Hi I need your help because I am not sure in myself.
I didn't do anything with WLC, because it is in production environment.
Can you tell me someone what will happen if I change date of WLC to past date where AP with expired certificate will valid and they will talk each other and AP will join to WLC?
What will happen to other APs that already joined to WLC while I do this change with date?
And If AP is joined with expired certs and another AP's not affected of these changes, what will happen when I set the actually date and time?
And the same question what will happen if I use this command in WLC :
(WLC)>config ap cert-expiry-ignore {mic|ssc} enable
And join AP and after that if I use this command:
(WLC)>config ap cert-expiry-ignore {mic|ssc} disable
I only think what will happen but I am not sure :
If I set WLC to ignore expired certs, then the AP will join to WLC and WLC will load in to AP new IOS with valid certs I am right?
And now I can disable ignoring expired certs?
The WLC is 5500 series.
I tried to install the newest and the oldest IOS for this AP, but it didn't help, only I receive IP address from dhcp of vlan network of WLC and I receive errors with certificates.
Is it possible to write new valid certificates in AP?
Or delete expired certificates and export from another AP valid certificates and import them in this AP ?
My question with one sentence is how can I join this AP with expired certs to WLC elegantly without break production environment ?
Notes about troubleshooting and gathering information:
Ignoring expired certs:
For Version 7.0.252.0, use this command:
(WLC)>config ap lifetime-check {mic|ssc} enable
For Versions 7.4.140.0 and later, use this command:
(WLC)>config ap cert-expiry-ignore {mic|ssc} enable
Finding SN to identify from Cisco web site information of certificates status
(Cisco Controller) >show ap inventory all
Inventory for lap1130-sw3-9
NAME: "Cisco AP" , DESCR: "Cisco Wireless Access Point"
PID: AIR-LAP1131AG-E-K9, VID: V01, SN: FCZ1128Q0PE
NAME: "Dot11Radio0" , DESCR: "802.11G Radio"
PID: UNKNOWN, VID: , SN: GAM112706LC?
NAME: "Dot11Radio1" , DESCR: "802.11A Radio"
PID: UNKNOWN, VID: , SN: ALP112706LC
To find in AP information about MICs (Manufacturer Installed Certificates):
AP_CLI#show crypto pki certificates
CA Certificate
Status: Available...
...
Certificate
Status: Available
Certificate Serial Number: 728AF4350000001E4C89
Certificate Usage: General Purpose
Issuer:
cn=Cisco Manufacturing CA
o=Cisco Systems
Subject:
Name: C1130-001c58b5b3a4
ea=support@cisco.com
cn=C1130-001c58b5b3a4
o=Cisco Systems
l=San Jose
st=California
c=US
CRL Distribution Points:
http://www.cisco.com/security/crl/cmca.crl
Validity Date:
start date: 04:22:10 UTC Jul 11 2007
end date: 04:32:10 UTC Jul 11 2017
Associated Trustpoints: Cisco_IOS_MIC_cert
To find information about SSCs (Self-Signed Certificates):
AP_CLI >show auth-list
...
AP with Self-Signed Certificate................ yes
...
All AP SSCs have an expiration date of January 1, 2020.
Find WLC serial number:
WLC_CLI>show inventory
Burned-in MAC Address............................ 24:E9:B3:43:C4:E0
Maximum number of APs supported.................. 75
NAME: "Chassis" , DESCR: "Cisco 2500 Series Wireless LAN Controller"
PID: AIR-CT2504-K9, VID: V04, SN: PSZ17441ANT
To see all certificates in WLC:
WLC_CLI: show certificate all
Certificate Name: Cisco SHA1 device cert
Subject Name :
C=US, ST=California, L=San Jose, O=Cisco Systems, CN=AIR-CT2504-K9-d0c282d65a20,
MAILTO=support@cisco.com
Issuer Name :
O=Cisco Systems, CN=Cisco Manufacturing CA
Serial Number :
454384735992863371807890
Validity :
Start : 2011 Jul 26th, 20:17:17 GMT
End : 2021 Jul 26th, 20:27:17 GMT
Signature Algorithm :
rsa-pkcs1-sha1
Hash key :
SHA1 Fingerprint : 98:89:eb:12:2a:98:bc:fe:ad:5b:8f:23:63:0f:47:d1:36:ce:f5:be
MD5 Fingerprint : ba:f3:98:9a:cd:f8:01:08:84:b8:66:3c:6a:6c:d3:05
