using SSL certificates. However, the WLC does not support Level 3 certificates as of now; going forward this will be an issue, as the majority of our customers use VeriSign for the third-party certificates on their WLCs.
Please note that:
- VeriSign has a workaround in place right now where only Managed PKI SSL customers can generate a CSR using "Old Premium SSL" as their server instead of Apache.
- This generates a certificate like the old certificate, with only one CA intermediate.
This workaround is in place only for a year through VeriSign.