WLC 2504: Web Auth certificate expires

as00001111
Level 1

Hey all!

I'm using a wlc 2504. There is a third party signed (public signed) certificate for the guest portal.

Can someone tell me how to recreate that certificate?

The current certificate is going to expire in a few days.

Thank you!


13 Replies

Hi

Take a look here:

https://supportforums.cisco.com/t5/wireless-mobility-videos/installing-a-3rd-party-ssl-certificate-for-guest-access/ba-p/3100316

-If I helped you somehow, please, rate it as useful.-

Hi,

When I want to define a challenge password during the CSR, I get: (openssl 0.9.8)

[attached screenshot: pwerror.PNG]

So I decided to do it without a challenge password.

But when I want to download my final-cert.pem into the WLC, I get that:

[attached screenshot: Unbenannt.JPG]

Can you help me?

Do I need a challenge password?

I followed the guide and used OpenSSL 1.1.0

However, I still get that error:

[attached screenshot: Unbenannt.JPG]

I get that in the debug log:

*TransferTask: Jul 24 12:50:56.055: sshpmAddWebauthCert: Extracting private key from webauth cert and using bundled pkcs12 password.

*TransferTask: Jul 24 12:50:56.066: sshpmDecodePrivateKey: private key decode failed...

*TransferTask: Jul 24 12:50:56.066: sshpmAddWebauthCert: key extraction failed.

*TransferTask: Jul 24 12:50:56.066: RESULT_STRING: Error installing certificate.

Which version of WLC code are you running?

Regarding the error message, it seems it can't decode the Private Key. Is it correctly attached to the PKCS12 file? Sometimes this needs to be enabled on the signing server.

I'm running 8.0.110.0

Yes, it is attached.

Could the 2048 bits be a problem? Do I need 1024 bits?

Could the openssl version be a problem?

How many cert levels can I use? I got 2 Intermediate CAs and 1 Root CA

You are running a VERY old version of software on your controller. It's well possible that this version doesn't even support 2048 bit certificates or has a bug with them. In any case, I'd first upgrade to the latest 8.0 or better 8.2 or 8.5 (depending on what AP models you are using, some old models were dropped in 8.5 and I think 8.2).
There is also a second bug in your version that will not allow APs manufactured 2007 and older to connect anymore, because of another certificate issue.

Also check this:
https://community.cisco.com/t5/wireless-security-and-network/cannot-install-webauth-cert-on-5508-wlc/td-p/2924301
Do you have the Root and Intermediate certificates already installed? I think you first need to install those and then the final certificate.


Do you have the Root and Intermediate certificates already installed? I think you first need to install those and then the final certificate.

No, I don't.

How can I install them?

I thought this is done by placing them into the chained certificate

Accepted Solution

Good question :)
Here another manual on how to chain them correctly:
https://knowledge.digicert.com/solution/SO25994.html
And here another way on how to chain:
http://www.my80211.com/cisco-wlc-cli-commands/2011/1/16/wlcgenerate-third-party-web-authentication-certificate-for-a.html

So I actually think you have to correctly chain them. Also it seems 2048 bit should be supported.

Or do you think I just have to upload the single server cert?

(unchained)

No, all manuals state the cert needs to be chained, correctly chained. You might need to check this in an editor (notepad++) and check if really the right certificate comes first in the file.

okay.

I have already taken a look at both of these manuals.

Manual 1 describes to use a challenge password; manual 2 doesn't.

That's one point of confusion.

Point 2:

Since I got two intermediate CAs, my chain looks like that:

-----BEGIN CERTIFICATE-----
'Server certificate'
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
'Intermediate CA certificate'
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
'Intermediate CA certificate'
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
'Root CA certificate'
-----END CERTIFICATE-----

Edit: It worked, don't know what I did different now. But it works :-D

The cert created with openssl 0.9.8 and without a challenge password.

Thanks for your help!
