Hi Cisco Geniuses,
After spending hours on installing 3rd Party Certificate for WebAuth on Cisco WLC 5520; I thought why not ask the community.
I have looked for online help through very well-known wireless blogs and random information on google but nothing can justify my problem.
I'm installing a 3rd party certificate and it is giving me errors, which I have pasted below:
*TransferTask: Mar 06 14:30:38.003: Memory overcommit policy restored from 1 to 0
*TransferTask: Mar 06 14:49:07.619: Memory overcommit policy changed from 0 to 1
*TransferTask: Mar 06 14:49:07.619: RESULT_STRING: TFTP Webauth cert transfer starting.
*TransferTask: Mar 06 14:49:07.619: RESULT_CODE:1
*TransferTask: Mar 06 14:49:11.622: TFTP: Binding to remote=10.100.3.3
*TransferTask: Mar 06 14:49:11.650: TFP End: 5736 bytes transferred (0 retransmitted packets)
*TransferTask: Mar 06 14:49:11.650: tftp rc=0, pHost=10.14.253.3 pFilename=/final.pem
*TransferTask: Mar 06 14:49:11.651: RESULT_STRING: TFTP receive complete... Installing Certificate.
*TransferTask: Mar 06 14:49:11.651: RESULT_CODE:13
*TransferTask: Mar 06 14:49:15.658: Adding cert (5688 bytes) with certificate key password.
*TransferTask: Mar 06 14:49:15.659: RESULT_STRING: Error installing certificate.
*TransferTask: Mar 06 14:49:15.659: RESULT_CODE:12
Can anyone help me identify what RESULT_CODE:13 means?
I have followed the process from the Cisco documentation: http://www.cisco.com/c/en/us/support/docs/wireless/4400-series-wireless-lan-controllers/109597-csr-chained-certificates-wlc-00.html
- Not sure if there's any known issue that I'm not aware of
- or I'm missing anything
- Before you refer to any blog, let me tell you that I have tried everything but nothing is working.
So at this moment, I need an EXPERT advice @Scott Fella, @Raskin.
Thanks Scott for your reply.
As I said, I have followed and troubleshot all the possible scenarios.
Yes - I've used 0.9.8 version of OpenSSL.
The first time it didn't work and then I created again new SSL certificate from the website.. just to make sure that no password error in the 3rd party certificate.
At this moment, I'm looking for any other hint or anything that is not mentioned anywhere.
This might not be overly helpful but last time I had major issues installing a third party cert I had to grab the public key of one of their intermediate CAs (one that matched with your cert chain) and slip that into the .pem file I was trying to upload.
Thanks for your replies, really appreciated.
Clearly, there's something not right. ..As Debug clearly says that it copied the final.
I have checked with the SSL certificate provider (rapidSSL) that what sort of level they provide.. and they confirmed its Level 3.
Unfortunately, even online there isn't much help regarding the code the error generates.
If anyone from Cisco could answer, it would be much appreciated, or if anyone could refer me to the list of debug codes.
"Every little helps"
So just to clarify, have you tried swapping out the intermediate CA component for one that matches the public key of the signing vendor from their website? This is definitely what worked for me when encountering this issue after ensuring the right OpenSSL version as you already have.
So my disclaimer here is I'm not amazing with certificates so if this works, please have your security peeps verify it isn't messing anything up.
Brett had a similar issue about a year ago and again it rang similar to the one I had.
We both took the certificate given to us by the vendor and generated the usual pem files etc with it to get the keys in the format something like:
*Intermediate CA cert *
*Root CA cert *
Now if I recall correctly, I replaced the Intermediate component with a public intermediate CA certificate available on the vendor's website who provided me with the original signed cert. This worked for me.
For Brett, it sounds like he needed to put a couple of Intermediates in there because it was chained further but still it worked out for him in the end.
So my suggestion here is you play around with that section but make sure that whichever intermediate you are getting from the vendor (publicly downloadable), it hopefully corresponds to the correct chain you are using.
Sorry if that isn't very comprehensive!
Again thanks for your detailed answer.
I'm confused between two things: how many certificates does an SSL certificate provider issue when you buy from them?
..says there should be three certificates; Device certificate, Intermediate certificate, and Root CA.
In my case, I received only one certificate and I copied the Root CA from the rapidSSL.com's website.
I also read that each certificate provider provides a different number of certificates as mentioned on RogerPerkin's blog (above link), some provide one, some two and some three and even some four (including Root CA).
Having read all above blogs; I have two certificates (purchased certificate and Root CA) - hopefully, I'm not creating confusion.
In doing so I put them together as below and followed the rest of the procedure.
*Purchased certificate cert*
*Root CA cert *
So I don't have a separate Device Certificate and Intermediate Certificate... all I have is one-in-all (sounds like it).
Could you please let me know if I'm doing right or if I'm missing something?
Please shed some light (anyone)?
Again, I'm guessing here but an example would be something like GeoTrust where they've given you your cert which is the private key and also the Root public component. You can then insert an intermediate in there which is part of the chain. They are downloadable here:
Maybe ask your certificate vendor to provide the intermediate CA for you? It won't cost extra, it's just a publicly available key.
Hi, Ric - Thanks, man.
I have tried your way as well...but NOTHING worked.
Now if anyone from @Cisco could explain the confusion around the 3rd certification .. that would be great.
Cisco please let us understand
1- Which format is Cisco WLC 5520 expecting?
2 - Update the online documents with valid and correct information?
3 - Could Cisco spend some time once for all?
Thanks, all of you who have contributed to the thread.
rapidssl also has an intermediate CA
1. Download the RapidSSL Root CA certificate from this link.
2. Save the file as root.txt
3. Download the Intermediate CA certificate from this link.
4. Save the file as intermediate_ca.txt
Then proceed as above and as in the already referred links to combine the certificates into a single file before converting with openssl.
Order: device, intermediate, root
I'm just trying to go over some of the things I have seen others do by mistake. Like Ric mentioned, the other thing I also do is extract the root CA and all the intermediate CA(s) and make sure they are in the correct order when creating your pem. There are also various ways to request a cert that might also cause issues that are not in the instructions.
*** Please rate helpful posts ***
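The replies above agree that the combined file must run device, intermediate(s), root, with each certificate issued by the one that follows it. The script below is an added example, not code from any poster or from Cisco's documentation, that checks this ordering with openssl before the file is converted and uploaded; the demo chain, its names and all file names are constructed for illustration.

```sh
# Added example: check that a combined PEM is ordered device -> intermediate(s) -> root.
# Compares issuer/subject name hashes only; it does not verify signatures.
check_chain_order() (
    bundle=$1
    tmp=$(mktemp -d) || exit 2
    trap 'rm -rf "$tmp"' EXIT
    n=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$bundle" || true)
    [ "$n" -ge 2 ] || { echo "need at least device + root, found $n cert(s)" >&2; exit 1; }
    # Split the bundle into cert1.pem, cert2.pem, ... in file order.
    awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/{n++} n{print > (d "/cert" n ".pem")}' "$bundle"
    i=1
    while [ "$i" -le "$n" ]; do
        issuer=$(openssl x509 -noout -issuer_hash -in "$tmp/cert$i.pem") || exit 2
        # Each issuer must be the subject of the next cert; the last must be self-signed.
        if [ "$i" -lt "$n" ]; then j=$((i + 1)); else j=$i; fi
        subject=$(openssl x509 -noout -subject_hash -in "$tmp/cert$j.pem") || exit 2
        if [ "$issuer" != "$subject" ]; then
            echo "cert $i: issuer does not match the certificate that follows it:" >&2
            openssl x509 -noout -issuer -in "$tmp/cert$i.pem" >&2
            exit 1
        fi
        i=$((i + 1))
    done
    exit 0
)

# Build a constructed three-level chain (throwaway keys, demo names) in directory $1.
make_demo_chain() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Root CA" \
        -keyout "$1/root.key" -out "$1/root.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate CA" \
        -keyout "$1/int.key" -out "$1/int.csr" 2>/dev/null
    openssl x509 -req -in "$1/int.csr" -CA "$1/root.pem" -CAkey "$1/root.key" \
        -set_serial 2 -days 1 -out "$1/int.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=wlc.example.test" \
        -keyout "$1/dev.key" -out "$1/dev.csr" 2>/dev/null
    openssl x509 -req -in "$1/dev.csr" -CA "$1/int.pem" -CAkey "$1/int.key" \
        -set_serial 3 -days 1 -out "$1/dev.pem" 2>/dev/null
}

# Demo: a complete bundle, and one with only the purchased cert plus the root.
demo=$(mktemp -d); make_demo_chain "$demo"
cat "$demo/dev.pem" "$demo/int.pem" "$demo/root.pem" > "$demo/good.pem"
cat "$demo/dev.pem" "$demo/root.pem" > "$demo/missing_int.pem"
check_chain_order "$demo/good.pem" && echo "good.pem: order OK"
check_chain_order "$demo/missing_int.pem" || echo "missing_int.pem: chain broken"
```

The issuer line printed for a failing bundle names the CA certificate that still has to be obtained from the vendor and placed after that entry.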