12-14-2023 02:52 AM
Hello All,
I'm sure that most of you will be aware that Google is intent on driving through 90-day certificate lifecycles in the near future. As such, I am starting to think about certificate automation for our 9800 WLCs. Has anyone else looked at this yet, and had any success? I would be grateful if anyone could point me to some configuration guides on achieving this.
We would be looking to automate certs for webauth and HTTPS access. Our current software version is 17.3.8a.
Thanks
Dylan
12-14-2023 03:23 AM
Not that I am aware of any that is tested and available, as far as I know.
There may be some option with the API - not sure if it relates to certificate automation.
Generally we follow the guide below:
12-14-2023 04:08 AM
Thanks BB and I appreciate your response, but I don't believe that has covered my query.
The article below highlights the need to find a way to automate certificate creation and renewals, as the certificate lifecycle will only get shorter and shorter. We need to start taking action now to deal with this impending change.
I'd be interested to know if Cisco is looking at this and providing a way forward, not only for 9800 WLCs but for other appliances too (ISE, etc.). If anyone has any experience in automating certs for Cisco products, I would be interested to hear about it.
Thanks again
Dylan
12-14-2023 04:36 AM
Sure, I have provided the document for the process that is active right now.
Sure, that may be a future wish for the Cisco BU to automate; as of 17.13.X I do not see any indication, as far as I am aware, that what you are looking for exists, specifically for your query.
12-14-2023 04:50 AM - edited 12-14-2023 04:54 AM
That's a good idea, but I don't think there is any official process like that. You can auto-renew certs on the public CA side and continue using the original CSR, but you still have to manually import it to the local repository and then to the devices. One of the reasons it will be a hard nut to crack is that there is no standard process for certificate installation across platforms; even within Cisco, most products have their own method. I raised this issue with Cisco once.
12-17-2023 07:32 AM
If you're talking about something like ACME (as referred to in your Chromium link) when referring to automation, then I'm not aware of any current or future plans for Cisco to support it - although I agree it would be useful. So you could use a third-party client using ACME to handle the certificate renewal part with the issuing CA, but you still need a method to get the cert installed on the WLC.
The functionality to do that already exists today: https://developer.cisco.com/codeexchange/github/repo/jeremycohoe/cisco-ios-xe-gnmi/ See the gNOI certificate management service (cert.proto).
Or you could write your own code using restconf/YANG:
https://github.com/YangModels/yang/blob/main/vendor/cisco/xe/17121/Cisco-IOS-XE-crypto-rpc.yang
> Our current software version is 17.3.8a
Good that you're on the latest 17.3 release, bad that you're still on 17.3 - it's almost EOL - see:
https://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/ios-xe-17/ios-xe-17-3-x-eol.html
Already past bug and security fixes dates!
Keep track of the TAC recommended releases (link below) and start planning for keeping your network in sync with that as much as possible. You're certainly not going to get any new automation features staying on the oldest supported release of IOS-XE! At this point you should be planning your move to 17.9 right now and then start planning and thinking about 17.12 when that becomes the default recommended release.
12-18-2023 01:12 AM
Thanks for the response Rich, I'll take a look at the link you posted.
Software version 17.3.8a = Bad. Yep, we have been held back by some older APs that we have deployed, but they have just now been replaced. I'll be looking to upgrade the software after the holiday break.
Thanks again for your response.
Dylan
12-18-2023 02:41 AM
Which APs are you referring to?
You know that the 1570/1700/2700/3700 have been supported in 17.9 since 17.9.3, right?
And also currently supported in 17.12.x releases too.
https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/17-9/release-notes/rn-17-9-9800.html
https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/17-12/release-notes/rn-17-12-9800.html#supported-aps