cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2018
Views
0
Helpful
13
Replies

3rd Party Certificate for WebAuth - Cisco WLC 5520

Beacon Bits
Beginner
Beginner

Hi Cisco Geniuses,

After spending hours on installing 3rd Party Certificate for WebAuth on Cisco WLC 5520; I thought why not ask the community.

I have looked for online help through very well-known wireless blogs and random information on google but nothing can justify my problem.

Problem:

I'm installing 3rd party certificate and it giving me errors, I have pasted below:

*TransferTask: Mar 06 14:30:38.003: Memory overcommit policy restored from 1 to 0

*TransferTask: Mar 06 14:49:07.619: Memory overcommit policy changed from 0 to 1

*TransferTask: Mar 06 14:49:07.619: RESULT_STRING: TFTP Webauth cert transfer starting.

*TransferTask: Mar 06 14:49:07.619: RESULT_CODE:1

*TransferTask: Mar 06 14:49:11.622: TFTP: Binding to remote=10.100.3.3

*TransferTask: Mar 06 14:49:11.650: TFP End: 5736 bytes transferred (0 retransmitted packets)

*TransferTask: Mar 06 14:49:11.650: tftp rc=0, pHost=10.14.253.3 pFilename=/final.pem
pLocalFilename=cert.p12

*TransferTask: Mar 06 14:49:11.651: RESULT_STRING: TFTP receive complete... Installing Certificate.

*TransferTask: Mar 06 14:49:11.651: RESULT_CODE:13

*TransferTask: Mar 06 14:49:15.658: Adding cert (5688 bytes) with certificate key password.

*TransferTask: Mar 06 14:49:15.659: RESULT_STRING: Error installing certificate.


*TransferTask: Mar 06 14:49:15.659: RESULT_CODE:12

Can anyone help me to identify what does RESULT_CODE:13 means?

I have followed the process from cisco documentation: <href link= "http://www.cisco.com/c/en/us/support/docs/wireless/4400-series-wireless-lan-controllers/109597-csr-chained-certificates-wlc-00.html">Cisco Link </href>

- Not sure if there's any known issue that I'm not aware of

- or I'm missing anything

- Before you refer to any blog, let me tell you that I have tried everything but nothing is working.

So at this moment, I need an EXPERT advice @Scott Fella, @Raskin.

Regards,

S

13 Replies 13

Scott Fella
Hall of Fame Guru Hall of Fame Guru
Hall of Fame Guru

What version of OpenSSL did you use. I know that v1.x had issues but that was supported in v8.x, however, I have always used 0.9.8 and worked.  Try that first if not already. 

-Scott 

*** Please rate helpful posts *** 

-Scott
*** Please rate helpful posts ***

Thanks Scott for your reply.

AS I said, I have followed and troubleshoot all the possible scenarios.

Yes - I've used 0.9.8 version of OpenSSL.

The first time it didn't work and then I created again new SSL certificate from the website.. just to make sure that no password error in the 3rd party certificate.

At this moment, I'm looking any other hint or anything that is not mentioned anywhere.

Regards,

S

This might not be overly helpful but last time I had major issues installing a third party cert I had to grab the public key of one of their intermediate CAs (one that matched with your cert chain) and slip that into the .pem file I was trying to upload.

Cheers,

Ric

-----------------------------
Please rate helpful / correct posts

Hi guys

Thanks for your replies really appreciate.

Clearly, there's something not right. ..As Debug clearly says that it copied the final.pem file correctly but errors is in installing the certificate.

I have checked with the SSL certificate provider (rapidSSL) that what sort of level they provide.. and they confirmed its Level 3.

Unfortunately, even online does have any much help regarding the code it generates the error.

If anyone from cisco could answer would be much appreciated. or anyone refers to the list of debug codes.

"Every little helps"

Regards,

So just to clarfiy, have you tried swapping out the intermediate CA component for one that matches the public key of the signing vendor from their website? This is definitely what worked for me when encountering this issue after ensuring the right OpenSSL version as you already have.

-----------------------------
Please rate helpful / correct posts

Ric could you explain this in detail. I will try your way this time.

Yes, I'm using the correct version of OpenSSL that works (i.e; 0.9.8h).

So my disclaimer here is I'm not amazing with certificates so if this works, please have your security peeps verify it isn't messing anything up. 

