Lightweight AP - Fail to create CAPWAP/LWAPP connection due to certificate expiration


Problem Description:

Due to the certificate expiration, any new Control and Provisioning of Wireless Access Points (CAPWAP) or Lightweight Access Point Protocol (LWAPP) connection will fail to establish. The main feature affected is the Access Point (AP)-to-controller join. The secondary feature affected is new mobility connections between controllers.

When an AP attempts to establish a new connection, the AP fails to join. When you configure mobility between controllers, they will fail to establish a connection.

The likelihood that this issue will be encountered is 100% for wireless products in use (including APs and controllers) that have a Manufacturer Installed Certificate (MIC) that is older than ten years. Self-Signed Certificates (SSCs) that were generated by the Autonomous-to-lightweight Upgrade Tool will expire on January 1, 2020.

The affected products (listed in the Products Affected section) were released prior to the end of CY2005; beginning in March 2015, the products might begin to experience these symptoms.

Some Cisco CAPWAP-based wireless solutions are reaching an age of 10 years from the date of manufacture. When this occurs, CAPWAP DTLS tunnels will fail to be established because the certificates on the CAPWAP-based hardware have expired. The certificate installed in the wireless hardware is used to authenticate the devices when they join the network.

This issue is being tracked via Cisco defect ID: CSCuq19142 and via Field Notice 63942.

*Note: The MIC lifetime has been documented in the past via the Wireless LAN Controller (WLC) Design and Features FAQ at

Problem Symptom:

Wireless Access Points fail to connect to the Wireless LAN Controller. At the time of the join failure, the WLC's msglog may show messages similar to the following:

Jul 10 16:13:52.443 spam_lrad.c:6164 LWAPP-3-PAYLOAD_ERR: Join request does not contain valid certificate in certificate payload - AP 00:11:22:33:44:55

CAPWAP utilizes Datagram Transport Layer Security (DTLS) in order to encrypt communication between the Lightweight AP and the WLC. The MIC or SSC is used in order to authenticate the Lightweight AP to the WLC, and vice versa, during the DTLS session establishment. The CAPWAP/DTLS connection cannot be established after the MIC or SSC validity end date.
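As an added example (not part of the original article), the following Python triage script scans WLC msglog and AP console lines of the kinds quoted on this page, counts certificate-related join failures per AP MAC and extracts any expiry date the AP side reports; the sample lines are constructed and the MACs, timestamps and certificate serial are illustrative.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample input modelled on the WLC msglog and AP console messages
# quoted on this page (MACs, timestamps and the cert serial are illustrative).
SAMPLE_LOG = """\
Jul 10 16:13:52.443 spam_lrad.c:6164 LWAPP-3-PAYLOAD_ERR: Join request does not contain valid certificate in certificate payload - AP 00:11:22:33:44:55
Jul 10 16:14:22.443 spam_lrad.c:6164 LWAPP-3-PAYLOAD_ERR: Join request does not contain valid certificate in certificate payload - AP 00:11:22:33:44:55
*spamReceiveTask: Dec 12 10:49:33.819: %DTLS-3-HANDSHAKE_FAILURE: openssl_dtls.c:631 Failed to complete DTLS handshake with peer for AP 00:1b:d5:13:29:ac
*Dec 12 10:49:22.063: %PKI-3-CERTIFICATE_INVALID_EXPIRED: Certificate chain validation has failed. The certificate (SN: 04C8BD) has expired. Validity period ended on 18:47:10 UTC Dec 11 2015
Jul 10 16:15:00.001 spam_lrad.c:1234 LWAPP-5-CHANGED: unrelated informational line
"""

MAC = r"([0-9a-fA-F]{2}(?::[0-9a-fA-F]{2}){5})"
JOIN_CERT_ERR = re.compile(r"LWAPP-3-PAYLOAD_ERR:.*valid certificate.*- AP " + MAC)
DTLS_FAIL = re.compile(r"DTLS-3-HANDSHAKE_FAILURE:.*for AP " + MAC)
EXPIRED = re.compile(
    r"PKI-3-CERTIFICATE_INVALID_EXPIRED:.*\(SN: (?P<sn>[0-9A-Fa-f]+)\) has expired\."
    r" Validity period ended on (?P<end>\d{2}:\d{2}:\d{2} UTC \w{3} \d{1,2} \d{4})"
)

def triage(log_text):
    """Group certificate-related join failures by AP MAC and collect any
    expiry dates the AP side reported, so an operator can see which APs
    need the lifetime-check workaround or a software upgrade."""
    join_errors, dtls_failures, expired = Counter(), Counter(), []
    for line in log_text.splitlines():
        if m := JOIN_CERT_ERR.search(line):
            join_errors[m.group(1).lower()] += 1
        elif m := DTLS_FAIL.search(line):
            dtls_failures[m.group(1).lower()] += 1
        elif m := EXPIRED.search(line):
            end = datetime.strptime(m.group("end"), "%H:%M:%S UTC %b %d %Y")
            expired.append((m.group("sn").upper(), end))
    return {"join_cert_errors": dict(join_errors),
            "dtls_failures": dict(dtls_failures),
            "expired_certs": expired}

def affected_aps(log_text):
    """MACs that produced either symptom, sorted for stable reporting."""
    t = triage(log_text)
    return sorted(set(t["join_cert_errors"]) | set(t["dtls_failures"]))

if __name__ == "__main__":
    for mac in affected_aps(SAMPLE_LOG):
        print("AP", mac, "failed certificate-based join")
    for sn, end in triage(SAMPLE_LOG)["expired_certs"]:
        print("certificate SN", sn, "expired", end.isoformat())
```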


Affected Products:

Cisco Wireless LAN Controllers - FCS in 2011 or earlier (table columns: Family / SW Type, Last Software Release, End of Sale Date, Last Date of Support (HW), End of Sale Notice; only the family names follow):

2006 Series Wireless LAN Controller
2100 Series Wireless LAN Controller
4400 Series Wireless LAN Controller
Cisco Catalyst 3750G Integrated Wireless LAN Controller
Cisco Wireless Services Module 1 (WiSM1)
(Cisco 6-Access-Point Wireless LAN Controller Network Module)
NME-AIR-WLCx (Cisco Wireless LAN Controller Module (WLCM))

Cisco Aironet Branded Lightweight Access Points - FCS in 2010 or earlier (table columns: Family / SW Type, Last Software Release, FCS Date, End Of Sale Date, Last date of Support (HW), End of Sale Notice; only the family names and the surviving AP801 dates follow):

Cisco AP801 Integrated Access Point: 26-Jun-08 (CISCO888W-GN-A-K9); 31/Mar/16 (C887VA-V-W-E-K9)
Cisco Aironet 1000 Series
Cisco Aironet 1040 Series
Cisco Aironet 1120 Series
Cisco Aironet 1130 Series
Cisco Aironet 1140 Series
Cisco Aironet 1200/1230 Series
Cisco Aironet 1240 Series
Cisco Aironet 1250 Series
Cisco Aironet 1260 Series
Cisco Aironet 1300 Series
Cisco Aironet 3500 Series

*Note: For AP series whose FCS date is before 2005: APs started being manufactured with MICs on July 18, 2005. Any Lightweight APs that were manufactured prior to that date have SSCs.


Workaround prior to the fix being available:

If you believe you will be affected by this issue and need a fix before the official code with the associated correction is posted at, then please contact TAC, who will work to provide an escalation release of code accordingly.


Recovery for APs in a failed scenario:

*Note: This workaround should only be used in order to allow APs with expired certificates to join the WLC for long enough to upgrade the software.

If the certificates have expired, disable NTP, then change the WLC clock time to a recent earlier time when the certificates were still valid. If you set the clock back too far, newer APs may not be able to join. Once the software has been upgraded, and the affected APs have joined, the WLC clock should be reset to the valid time.

*Note: Temporarily disabling NTP and changing the WLC's time settings can adversely affect other time dependent WLC features such as MFP, SNMPv3, and location.



To allow additional usage of hardware, beyond the 10 year certificate date, Cisco is providing a software maintenance release with a feature to ignore the validity period of the certificates in the CAPWAP authentication process.

Maintenance releases with the feature to ignore the validity period of the certificates are being created for AireOS 7.0, 7.4 and 8.0.

Cisco has released the fix to in AireOS and

Cisco will release to a rebuild of AireOS 8.0 (as version before July 2015.

*Note: Cisco has a beta version of AireOS 8.0 MR2 that does contain the needed commands to work around this issue and can be used until the official AireOS 8.0 MR2 ( is released on, see the following URL for details:


These maintenance releases should be updated before the certificate expires on the APs and WLCs.

By default, if an AP and/or WLC certificate has expired, the DTLS connection will fail. To allow APs to join a WLC after certificate expiration, upgrade to the fixed software version, then use the following commands:

(WLC)>config ap lifetime-check {mic|ssc} enable

For and later:
(WLC)>config ap cert-expiry-ignore {mic|ssc} enable

With "config ap lifetime-check {mic|ssc} enable" or "config ap cert-expiry-ignore {mic|ssc} enable" in effect, the WLC and AP will ignore the expiration date on the devices' MICs and SSCs. The above-noted commands must remain in effect as long as devices with expired MIC or SSC certificates are used.

Because the first-manufactured 4400 series WLCs had both Airespace and Cisco MICs installed, with the Airespace MIC given precedence by the WLC, and the fix for CSCuq19142 applies only to Cisco MICs, the currently available fix for CSCuq19142 may not work on those units. This potentially applies to most 4400s manufactured in 2005, and to other variants depending on the RMA and refurbishment history of the affected unit. See the section "How to Identify Hardware Levels" for how to determine the date of manufacture. If the affected unit was refurbished, the SN may have changed while the MIC remained the same. At present the only remedy is to disable NTP, then change the WLC clock time to a recent earlier time when the certificates were still valid. Contact TAC to get an escalation image with the fix, as per bug ID CSCuu02970.


How to Identify Certificate Expiration date:

(via the CLI, the serial number, a Python script, or WLCCA)

This section describes how to determine when your AP and WLC MICs and/or SSCs expire, using show commands where available or the device serial number otherwise.

1) Manufacturing Installed Certificates (MICs):

The serial number can be used to determine the approximate date when the MIC will expire.

The AP's MIC will expire, at the earliest, ten years after the date of manufacture. Note that some APs may have more recently created MICs under some conditions, for example if the AP's motherboard was manufactured and stored but not assembled until some time later, or if the AP was subject to RMA and a refurbishing process.

To determine when the AP was manufactured, run this command on the WLC to find the AP SN:

(Cisco Controller) >show ap inventory all
Inventory for lap1130-sw3-9
NAME: "Cisco AP" , DESCR: "Cisco Wireless Access Point"
PID: AIR-LAP1131AG-E-K9, VID: V01, SN: FCZ1128Q0PE
NAME: "Dot11Radio0" , DESCR: "802.11G Radio"
NAME: "Dot11Radio1" , DESCR: "802.11A Radio"
The AP chassis SN is in the first section of the output, for example: PID: AIR-LAP1131AG-E-K9, VID: V01, SN: FCZ1128Q0PE

See "Deriving manufactured date from serial number" section below.

Alternatively, the exact date the MIC expires can be found by running this command and looking for the "Certificate" entry; ignore "CA Certificate" entries. The "end date" associated with the "Validity Date" section is the expiration date for the MIC certificate:

AP_CLI#sh crypto pki certificates
CA Certificate
Status: Available...
Status: Available
Certificate Serial Number: 728AF4350000001E4C89
Certificate Usage: General Purpose
cn=Cisco Manufacturing CA
o=Cisco Systems
Name: C1130-001c58b5b3a4
o=Cisco Systems
l=San Jose
CRL Distribution Points:
Validity Date:
start date: 04:22:10 UTC Jul 11 2007
end date: 04:32:10 UTC Jul 11 2017
Associated Trustpoints: Cisco_IOS_MIC_cert

2) Self-Signed Certificates (SSCs):

In order to determine if you have an SSC, run this WLC command:

AP_CLI >show auth-list
AP with Self-Signed Certificate................ yes

All AP SSCs have an expiration date of January 1st, 2020.

3) Wireless LAN Controllers (WLCs):

You can determine the WLC's serial number by running this command:
WLC_CLI>show inventory

Burned-in MAC Address............................ 24:E9:B3:43:C4:E0
Maximum number of APs supported.................. 75
NAME: "Chassis" , DESCR: "Cisco 2500 Series Wireless LAN Controller"
PID: AIR-CT2504-K9, VID: V04, SN: PSZ17441ANT

To determine the WLC serial number via the GUI, navigate: Controller > Inventory

If you have AireOS 8.0 or later, to determine when the WLC certificate expires, run this command and look for the "Cisco SHA1 device cert":

WLC_CLI: show certificate all

Certificate Name: Cisco SHA1 device cert
Subject Name :
C=US, ST=California, L=San Jose, O=Cisco Systems, CN=AIR-CT2504-K9-d0c282d65a20,
Issuer Name :
O=Cisco Systems, CN=Cisco Manufacturing CA
Serial Number :
Validity :
Start : 2011 Jul 26th, 20:17:17 GMT
End : 2021 Jul 26th, 20:27:17 GMT
Signature Algorithm :
Hash key :
SHA1 Fingerprint : 98:89:eb:12:2a:98:bc:fe:ad:5b:8f:23:63:0f:47:d1:36:ce:f5:be
MD5 Fingerprint : ba:f3:98:9a:cd:f8:01:08:84:b8:66:3c:6a:6c:d3:05

This command is not available in AireOS releases prior to 8.0. There is no similarly straightforward command to derive this date in earlier AireOS releases. As an alternate method, use the WLC serial numbers to determine the earliest possible MIC expiration date.
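The two show outputs above (the AP's "show crypto pki certificates" and the AireOS 8.0+ "show certificate all") can be parsed to get the exact end dates; the following is an added Python example, not the apCertCheck tool or any Cisco code. The sample text is constructed in the layout of the page's outputs: the dates match the page, while the CA entry's dates and the "Certificate" header line (elided on the page) are assumptions.

```python
import re
from datetime import datetime, timezone

# Constructed samples laid out like the two outputs shown on this page. The
# dates match the page; the CA entry's dates and the "Certificate" header line
# (elided on the page) are assumptions.
AP_SHOW_CRYPTO = """\
CA Certificate
  Validity Date:
    start date: 00:00:00 UTC Jan 1 2000
    end date: 00:00:00 UTC Jan 1 2030
Certificate
  Certificate Serial Number: 728AF4350000001E4C89
  Validity Date:
    start date: 04:22:10 UTC Jul 11 2007
    end date: 04:32:10 UTC Jul 11 2017
  Associated Trustpoints: Cisco_IOS_MIC_cert
"""
WLC_SHOW_CERT = """\
Certificate Name: Cisco SHA1 device cert
Validity :
Start : 2011 Jul 26th, 20:17:17 GMT
End : 2021 Jul 26th, 20:27:17 GMT
"""

AP_END = re.compile(r"end date:\s*(\d{2}:\d{2}:\d{2}) UTC (\w{3}) (\d{1,2}) (\d{4})")
WLC_NAME = re.compile(r"^Certificate Name:\s*(.+?)\s*$")
WLC_END = re.compile(r"^End\s*:\s*(\d{4}) (\w{3}) (\d{1,2})(?:st|nd|rd|th), (\d{2}:\d{2}:\d{2}) GMT")

def _utc(parts, fmt):
    # Join the regex groups, parse them and mark the result as UTC.
    return datetime.strptime(" ".join(parts), fmt).replace(tzinfo=timezone.utc)

def ap_mic_end_date(show_output):
    """End date of the AP's own MIC, skipping 'CA Certificate' entries as the page instructs."""
    section, end = None, None
    for line in show_output.splitlines():
        if line.strip() in ("CA Certificate", "Certificate"):
            section = line.strip()
            continue
        m = AP_END.search(line)
        if m and section == "Certificate":
            end = _utc(m.groups(), "%H:%M:%S %b %d %Y")
    return end

def wlc_device_cert_end_date(show_output, name="Cisco SHA1 device cert"):
    """End date of the named certificate from AireOS 8.0+ 'show certificate all'."""
    current = None
    for line in show_output.splitlines():
        if m := WLC_NAME.match(line):
            current = m.group(1)
        elif (m := WLC_END.match(line)) and current == name:
            return _utc(m.groups(), "%Y %b %d %H:%M:%S")
    return None

def days_remaining(end, as_of):
    """Whole days from the ISO date `as_of` (UTC) until `end`; negative once expired."""
    now = datetime.fromisoformat(as_of).replace(tzinfo=timezone.utc)
    return (end - now).days
```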

Deriving manufactured date from product serial numbers:
The serial number format is "LLLYYWWSSSS", where "YY" is the year of manufacture and "WW" is the week of manufacture; the date code is the 4 middle digits of the serial number.

Manufacturing Year Codes:
01 = 1997 06 = 2002 11 = 2007 16 = 2012
02 = 1998 07 = 2003 12 = 2008 17 = 2013
03 = 1999 08 = 2004 13 = 2009 18 = 2014
04 = 2000 09 = 2005 14 = 2010
05 = 2001 10 = 2006 15 = 2011

Manufacturing Week Codes:
01-05 = January     15-18 = April     28-31 = July         41-44 = October
06-09 = February    19-22 = May       32-35 = August       45-48 = November
10-14 = March       23-27 = June      36-40 = September    49-52 = December

Example: SN FCZ1128Q0PE has year code 11, meaning it was manufactured in the year 2007. The week code is 28, meaning it was manufactured in July of that year.
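The decoding above, carried through as an added Python example (not from the page or any Cisco tool): it derives the manufacture year and month from the LLLYYWWSSSS date code, computes the earliest possible MIC end date ten years later, and flags serials within a 60-day window, mirroring the WLCCA check described in section 5. It generalizes the page's year table by assuming year = 1996 + code continues past 18 = 2014; the extra serials are the ones quoted on this page.

```python
import re
from datetime import date, timedelta

# Week-code-to-month table as given on this page: (last week of month, month).
WEEK_TO_MONTH = [(5, 1), (9, 2), (14, 3), (18, 4), (22, 5), (27, 6),
                 (31, 7), (35, 8), (40, 9), (44, 10), (48, 11), (52, 12)]

# LLLYYWWSSSS: three-letter site code, two-digit year code, two-digit week
# code, four-character sequence.
SERIAL = re.compile(r"^[A-Z]{3}(\d{2})(\d{2})[A-Z0-9]{4}$")

def manufacture_month(serial):
    """Decode a serial into (year, month). Year code 01 = 1997, so year is
    1996 + code; this assumes the page's table continues the same way
    beyond 18 = 2014."""
    m = SERIAL.match(serial.strip().upper())
    if not m:
        raise ValueError(f"not an LLLYYWWSSSS serial: {serial!r}")
    yy, ww = int(m.group(1)), int(m.group(2))
    if yy == 0 or not 1 <= ww <= 52:
        raise ValueError(f"date code out of range: {serial!r}")
    month = next(mon for last_week, mon in WEEK_TO_MONTH if ww <= last_week)
    return 1996 + yy, month

def earliest_mic_expiry(serial):
    """Earliest possible MIC end date: ten years after the manufacture month.
    The real MIC may be newer (refurbished or late-assembled units), so this
    is only a lower bound, as the page's note says."""
    year, month = manufacture_month(serial)
    return date(year + 10, month, 1)

def flag_expiring(serials, as_of, window_days=60):
    """Serials whose earliest MIC expiry falls on or before `as_of` (an ISO
    date string) plus `window_days`; the 60-day default mirrors WLCCA."""
    cutoff = date.fromisoformat(as_of) + timedelta(days=window_days)
    return sorted(s for s in serials if earliest_mic_expiry(s) <= cutoff)

if __name__ == "__main__":
    # Serials quoted on this page: an AP, a 2504 WLC and a 2106 WLC.
    for sn in ("FCZ1128Q0PE", "PSZ17441ANT", "IMX1133K02U"):
        print(sn, manufacture_month(sn), "earliest MIC expiry", earliest_mic_expiry(sn))
```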


4) Access Point Certificate Check Tool:

A Python script is available that runs on Windows, Mac and Linux systems and lets a user check the certificate expiration date for all APs on their network.

The following Cisco Support Forum article explains how to access and run this tool: Access Point Certificate Check Tool - apCertCheck


5) Wireless LAN Controller (WLC) Config Analyzer:

WLCCA version 3.6.5 and above can check the AP certificate expiration date. This check is based on the AP serial number and flags any AP that needs checking when the serial number indicates an expiration within 60 days.

The following Cisco Support Forum article explains how to access and run this tool: WLC Config Analyzer

NOTE: Using the AP serial number gives only an approximation of the MIC expiration date. Any APs flagged by this method should always be checked for the real MIC expiration date via the Access Point commands listed above.


Community Member

This is not for my place of work but private, for my local church.

We have a controller AIR-WLC2106-K9, serial number IMX1133K02U, running,

One of the APs (AIR-LAP1131AG-A-K9) has now dropped off the controller due to this very problem.

The WLC was bought off eBay (as were the 4 APs) and has been operational for the past 2 years. How can we get a firmware update to fix this problem?


Hi Mkaholyw88,

I have the same problem as you. I bought 3 second-hand LAP-1131AGs for my lab and they can't register on the vWLC anymore after the certificate expired.

I tried to use the (WLC)>config ap cert-expiry-ignore {mic|ssc} enable feature on vWLC 7.4.150, but it doesn't work.

Did you find a solution, or are you still looking for one?


Community Member

Hi, I didn't manage to get any updated firmware. I just changed the time of the WLC back 2 years. Not ideal, but needed to maintain service.


Hi Mkaholyw88,

I discovered which certificate had expired, then I changed the clock to an earlier date and it's working now, but I think the new commands (config ap cert-expiry-ignore {mic|ssc} enable) introduced to solve this bug should work.

Thanks a lot for your attention.



I'm still using a 4402 and a 1252 in my lab, and now I ran into the cert problem too.

My problem is that the workaround is not working: I updated the OS to , entered the commands, but the AP does not join anymore. I have to set the time to 2014, then it works?

*Dec 12 10:49:22.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: peer_port: 5246
*Dec 12 10:49:22.000: %CAPWAP-5-CHANGED: CAPWAP changed state to
*Dec 12 10:49:22.063: %PKI-3-CERTIFICATE_INVALID_EXPIRED: Certificate chain validation has failed. The certificate (SN: 04C8BD) has expired. Validity period ended on 18:47:10 UTC Dec 11 2015
*Dec 12 10:49:22.067: %LWAPP-3-CLIENTERRORLOG: Peer certificate verification failed
*Dec 12 10:49:22.067: %CAPWAP-3-ERRORLOG: Certificate verification failed!
*Dec 12 10:49:22.067: DTLS_CLIENT_ERROR: ../capwap/capwap_wtp_dtls.c:352 Certificate verified failed!
*Dec 12 10:49:22.067: %DTLS-4-BAD_CERT: Certificate verification failed. Peer IP:
*Dec 12 10:49:22.067: %DTLS-5-SEND_ALERT: Send FATAL : Bad certificate Alert to

*spamReceiveTask: Dec 12 10:50:31.112: %DTLS-3-HANDSHAKE_FAILURE: openssl_dtls.c:631 Failed to complete DTLS handshake with peer for AP 00:1b:d5:13:29:ac
*spamReceiveTask: Dec 12 10:49:33.819: %DTLS-3-HANDSHAKE_FAILURE: openssl_dtls.c:631 Failed to complete DTLS handshake with peer for AP 00:1b:d5:13:29:ac

(Cisco Controller) >show sysinfo

Manufacturer's Name.............................. Cisco Systems Inc.
Product Name..................................... Cisco Controller
Product Version..................................
RTOS Version.....................................


Please see

Beginner

 didn't solve the problem. The problem is with SSC certs only.


I'm using 3 pcs of AIR-WLC4404-100-K9 which will time-bomb in a few months. The "broken command" to ignore the APs' CA expiry does not work (probably because of "the mistake"). We have 11 APs here out of order now, and only this "bug" shut them down. We are a school and I see no reason to dump perfectly working APs (AIR-LAP1242AG). The majority of the students have no support for 802.11n or ac in their phones (we have 500 students with 500 online devices; only ~10% have something better than 2.4GHz G-band).

But the WLC itself will also stop working, even though the hardware is perfectly OK!

I think it is illegal to sell things that stop working for no real reason... there is no security concern, only "the business".

Cisco Employee

Why not just set your clock back to 2012 or so?


For example, because of MFP?

Cisco Employee

Not sure why having a clock set 5 years in the past would present a problem with MFP. First, client MFP never was really supported by anyone, so you can skip that. Infra MFP would only know about AP and WLC time, and APs get time from the WLC, so if the WLC is living in the past, the APs would be too, and they all should be happy.

Main problem with setting your WLC time to 2012 would be cert validity for devices other than the WLC and APs.  For example, if you are doing https on the WLC, then you would likely see cert validity problems on the client browser.


Hi Tim,

As you explained, the bug will also affect inter-controller communications for mobility / anchoring.

Will the fix (upgrade to and the command config ap lifetime-check {mic|ssc} enable) also fix the inter-controller issue? Just asking because the command specifically mentions config ap lifetime ...., so it looks like it will not provide a fix for connections to other controllers.

thank you,



I saw the same problem with SSC only on AIR-LAP1231G-E-K9 on  No reason to believe that would solve it, as the problem description is subtly different. I've just left the WiSM WLC date back in 2015 and all is working fine, albeit with the wrong date!


Which command can I use to connect an old AP with a bad certificate to a WLC-2504?


I have the same problem in recent days. My APs disconnected from the WLC one by one, and the APs have logs like below:

*Mar  1 00:00:07.717: %CDP_PD-4-POWER_OK: Full power - AC_ADAPTOR inline power source
*Mar  1 00:00:07.727: %SYS-5-RESTART: System restarted --
Cisco IOS Software, C1130 Software (C1130-RCVK9W8-M), Version 12.3(11)JX1, RELEASE SOFTWARE (fc1)
Technical Support:
Copyright (c) 1986-2006 by Cisco Systems, Inc.
Compiled Mon 17-Jul-06 11:38 by alnguyen
*Mar  1 00:00:08.668: %LINK-3-UPDOWN: Interface FastEthernet0, changed state to up
*Mar  1 00:00:09.668: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0, changed state to up
*Mar  1 00:00:26.736: %LWAPP-5-CHANGED: LWAPP changed state to DISCOVERY
*Mar  1 00:00:36.872: %DHCP-6-ADDRESS_ASSIGN: Interface FastEthernet0 assigned DHCP address, mask, hostname AP0021.d847.dedc

*Mar  1 00:00:48.153: %LWAPP-5-CHANGED: LWAPP changed state to JOIN
*Jun 16 01:59:28.019: LWAPP_CLIENT_ERROR_DEBUG:
*Jun 16 01:59:28.019: peer certificate verification failed
*Jun 16 01:59:28.020: LWAPP_CLIENT_ERROR_DEBUG: spamDecodeJoinReply : Certificate is not valid

*Jun 16 01:59:28.020: LWAPP_CLIENT_ERROR_DEBUG: Unable to decode join reply

*Jun 16 01:59:32.814: LWAPP_CLIENT_ERROR_DEBUG: spamHandleJoinTimer: Did not recieve the Join response

*Jun 16 01:59:32.814: LWAPP_CLIENT_ERROR_DEBUG: No more AP manager IP addresses remain.


And then I disabled the WLC NTP service and changed the local time to 5 years ago, and all my APs became available.
