01-02-2014 01:08 PM
Hello guys,
Please, what are the requirements for custom SSL certificates on the WAP4410N? I have created an SSL certificate (in PEM format) using my own CA with the EJBCA solution, but after pressing the "Install certificate" button in the "SSL Certificate Management" section (and confirming the following Java dialog box), the HTTP connection is just closed by the WAP4410N with a FIN/ACK packet, without any certificate installation or reboot of the device.
If I use my older SSL certificate (again in PEM format), created by the openssl package with simple parameters (without Subject Alternative Name, with the simplest Signature Algorithm and a lot of other differences), the certificate is installed successfully. I have not found any "requirements" for those SSL certificates.
So the question is: which specific parameters are checked for compliance, causing the certificate installation to fail?
The reason for changing the SSL certificate is to move to the new corporate CA managed by EJBCA.
Thanks for any help.
01-02-2014 02:46 PM
Do you have the root CA certificate installed on the WAP also? (ejbca)
I would turn on syslog, see what messages are coming out. I know some of our older devices are limited to key length, and some providers are giving no less than 2k bit certs. If you can, try a shorter key length 1024 or 1536 possibly.
If you are under warranty, you can create a case, upload the logs, and we can check out what is going on, and if there is an easy solution.
Here's some more info on RADIUS auth, and there's a cert install:
https://supportforums.cisco.com/thread/2063984
Dan
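Added example, not part of any post in this thread: a POSIX shell sketch that lists which of the fields mentioned above (key length, signature algorithm, presence of a Subject Alternative Name) differ between a certificate the device accepts and one it rejects. It assumes the `openssl` CLI (1.1.1 or later for `-addext`); the file names, the subject name and both throwaway certificates are constructed for the demo and say nothing about what the WAP4410N actually checks.

```shell
#!/bin/sh
# Added example. File names and the subject name are constructed for the demo.

# cert_profile FILE -> "bits=<n> sig=<algorithm> san=<yes|no>"
cert_profile() {
    text=$(openssl x509 -in "$1" -noout -text) || return 1
    bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
    sig=$(printf '%s\n' "$text" | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1)
    san=no
    if printf '%s\n' "$text" | grep -q 'X509v3 Subject Alternative Name'; then san=yes; fi
    printf 'bits=%s sig=%s san=%s\n' "$bits" "$sig" "$san"
}

# cert_diff ACCEPTED REJECTED -> one line per field whose value differs
cert_diff() {
    a=$(cert_profile "$1") || return 1
    b=$(cert_profile "$2") || return 1
    for field in bits sig san; do
        va=$(printf '%s\n' "$a" | tr ' ' '\n' | sed -n "s/^$field=//p")
        vb=$(printf '%s\n' "$b" | tr ' ' '\n' | sed -n "s/^$field=//p")
        [ "$va" = "$vb" ] || printf '%s: %s -> %s\n' "$field" "$va" "$vb"
    done
}

# Constructed sample input: two throwaway self-signed certificates.
DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT
openssl req -x509 -newkey rsa:1024 -nodes -sha256 -days 1 \
    -subj '/CN=wap.example.test' \
    -keyout "$DEMO_DIR/old.key" -out "$DEMO_DIR/old.pem" 2>/dev/null
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -subj '/CN=wap.example.test' -addext 'subjectAltName=DNS:wap.example.test' \
    -keyout "$DEMO_DIR/new.key" -out "$DEMO_DIR/new.pem" 2>/dev/null

cert_diff "$DEMO_DIR/old.pem" "$DEMO_DIR/new.pem"
```

Pointing `cert_diff` at the real accepted and rejected PEM files gives a short list of candidate fields to change one at a time when re-issuing a test certificate.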
01-02-2014 03:14 PM
Hello Dan
maybe it looks like a small misunderstanding. There is no problem with wireless enterprise authentication (yes, we use it, but it works fine without problems). I have a problem with installing the HTTP SSL certificate into the WAP4410N (section: Administration -> SSL Certificate Management).
> do you have the root CA certificate installed on the WAP also? (ejbca)
This was never needed, even when we used the old openssl certificates. The certificate in PEM format (cert+key) was always enough.
> I would turn on syslog, see what messages are coming out.
There is not even one related syslog message, even though I checked all possible message log types. The web browser just sends an HTTP POST with the new certificate as content, and the opposite side (AP) just sends back a FIN/ACK response and the connection is closed without any action.
> If you are under warranty, you can create a case, upload the logs, and we can check out what is going on, and if there is an easy solution.
We are using nine WAP4410N APs; some of them are hopefully still in warranty. How can I create a case? There is no specific contract needed in order to open a case?
Thank you
Michal
01-30-2015 11:49 AM
Hello Michal,
Did you ever find a solution to this problem?
I'm using StartSSL to generate my certificates, and my WAP371 has no problems accepting them.
My WAP4410N, however, just closes the connection without returning any data.
I just upgraded to 2.0.7.4-K9 firmware, but the issue still persists.
EDIT:
I just tried to export and then import the exported certificate, and that works.
I don't quite understand why this feature is needed, as I suspect that this default certificate is included in the firmware...?
Thank you!
--
Harald
01-30-2015 12:13 PM
Hello Harald,
yes, the issue is solved for me after I reported this to Cisco support and they fixed it - but unfortunately in a version that was never released publicly - 2.0.7.6T1.