I have everything set, except it gives me an error for installing the IPsec CA certificate. The other 3 installed and worked just fine. IPSEC Device, EAP Device, and EAP CA worked great. Just the IPSec CA won't upload/install. I've tried two different certs. I've ran OpenSSL as an administrator. Nothing is working for this last cert install.

OUTPUT BELOW:

TFTP IPSEC CA cert transfer starting.

TFTP receive complete... installing Certificate.

Error installing certificate.

before installing cert, can you enable debug transfer all enable and debug pm pki enable and install again and paste the debug output.

(Cisco Controller) >debug transfer all enable

(Cisco Controller) >debug pm pki enable

(Cisco Controller) >*emWeb: Jun 07 09:35:23.142: [PA] file name=

*emWeb: Jun 07 09:35:23.142: [PA] total size=0

*TransferTask: Jun 07 09:35:23.142: [PA] Memory overcommit policy changed from 0 to 1

*TransferTask: Jun 07 09:35:23.142: [PA] RESULT_STRING: TFTP IPSEC CA cert transfer starting.

*TransferTask: Jun 07 09:35:23.142: [PA] RESULT_CODE:1

*TransferTask: Jun 07 09:35:27.157: [PA] TFTP: Binding to remote=172.21.30.136

*TransferTask: Jun 07 09:35:27.180: [PA] TFP End: 11686 bytes transferred (0 retransmitted packets)

*TransferTask: Jun 07 09:35:27.180: [PA] tftp rc=0, pHost=172.21.30.136 pFilename=./wlcIPSecCACert.pem
pLocalFilename=cert.p12

*TransferTask: Jun 07 09:35:27.195: [PA] RESULT_STRING: TFTP receive complete... installing Certificate.

*TransferTask: Jun 07 09:35:27.195: [PA] RESULT_CODE:13

*TransferTask: Jun 07 09:35:27.195: [PA] Adding cert (11594 bytes) with certificate key password.

*TransferTask: Jun 07 09:35:27.195: [PA] sshpmCheckCaCertBasicConsrtaints: CA Certificate basic constraint check failed at depth 0
*TransferTask: Jun 07 09:35:27.195: [PA] Add IPSEC CA certificate: Error checking basic constraints (verify: YES) IPSEC CA certificate chain
*TransferTask: Jun 07 09:35:27.195: [PA] RESULT_STRING: Error installing certificate.

*TransferTask: Jun 07 09:35:27.195: [PA] RESULT_CODE:12

*TransferTask: Jun 07 09:35:27.195: [PA] Memory overcommit policy restored from 1 to 0

Hi @craigshawm6 ,

Ensure that certificate you're installing is having the complete chain.

Not sure how to do that exactly. I followed the exact same process for the other 3 certs that were installed on the wlc. 

I see three different "begin certificate" when I opened it in notepad. Each has it's corresponding "end certificate" as well. 

All three certs checked good on that link. Everything looks on the up and up. It just won't install. 

What will it affect not having the IPSec CA Cert installed? 

So what is the effect of not having the IPSec CA cert on the 5520? The other 3 certs, IPSec Device, EAP CA, and EAP Device, installed just fine. 

sorry for the late reply.

The WLC uses IPSec to protect traffic to Radius server and syslog server.

you don't necessarily have to use it, but its off course recommended and I think its mandatory for CC compliance.