
Upload pem file to WLC

Hello everyone,

I'm trying to complete the upload of a certificate for my controller, but I'm not getting an error message "Error installing certificate error"

The version of the controller is 4.2.176.0

The commands are:

transfer download mode tftp
transfer download datatype webauthcert
transfer download serverip 10.13.46.55
transfer download path /
transfer download filename file.pem

The debugs for the problem follow. Can someone help me?

(Cisco Controller) >transfer download start

Mode............................................. TFTP

Data Type........................................ Site Cert

TFTP Server IP................................... 10.13.46.55

TFTP Packet Timeout.............................. 6

TFTP Max Retries................................. 10

TFTP Path........................................ /

TFTP Filename.................................... file.pem

This may take some time.

Are you sure you want to start? (y/N) y

Wed Jan 13 15:48:56 2010: RESULT_STRING: TFTP Webauth cert transfer starting.

Wed Jan 13 15:48:56 2010: RESULT_CODE:1

TFTP Webauth cert transfer starting.

Wed Jan 13 15:48:59 2010: Still waiting!  Status = 2

Wed Jan 13 15:49:00 2010: Locking tftp semaphore, pHost=10.13.46.55 pFilename=/file.pem

Wed Jan 13 15:49:00 2010: Semaphore locked, now unlocking, pHost=10.13.46.55 pFilename=/file.pem

Wed Jan 13 15:49:00 2010: Semaphore successfully unlocked, pHost=10.13.46.55 pFilename=/file.pem

Wed Jan 13 15:49:00 2010: TFTP: Binding to local=0.0.0.0 remote=10.13.46.55

Wed Jan 13 15:49:00 2010: TFP End: 6435 bytes transferred (0 retransmitted packets)

Wed Jan 13 15:49:00 2010: tftp rc=0, pHost=10.13.46.55 pFilename=/file.pem pLocalFilename=cert.p12

Wed Jan 13 15:49:00 2010: RESULT_STRING: TFTP receive complete... Installing Certificate.

Wed Jan 13 15:49:00 2010: RESULT_CODE:13

TFTP receive complete... Installing Certificate.

Wed Jan 13 15:49:02 2010: Still waiting!  Status = 2

Wed Jan 13 15:49:04 2010: Adding cert (6383 bytes) with password "xxxxxx"

Wed Jan 13 15:49:04 2010: sshpmAddWebauthCert: extracting private key from webauth cert; pwd: <xxxxxx>.

Wed Jan 13 15:49:04 2010: sshpmDecodePrivateKey: private key decode failed...

Wed Jan 13 15:49:04 2010: sshpmAddWebauthCert: key extraction failed.

Wed Jan 13 15:49:04 2010: RESULT_STRING: Error installing certificate.

Wed Jan 13 15:49:04 2010: RESULT_CODE:12

Wed Jan 13 15:49:04 2010: ummounting: <umount /mnt/download/>  cwd  = /mnt/application

Wed Jan 13 15:49:04 2010: finished umounting

Thanks in advance.

Rafael

6 REPLIES

Re: Upload pem file to WLC

It sounds from the error message like you are trying to install a third-party cert.

Check out this doc:

http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00806e367a.shtml

If that doesn't help, post your debug pm pki output.


Re: Upload pem file to WLC

I had followed the procedures in this document to perform the import.


Anyway, I redid the entire procedure and it failed again.

The debug output follows:

TFTP Webauth cert transfer starting.
Mon Jan 18 08:00:02 2010: Still waiting!  Status = 2
Mon Jan 18 08:00:03 2010: Locking tftp semaphore, pHost=10.13.46.55 pFilename=/file.pem
Mon Jan 18 08:00:03 2010: Semaphore locked, now unlocking, pHost=10.13.46.55 pFilename=/file.pem
Mon Jan 18 08:00:03 2010: Semaphore successfully unlocked, pHost=10.13.46.55 pFilename=/file.pem
Mon Jan 18 08:00:03 2010: TFTP: Binding to local=0.0.0.0 remote=10.13.46.55
Mon Jan 18 08:00:03 2010: TFP End: 6438 bytes transferred (0 retransmitted packets)
Mon Jan 18 08:00:03 2010: tftp rc=0, pHost=10.13.46.55 pFilename=/file.pem pLocalFilename=cert.p12
Mon Jan 18 08:00:03 2010: RESULT_STRING: TFTP receive complete... Installing Certificate.
Mon Jan 18 08:00:03 2010: RESULT_CODE:13

TFTP receive complete... Installing Certificate.
Mon Jan 18 08:00:05 2010: Still waiting!  Status = 2
Mon Jan 18 08:00:07 2010: Adding cert (6386 bytes) with password "webpacientes"
Mon Jan 18 08:00:07 2010: sshpmAddWebauthCert: extracting private key from webauth cert; pwd: .
Mon Jan 18 08:00:07 2010: sshpmDecodePrivateKey: private key decode failed...
Mon Jan 18 08:00:07 2010: sshpmAddWebauthCert: key extraction failed.
Mon Jan 18 08:00:07 2010: RESULT_STRING: Error installing certificate.
Mon Jan 18 08:00:07 2010: RESULT_CODE:12
Mon Jan 18 08:00:07 2010: ummounting:   cwd  = /mnt/application
Mon Jan 18 08:00:07 2010: finished umounting

Error installing certificate.

Tks.

Re: Upload pem file to WLC

Do you have an intermediate and root cert?

From what vendor are they? Usually they come in PKCS 7 format and you need to convert them to PEM using OpenSSL.

The PEM cert needs to contain BOTH the device and intermediate certificate. You can combine them using:

https://www.sslshopper.com/ssl-converter.html

Finally make sure you have Virtual Interface Hostname


Re: Upload pem file to WLC

Yes, they are all within the file, the entire chain, vendor is Certsign.


The certificates come in .pfx format; I converted them to .pem using openssl with the command:

pkcs12 -in c:\cert\file.pfx -out file.pem -nodes

A question: must the virtual interface be named before importing the certificate?
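
An added example, not part of the original thread: a stand-alone Python check that lists what a PEM bundle contains before it is uploaded to the controller, namely how many certificates it holds (the reply above asks for the device and intermediate certificates in one file) and whether its private key is stored encrypted (the debug output shows the controller decoding the key with a password, while `-nodes` writes the key unencrypted). The function names and both sample bundles are constructed for illustration; the samples wrap dummy bytes, not real keys or certificates.

```python
import base64
import re

# One PEM block: BEGIN line, optional RFC 1421 headers, base64 body, END line.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)

def inspect_pem_bundle(text):
    """Count certificates and private keys and flag keys stored encrypted."""
    report = {"certificates": 0, "private_keys": 0, "encrypted_keys": 0,
              "bad_base64": 0, "order": []}
    for label, body in PEM_BLOCK.findall(text):
        lines = [ln.strip() for ln in body.splitlines()]
        headers = [ln for ln in lines if ":" in ln]   # e.g. Proc-Type, DEK-Info
        payload = "".join(ln for ln in lines if ":" not in ln)
        try:
            base64.b64decode(payload, validate=True)
        except ValueError:                            # binascii.Error subclasses it
            report["bad_base64"] += 1
        if label == "CERTIFICATE":
            report["certificates"] += 1
        elif label.endswith("PRIVATE KEY"):
            report["private_keys"] += 1
            # PKCS#8 uses its own label; the traditional format uses a header.
            if label == "ENCRYPTED PRIVATE KEY" or any(
                    h.startswith("Proc-Type:") and "ENCRYPTED" in h for h in headers):
                report["encrypted_keys"] += 1
        report["order"].append(label)
    return report

def pem_block(label, data, headers=""):
    """Build a PEM block around dummy bytes (constructed sample data only)."""
    b64 = base64.encodebytes(data).decode()
    return f"-----BEGIN {label}-----\n{headers}{b64}-----END {label}-----\n"

# Constructed sample shaped like `openssl pkcs12 ... -nodes` output: text between
# blocks ("Bag Attributes"), an unencrypted key, then two certificates.
SAMPLE_NODES = ("Bag Attributes\n    friendlyName: constructed\n"
                + pem_block("RSA PRIVATE KEY", b"k" * 64)
                + "subject=/CN=wlc.example.test\n" + pem_block("CERTIFICATE", b"d" * 64)
                + pem_block("CERTIFICATE", b"i" * 64))
# Constructed sample with a passphrase-protected key in the traditional format.
SAMPLE_ENCRYPTED = (pem_block("CERTIFICATE", b"d" * 64)
                    + pem_block("RSA PRIVATE KEY", b"e" * 64,
                                "Proc-Type: 4,ENCRYPTED\nDEK-Info: AES-256-CBC,"
                                "00112233445566778899AABBCCDDEEFF\n\n"))

if __name__ == "__main__":
    for name, sample in (("nodes", SAMPLE_NODES), ("encrypted", SAMPLE_ENCRYPTED)):
        print(name, inspect_pem_bundle(sample))
```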

Re: Upload pem file to WLC

Before


Re: Upload pem file to WLC

Sure.

The DNS address of the interface has to be decided by customers, correct? Otherwise "page not found" appears.

I have a separate infrastructure, where customers accessing the WLAN cannot make DNS queries on the corporate network; the WLAN is published without a VLAN interface and is not routed. The DNS client is the edge router, the router and DNS is the ISP.

In this case, does the address have to be published on the Internet?
