3rd Party Certificate for WebAuth - Cisco WLC 5520

Beacon Bits (Level 1)

Hi Cisco Geniuses,

After spending hours installing a 3rd party certificate for WebAuth on a Cisco WLC 5520, I thought why not ask the community.

I have looked for online help through very well-known wireless blogs and random information on google but nothing can justify my problem.

Problem:

I'm installing a 3rd party certificate and it is giving me errors, which I have pasted below:

*TransferTask: Mar 06 14:30:38.003: Memory overcommit policy restored from 1 to 0

*TransferTask: Mar 06 14:49:07.619: Memory overcommit policy changed from 0 to 1

*TransferTask: Mar 06 14:49:07.619: RESULT_STRING: TFTP Webauth cert transfer starting.

*TransferTask: Mar 06 14:49:07.619: RESULT_CODE:1

*TransferTask: Mar 06 14:49:11.622: TFTP: Binding to remote=10.100.3.3

*TransferTask: Mar 06 14:49:11.650: TFP End: 5736 bytes transferred (0 retransmitted packets)

*TransferTask: Mar 06 14:49:11.650: tftp rc=0, pHost=10.14.253.3 pFilename=/final.pem
pLocalFilename=cert.p12

*TransferTask: Mar 06 14:49:11.651: RESULT_STRING: TFTP receive complete... Installing Certificate.

*TransferTask: Mar 06 14:49:11.651: RESULT_CODE:13

*TransferTask: Mar 06 14:49:15.658: Adding cert (5688 bytes) with certificate key password.

*TransferTask: Mar 06 14:49:15.659: RESULT_STRING: Error installing certificate.


*TransferTask: Mar 06 14:49:15.659: RESULT_CODE:12

Can anyone help me identify what RESULT_CODE:13 means?

I have followed the process from the Cisco documentation: http://www.cisco.com/c/en/us/support/docs/wireless/4400-series-wireless-lan-controllers/109597-csr-chained-certificates-wlc-00.html

- Not sure if there's any known issue that I'm not aware of

- or I'm missing anything

- Before you refer to any blog, let me tell you that I have tried everything but nothing is working.

So at this moment, I need an EXPERT advice @Scott Fella, @Raskin.

Regards,

S

13 Replies

Scott Fella (Hall of Fame)

What version of OpenSSL did you use? I know that v1.x had issues, but that was supported in v8.x; however, I have always used 0.9.8 and it worked. Try that first if not already.

-Scott 

*** Please rate helpful posts *** 


Thanks Scott for your reply.

As I said, I have followed and troubleshot all the possible scenarios.

Yes - I've used 0.9.8 version of OpenSSL.

The first time it didn't work, and then I created a new SSL certificate again from the website, just to make sure that there was no password error in the 3rd party certificate.

At this moment, I'm looking for any other hint or anything that is not mentioned anywhere.

Regards,

S

This might not be overly helpful but last time I had major issues installing a third party cert I had to grab the public key of one of their intermediate CAs (one that matched with your cert chain) and slip that into the .pem file I was trying to upload.

Cheers,

Ric

-----------------------------
Please rate helpful / correct posts

Hi guys

Thanks for your replies really appreciate.

Clearly, there's something not right, as the debug clearly says that it copied the final.pem file correctly but the error is in installing the certificate.

I have checked with the SSL certificate provider (RapidSSL) as to what sort of level they provide, and they confirmed it's Level 3.

Unfortunately, even online there isn't much help regarding the error code it generates.

If anyone from Cisco could answer, it would be much appreciated, or if anyone could refer me to the list of debug codes.

"Every little helps"

Regards,

So just to clarify, have you tried swapping out the intermediate CA component for one that matches the public key of the signing vendor from their website? This is definitely what worked for me when encountering this issue after ensuring the right OpenSSL version, as you already have.

-----------------------------
Please rate helpful / correct posts

Ric could you explain this in detail. I will try your way this time.

Yes, I'm using the correct version of OpenSSL that works (i.e., 0.9.8h).

So my disclaimer here is I'm not amazing with certificates so if this works, please have your security peeps verify it isn't messing anything up. 

