Inrtoduction

Wildcard Certificate installation on WLC.

What is a Wildcard certificate?

Wildcard certificate is obtained from CA's which can be installed on more than one servers.

Most of the times CA's give PFX file which includes full chain however when you convert these certificates to PEM file they do not have full chain most of the times instead have only server certificate with private key or without private key.

How to install Wildcard certificates on WLC?

• Convert PFX to PEM.

                      openssl> pkcs12 -in certificate.pfx -out certificate.cer -nodes

                      Note:- PEM is also a CER file so you can just change its extension in PC.

•  Now we have a PEM file which have Server Certificate and your private key so we do not need to add private key.

                      Note:- If you do not have private key then you can add it in last step.

• Add intermediate certificate and root certificate to form complete chain of trust between certificates(In PFX format it is not required as PFX have capability to have all of them)

                      Note:-The PKCS#12 or PFX format is a binary format for storing the server certificate, any intermediate certificates, and the private key in one encryptable file. PFX files usually have extensions such as .pfx     and .p12. PFX files are typically used on Windows machines to import and export certificates and private keys.

• Download the proper intermediate and root certificate from CA repository. In my case these were;

             Daddy Secure Certificate Authority - G2(Intermediate)

                     Daddy Root Certificate Authority - G2(Root)

• Add these in correct order in a notepad. I mean the pem file we created from PFX, open in notepad and add Intermediate below it. After that add root at bottom.

• Now convert this certificate using command below;

• openssl>pkcs12 -export -in All-certs.pem -out All-certs.p12 -clcerts -passin pass:yourpassword -passout pass:yourpassword

                      This converts .pem to .p12 format

                      Note:- If private key was not present use command given below;

                openssl>pkcs12 -export -in All-certs.pem -inkey mykey.pem -out All-certs.p12 -clcerts -passin pass:yourpassword -passout pass:yourpassword

• openssl>pkcs12 -in All-certs.p12 -out final-cert.pem -passin pass:yourpassword -passout pass:yourpassword

                     This converts .p12 to pem again and adds password used while importing to WLC.

• Now you have file with complete chain that can be uploaded to WLC.

And for a normal certificate procedure remains same as mentioned in document;

http://www.cisco.com/c/en/us/support/docs/wireless/4400-series-wireless-lan-controllers/109597-csr-chained-certificates-wlc-00.html

#####################################################################

Please note certificate order should be correct otherwise most of the devices will display incorrect issuer chain certificate error.

Certificate order:-

Server certificate

Intermediate certificate

Root certificate

How to identify certificate order?

open final PEM file and check if you see all the certificates in order.

When you open certificate in Notepad you will see the certificate content.

You will see domain to which it was issued and who issued it.

#####################################################################

eg:-

subject=/OU=Domain Control Validated/CN=*.kamalwirelesslab.com

issuer=/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certs.godaddy.com/repository//CN=Go Daddy Secure Certificate Authority - G2

Please check attachment to understand process mentioned below; 

Finalcert.txt

We can see issuer is Go Daddy Secure Certificate Authority - G2

issued to *.kamalwirelesslab.com (it’s a wildcard certificate)

when you see this its means its server certificate.

Now Go daddy secure certificate authority- G2 can be a root or intermediate.

How to identify?

For that we will need a certificate which show that either this CA issued certificate to itself or was issued by another CA.

From same certificate if we scroll down;

subject=/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certs.godaddy.com/repository//CN=Go Daddy Secure Certificate Authority - G2

issuer=/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./CN=Go Daddy Root Certificate Authority - G2

Great we are clear now it’s an intermediate certificate. How ?

Issuer and Subject are different thus now we need a certificate where subject will be issuer of above certificate.

Now let’s see if there is another intermediate or if chain is complete but surely we need another certificate till we get a certificate where issuer and subject are exactly same.

Now scroll down further in certificate;

subject=/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./CN=Go Daddy Root Certificate Authority - G2

issuer=/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./CN=Go Daddy Root Certificate Authority - G2

Finally Root certificate.

This completes chain. And one more thing Private key should also be included.

############################################################################################

Hope it clears on how to identify root, intermediate and server certificate.

Some key points;

1) Older codes only supports SHA1. SHA2(also known as SHA256) will only work on codes 7.4 or above. For 7.0 train only 7.0.250.0 supports it.

http://www.cisco.com/c/en/us/td/docs/wireless/controller/8-0/configuration-guide/b_cg80/b_cg80_chapter_010111.html#d107066e41a1635

2) On older codes maximum certificate size is 10KB however after 7.0.230.0 they can be greater.

3) 7.6 will not allow incomplete certificate to be loaded.

4) Its recommended to use open SSL 0.9.8k however I used 0.9.8h and it worked fine. Also version 1.0 also works on latest codes but again not recommended.

I have attached Openssl 0.9.8h as attachment