9800 wlc Importing third party certificate for web authentication

toy.thompson · ‎08-29-2023

I have a Cisco 9800-L WLC (17.3.7) and a signed third party certificate (PKCS#12) issued "godaddy". When I import the certificate it does not work (https not secured in browser) and I get and error message while importing the certificate. When I view the certificate it does not display the CA Certificate associated with the certificate.

What do I do to verify the certificate format/chain I'm importing is correct.

What can I do to import the certificate correctly

Mark Elsen · ‎08-29-2023

- Review this documentation : https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/213917-generate-csr-for-third-party-certificate.html

M.

-- Let everything happen to you
   Beauty and terror
      Just keep going
     No feeling is final
Reiner Maria Rilke (1899)

Rich R · ‎08-30-2023

Also note you should only use OpenSSL v1.1.1 (latest) not OpenSSL v3.x because the WLC does not support the certs produced by OpenSSL v3.x - see: https://www.wiresandwi.fi/blog/cisco-wlc-9800-certificate-installation-error-reading-file-from-bootflash which references https://community.cisco.com/t5/wireless/wlc-c9800-unable-to-import-pfx-certificate/td-p/4709278/page/2
I asked TAC to update the doc Marce shared a few months ago but they don't seem to have done it yet!

------------------------------
Please click Helpful if this post helped you and Accept as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's and TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's, Best Practices for 9800 WLC's and Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
Default AP console baud rate from 17.12.x is 115200 - introduced by CSCwe88390

toy.thompson · ‎08-30-2023

We managed to find the problem. The correct keychain was not included with the certificate. We re-chained the certificate using the actual vendor root certificate, intermediate and the actual guest certificate. First we used OpenSSL to rechain the certificate this did not work, and we could not import the certificate to the WLC, however we then used (https://www.sslshopper.com/ssl-converter.html) to rechain the certificate and the certificate worked. Also upgrade the WLC OS to 17.9.3 in the process. Cisco documentation around third party certificates for guest auth on the 9800s not very helpful, most still refer to AirOS which also does not help.

Jesperbo@gmail.com · ‎10-16-2025

I have been struggling with the same issue. Recreating the pfx file, using OpenSSL 1.x, did not help.
However, when I changed the pw on the certificate, removing "(", ")", "[", "]" and "*", it worked. Seems like the WLC wont accept some kind of characters in the certificate password.