Brett had a similar issue about a year ago and again it rang similar to the one I had.

https://supportforums.cisco.com/discussion/12949251/cannot-install-webauth-cert-5508-wlc

We both took the certificate given to us by the vendor and generated the usual PEM files etc. with it to get the keys in a format something like:

-----BEGIN CERTIFICATE-----
*Device cert*
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
*Intermediate CA cert*
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
*Root CA cert*
-----END CERTIFICATE-----

Now if I recall correctly, I replaced the Intermediate component with a public intermediate CA certificate available on the vendor's website who provided me with the original signed cert. This worked for me.

For Brett, it sounds like he needed to put a couple of Intermediates in there because it was chained further but still it worked out for him in the end.

So my suggestion here is you play around with that section but make sure that whichever intermediate you are getting from the vendor (publicly downloadable), it hopefully corresponds to the correct chain you are using.

Sorry if that isn't very comprehensive! 

Ric

-----------------------------
Please rate helpful / correct posts

Hi Ric,

Again thanks for your detailed answer.

I'm confused between two things: how many certificates does an SSL certificate provider issue when you buy from them?

On blogs like http://www.rogerperkin.co.uk/wireless/how-to-install-ssl-certificate-on-cisco-wlc-for-guest-access/

and

http://www.my80211.com/home/2011/1/16/wlcgenerate-third-party-web-authentication-certificate-for-a.html

...say there should be three certificates: Device certificate, Intermediate certificate, and Root CA.

In my case, I received only one certificate and I copied the Root CA from the rapidSSL.com's website.

I also read that each certificate provider provides a different number of certificates as mentioned on RogerPerkin's blog (above link), some provide one, some two and some three and even some four (including Root CA).

Having read all above blogs; I have two certificates (purchased certificate and Root CA) - hopefully, I'm not creating confusion.

In doing so I put them together as below and followed the rest of the procedure.

-----BEGIN CERTIFICATE-----
*Purchased certificate*
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
*Root CA cert*
-----END CERTIFICATE-----

So I don't have a separate Device Certificate and Intermediate Certificate... all I have is an all-in-one (sounds like it).

Could you please let me know if I'm doing right or if I'm missing something?

Please shed some light (anyone)?

Regards,

S

Again, I'm guessing here but an example would be something like GeoTrust where they've given you your cert which is the private key and also the Root public component. You can then insert an intermediate in there which is part of the chain. They are downloadable here:

https://knowledge.geotrust.com/support/knowledge-base/index?page=content&id=SO26895

Maybe ask your certificate vendor to provide the intermediate CA for you? It won't cost extra; it's just a publicly available key.

Cheers,

Ric

-----------------------------
Please rate helpful / correct posts

Hi, Ric - Thanks, man. 

I have tried your way as well...but NOTHING worked.

Now, if anyone from @Cisco could explain the confusion around the 3rd certificate, that would be great.

Cisco please let us understand

1 - Which format is the Cisco WLC 5520 expecting?

2 - Update the online documents with valid and correct information?

3 - Could Cisco spend some time once for all?

Thanks, all of you who have contributed to the thread.

Regards,

S

No probs and good luck with it. Let us know if you do get a resolution.

FYI Cisco aren't crazily active on here, you need to log a TAC case to get full support from them.

Cheers,

Ric

-----------------------------
Please rate helpful / correct posts

RapidSSL also has an intermediate CA:

1. Download the RapidSSL Root CA certificate from this link.
2. Save the file as root.txt
3. Download the Intermediate CA certificate from this link.
4. Save the file as intermediate_ca.txt

Then proceed as above and per the already referenced links to combine the certificates into a single file before converting with OpenSSL.

Order: device, intermediate, root

I'm just trying to go over some of the things I have seen others do by mistake. Like Ric mentioned, the other thing I also do is extract the root CA and all the intermediate CA(s) and make sure they are in the correct order when creating your PEM. There are also various ways to request a cert that might also cause issues that are not in the instructions.

-Scott 

*** Please rate helpful posts *** 
