Beginner

CA Certs for 5520

Our existing 5508 wlcs have "othIpsecCaCert" for IPSec and "bsnSslEapCaCert" for EAP Certificates. Our HA Pair of 5520 show nothing in the "security, advanced, Vendor Certs" area. Just blank. How do I get these created?

Running 8.5.140.0 

13 REPLIES

Re: CA Certs for 5520

Hi @craigshawm6,


The configuration is the same as for other models and versions. Please refer to this for Local EAP.

Regards,
Sathiyanarayanan Ravindran

Please rate the post and accept as solution, if my response satisfied your question:)
Beginner

Re: CA Certs for 5520

I have everything set, except it gives me an error for installing the IPsec CA certificate. The other 3 installed and worked just fine. IPSec Device, EAP Device, and EAP CA worked great. Just the IPSec CA won't upload/install. I've tried two different certs. I've run OpenSSL as an administrator. Nothing is working for this last cert install.

OUTPUT BELOW:

TFTP IPSEC CA cert transfer starting.
TFTP receive complete... installing Certificate.
Error installing certificate.


Contributor

Re: CA Certs for 5520

Before installing the cert, can you enable "debug transfer all enable" and "debug pm pki enable", install again and paste the debug output.

-Rate helpful posts-
Beginner

Re: CA Certs for 5520

(Cisco Controller) >debug transfer all enable
(Cisco Controller) >debug pm pki enable
(Cisco Controller) >*emWeb: Jun 07 09:35:23.142: [PA] file name=
*emWeb: Jun 07 09:35:23.142: [PA] total size=0
*TransferTask: Jun 07 09:35:23.142: [PA] Memory overcommit policy changed from 0 to 1
*TransferTask: Jun 07 09:35:23.142: [PA] RESULT_STRING: TFTP IPSEC CA cert transfer starting.
*TransferTask: Jun 07 09:35:23.142: [PA] RESULT_CODE:1
*TransferTask: Jun 07 09:35:27.157: [PA] TFTP: Binding to remote=172.21.30.136
*TransferTask: Jun 07 09:35:27.180: [PA] TFP End: 11686 bytes transferred (0 retransmitted packets)
*TransferTask: Jun 07 09:35:27.180: [PA] tftp rc=0, pHost=172.21.30.136 pFilename=./wlcIPSecCACert.pem pLocalFilename=cert.p12
*TransferTask: Jun 07 09:35:27.195: [PA] RESULT_STRING: TFTP receive complete... installing Certificate.
*TransferTask: Jun 07 09:35:27.195: [PA] RESULT_CODE:13
*TransferTask: Jun 07 09:35:27.195: [PA] Adding cert (11594 bytes) with certificate key password.
*TransferTask: Jun 07 09:35:27.195: [PA] sshpmCheckCaCertBasicConsrtaints: CA Certificate basic constraint check failed at depth 0
*TransferTask: Jun 07 09:35:27.195: [PA] Add IPSEC CA certificate: Error checking basic constraints (verify: YES) IPSEC CA certificate chain
*TransferTask: Jun 07 09:35:27.195: [PA] RESULT_STRING: Error installing certificate.
*TransferTask: Jun 07 09:35:27.195: [PA] RESULT_CODE:12
*TransferTask: Jun 07 09:35:27.195: [PA] Memory overcommit policy restored from 1 to 0
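The debug line above reports the basic-constraints check failing at depth 0, that is, on the first certificate in the uploaded file, so the controller found something there that is not flagged as a CA certificate. The POSIX shell script below is an added example, not code from this thread or from Cisco; it assumes a local openssl, splits a PEM bundle and reports for each depth whether that certificate carries basicConstraints CA:TRUE, and make_samples builds constructed throwaway self-signed certificates (TestRootCA and wlc.example.test are hypothetical names) to try it on.

```shell
# Split a PEM bundle into its certificates and check, in file order, whether
# each carries basicConstraints CA:TRUE. Depth 0 is the first certificate in
# the file, matching the "failed at depth 0" debug line. Returns 0 if all are CA certs.
check_ca_bundle() {
  bundle="$1"
  tmp=$(mktemp -d)
  awk -v dir="$tmp" '
    { sub(/\r$/, "") }                                  # tolerate CRLF (Notepad) files
    /-----BEGIN CERTIFICATE-----/ { f = sprintf("%s/cert%02d.pem", dir, n); n++ }
    f { print > f }
    /-----END CERTIFICATE-----/ { close(f); f = "" }
  ' "$bundle"
  rc=0
  depth=0
  for c in "$tmp"/cert*.pem; do
    subj=$(openssl x509 -in "$c" -noout -subject)
    if openssl x509 -in "$c" -noout -text | grep -q 'CA:TRUE'; then
      echo "depth $depth: CA:TRUE   $subj"
    else
      echo "depth $depth: not a CA  $subj"              # this is what a CA-cert check rejects
      rc=1
    fi
    depth=$((depth + 1))
  done
  rm -rf "$tmp"
  return $rc
}
# Constructed sample input (hypothetical names): a self-signed CA and a self-signed
# non-CA certificate, written to $1/ca.pem and $1/leaf.pem.
make_samples() {
  dir="$1"
  cat >"$dir/openssl.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
[leaf_ext]
basicConstraints = CA:FALSE
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=TestRootCA \
    -config "$dir/openssl.cnf" -extensions ca_ext -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=wlc.example.test \
    -config "$dir/openssl.cnf" -extensions leaf_ext -keyout "$dir/leaf.key" -out "$dir/leaf.pem" 2>/dev/null
}
# Usage: sh check_bundle.sh wlcIPSecCACert.pem
[ "$#" -eq 0 ] || check_ca_bundle "$1"
```

A bundle whose first certificate is the device certificate rather than a CA certificate shows up as "depth 0: not a CA", which is the same condition the controller's check reports.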

Re: CA Certs for 5520

Hi @craigshawm6 ,

Ensure that the certificate you're installing has the complete chain.

Regards,
Sathiyanarayanan Ravindran

Please rate the post and accept as solution, if my response satisfied your question:)
Beginner

Re: CA Certs for 5520

Not sure how to do that exactly. I followed the exact same process for the other 3 certs that were installed on the wlc. 

VIP Advocate

Re: CA Certs for 5520

If you open the certificate in a text editor, it should contain two or more ***BEGIN CERTIFICATE*** (or similar) areas. One for the root, zero or more for the intermediates and lastly the actual certificate.
Beginner

Re: CA Certs for 5520

I see three different "begin certificate" when I opened it in Notepad. Each has its corresponding "end certificate" as well.


Re: CA Certs for 5520

Decode all by using https://www.sslshopper.com/certificate-decoder.html

Regards,
Sathiyanarayanan Ravindran

Please rate the post and accept as solution, if my response satisfied your question:)
Beginner

Re: CA Certs for 5520

All three certs checked good on that link. Everything looks on the up and up. It just won't install. 


What will it affect not having the IPSec CA Cert installed? 

Beginner

Re: CA Certs for 5520

So what is the effect of not having the IPSec CA cert on the 5520? The other 3 certs, IPSec Device, EAP CA, and EAP Device, installed just fine. 

VIP Advocate

Re: CA Certs for 5520

Sorry, I can't help you, never installed a cert on the WLC.
Contributor

Re: CA Certs for 5520

Sorry for the late reply.

The WLC uses IPSec to protect traffic to the RADIUS server and syslog server.

You don't necessarily have to use it, but it's of course recommended and I think it's mandatory for CC compliance.

-Rate helpful posts-