Brett had a similar issue about a year ago and again it rang similar to the one I had.

https://supportforums.cisco.com/discussion/12949251/cannot-install-webauth-cert-5508-wlc

We both took the certificate given to us by the vendor and generated the usual pem files etc with it to get the keys in the format something like:

------BEGIN CERTIFICATE------

*Device cert*

------END CERTIFICATE------

------BEGIN CERTIFICATE------

*Intermediate CA cert *

------END CERTIFICATE--------

------BEGIN CERTIFICATE------

*Root CA cert *

------END CERTIFICATE------

Now if I recall correctly, I replaced the Intermediate component with a public intermediate CA certificate available on the vendor's website who provided me with the original signed cert. This worked for me.

For Brett, it sounds like he needed to put a couple of Intermediates in there because it was chained further but still it worked out for him in the end.

So my suggestion here is you play around with that section but make sure that whichever intermediate you are getting from the vendor (publicly downloadable), it hopefully corresponds to the correct chain you are using.

Sorry if that isn't very comprehensive! 

Ric

-----------------------------
Please rate helpful / correct posts

Hi Ric,

Again thanks for your detailed answer.

I'm confused b/w two things that how many certificates does SSL certificate provider issues when you buy from them?

On blogs like http://www.rogerperkin.co.uk/wireless/how-to-install-ssl-certificate-on-cisco-wlc-for-guest-access/

and

http://www.my80211.com/home/2011/1/16/wlcgenerate-third-party-web-authentication-certificate-for-a.html

..says there should be three certificates; Device certificate, Intermediate certificate, and Root CA.

In my case, I received only one certificate and I copied the Root CA from the rapidSSL.com's website.

I also read that each certificate provider provides a different number of certificates as mentioned on RogerPerkin's blog (above link), some provide one, some two and some three and even some four (including Root CA).

Having read all above blogs; I have two certificates (purchased certificate and Root CA) - hopefully, I'm not creating confusion.

In doing so I put them together as below and followed the rest of the procedure.

------BEGIN CERTIFICATE------

*Purchased certificate cert*

------END CERTIFICATE------

------BEGIN CERTIFICATE------

*Root CA cert *

------END CERTIFICATE------

So I don't have a separate Device Certificate and Intermediate Certificate... all I have is one-in-all (sounds like it).

Could you please let me know if I'm doing right or if I'm missing something?

Please shed some light (anyone)?

Regards,

S

Again, I'm guessing here but an example would be something like GeoTrust where they've given you your cert which is the private key and also the Root public component. You can then insert an intermediate in there which is part of the chain. They are downloadable here:

https://knowledge.geotrust.com/support/knowledge-base/index?page=content&id=SO26895

Maybe ask your certificate vendor to provide the intermediate ca for you? It won't cost extra it's just a public available key. 

Cheers,

Ric

-----------------------------
Please rate helpful / correct posts

Hi, Ric - Thanks, man. 

I have tried your way as well...but NOTHING worked.

Now anyone from @Cisco if could explain the confusion around the 3rd certification .. that would be great.

Cisco please let us understand

1- Which format does Cisco WLC 5520 is expecting?

2 - Update the online documents with valid and correct information?

3 - Could Cisco spend some time once for all?

Thanks, all of you who have contributed to the thread.

Regards,

S

No probs and good luck with it. Let us know if you do get a resolution.

FYI Cisco aren't crazily active on here, you need to log a TAC case to get full support from them.

Cheers,

Ric

-----------------------------
Please rate helpful / correct posts

rapidssl also has an intermediate CA

   1.    Download the RapidSSL Root CA certificate from this link.
    2.    Save the file as root.txt
    3.    Download the Intermediate CA certificate from this link.
    4.    Save the file as intermediate_ca.txt

then proceed as above and the allready referred links to combine the certificates to a single file before converting with openssl

order: device, intermediate,root

I'm just trying to go over some of the things I have seen other do by mistake. Like Ric mentioned, the other thing I also do is extract the root ca and all the intermediate(s) ca(s) and make sure they are in the correct order when creating your pem. There are also various ways to request a cert that might also cause issues that are not on the instructions.

-Scott 

*** Please rate helpful posts *** 

-Scott
*** Please rate helpful posts ***
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers