3rd party SSL cert and two WLC's

ALIAOF_ (Level 6)

I have two 5508s in two data centers. One of them already has a 3rd party SSL cert and it is working. Can I install the same cert on the second WLC, or do I need to assign a different Virtual IP and a different domain name for web authentication on that WLC to work?


7 Replies

Brett Verney (Level 1)

Hi Mohammad,

If the WLC's Virtual Interface IP address and hostname are the same, you can use the same certificate.

Brett

Thank you Brett. So this WLC has a different host name, as I am doing FlexConnect on this one and it sits in our secondary data center. However, the VIP is the same. I'm assuming then that in order for this to work I will need to change the VIP to another IP like 2.2.2.2 and then have a secondary domain like webauth2.mydomain.com for the cert?

As Brett mentioned, you can use the same webauth certificate on as many controllers as you want. The only requirement is that you have entered the FQDN on the VIP interface and that the VIP and the FQDN are set up in DNS for resolution. No need to have two different certificates unless that is your policy.

-Scott
*** Please rate helpful posts ***

Thank you Brett and Scott. I'd love to be able to do that, but here is what's confusing me a bit.

Controller 1 is in our primary data center with a host name of = WLC1-PDC

Controller 2 is in our backup data center with a host name of = WLC2-BDC

VIP on both is 1.1.1.1

SSL cert on WLC1-PDC is pointing to that VIP; however, the host names of both WLCs are different. So even though the host names of the two WLCs are different (under Controller and then General), I should still be able to load the same cert on the second one since the VIPs are the same?

Thank you.

The hostname doesn't matter... what matters is the FQDN for the certificate.

-Scott
*** Please rate helpful posts ***

That's correct. The FQDN on the Virtual Interface has no relevance to the hostnames you have specified on the management interface on the WLC. One is for management; one for things like DHCP and SecureWeb Auth.

Each WLC will present its SSL cert from the Virtual Interface down to clients independently of the other WLC, and the Virtual Interface IP address is not routable anywhere on the network, so there will be no conflict. Clients just have to trust the identity of the VIP. Also, the FQDN on the VIP has to match what is in the cert.

Brett
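The two requirements Scott and Brett describe above (the Virtual Interface FQDN must match a name in the certificate, and DNS must resolve that FQDN to the Virtual IP configured on each controller, while the controller hostname plays no part) can be checked offline before a cert is loaded on a second WLC. The script below is an added example, not code from this thread or from Cisco; the certificate names, DNS records and controller settings in it are constructed sample data, and the wildcard entry is there only to exercise RFC 6125-style matching.

```python
"""Offline consistency check for sharing one web-auth certificate across
several WLCs. Added example (not from the thread or from Cisco). Models the
two requirements discussed above: each controller's Virtual Interface FQDN
must match a name in the certificate, and DNS must resolve that FQDN to the
Virtual IP configured on that controller. The controller hostname is read
only for reporting; it is deliberately not part of the check."""

import ipaddress

# Constructed: names carried by the one third-party web-auth certificate
# (Subject CN plus Subject Alternative Names). The wildcard entry exists only
# to exercise wildcard matching; a real web-auth cert may not carry one.
CERT_NAMES = ["webauth.mydomain.com", "*.corp.mydomain.com"]

# Constructed DNS zone: FQDN -> IPv4 address.
DNS = {
    "webauth.mydomain.com": "1.1.1.1",
    "webauth2.mydomain.com": "2.2.2.2",
}

# Constructed controller configs: hostname (Controller > General) plus the
# VIP address and FQDN from the Virtual Interface. Hostnames differ on the
# first two controllers, exactly as in the thread; the VIP settings match.
WLCS = [
    {"hostname": "WLC1-PDC", "vip": "1.1.1.1", "vip_fqdn": "webauth.mydomain.com"},
    {"hostname": "WLC2-BDC", "vip": "1.1.1.1", "vip_fqdn": "webauth.mydomain.com"},
    {"hostname": "WLC3-LAB", "vip": "2.2.2.2", "vip_fqdn": "webauth2.mydomain.com"},
]


def name_matches(cert_name: str, fqdn: str) -> bool:
    """RFC 6125-style match: exact (case-insensitive), or a single leading
    wildcard label that stands for exactly one label. No partial-label
    wildcards and no matching across multiple labels."""
    cert_name = cert_name.lower().rstrip(".")
    fqdn = fqdn.lower().rstrip(".")
    if cert_name == fqdn:
        return True
    if not cert_name.startswith("*."):
        return False
    cert_labels, host_labels = cert_name.split("."), fqdn.split(".")
    if len(cert_labels) != len(host_labels):
        return False
    return cert_labels[1:] == host_labels[1:]


def check_wlc(wlc: dict, cert_names: list, dns: dict) -> list:
    """Return findings for one controller; an empty list means the shared
    certificate will present correctly from this controller's VIP."""
    findings = []
    fqdn = wlc["vip_fqdn"]
    if not any(name_matches(n, fqdn) for n in cert_names):
        findings.append(f"{wlc['hostname']}: VIP FQDN {fqdn} is not in the certificate")
    resolved = dns.get(fqdn)
    if resolved is None:
        findings.append(f"{wlc['hostname']}: {fqdn} has no DNS record")
    elif ipaddress.ip_address(resolved) != ipaddress.ip_address(wlc["vip"]):
        findings.append(
            f"{wlc['hostname']}: {fqdn} resolves to {resolved}, "
            f"but the Virtual Interface IP is {wlc['vip']}"
        )
    return findings


def check_all(wlcs: list, cert_names: list, dns: dict) -> dict:
    """Map each controller hostname to its list of findings."""
    return {w["hostname"]: check_wlc(w, cert_names, dns) for w in wlcs}


if __name__ == "__main__":
    for host, findings in check_all(WLCS, CERT_NAMES, DNS).items():
        print(host, "OK" if not findings else "; ".join(findings))
```

With the sample data, WLC1-PDC and WLC2-BDC pass despite their different hostnames, because both present the same VIP FQDN that the certificate covers and that DNS resolves to their VIP. WLC3-LAB is flagged because its VIP FQDN is not a name in the certificate, which is the situation the original poster was proposing (a second VIP and webauth2 name) and which would indeed require a second certificate.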

Hi Mohammad,

If there is no requirement for the 2 x WLCs to be mobility peers, that is for inter-controller roaming or anchoring clients to a WLC within the DMZ as an example, then the Virtual Interface IP and hostname can certainly be different. But save yourself the cost of buying an additional cert and use the same IP address and hostname on the interface.

Brett
