C9800 PKI Management with Wildcard Certificate

james.kuo
Level 1

Dear All,

Here is the problem I am facing.

I have a wildcard certificate obtained from a third-party CA Authority,

but according to the configuration guide, I can't find the steps for installing it for Web Admin and WebAuth.

Does anyone have some experience with wildcard installation for C9800 PKI Management?

James Kuo
HsinChu, TAIWAN
13 Replies

marce1000
Hall of Fame

  - FYI: https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/213917-generate-csr-for-third-party-certificate.html

 M.



-- Each morning when I wake up and look into the mirror I always say 'Why am I so brilliant?'
   When the mirror will then always respond to me with 'The only thing that exceeds your brilliance is your beauty!'

Hi Marce,

I have tried this configuration, but it still needs a CSR to be generated and signed.

I want to do like the web auth certificate of AireOS.

Upload the wildcard certificate as the webauth certificate directly.

James Kuo
HsinChu, TAIWAN

Hi Flavio,

I have tried this method, you can see step 3,

it still needs a CSR to be generated and signed by the local CA server.

James Kuo
HsinChu, TAIWAN

If you have a CA authority, as I believe you do as you said above: "I have a wildcard certificate applied from a third-party CA Authority,"

what you need to do is go to steps 1, 2 and 3, get the CSR from the WLC and ask your CA authority to sign it.

After that, install the certificate you get from your CA authority, steps 5 and 6.

Hi Flavio,

Maybe I didn't make it clear.

I have a wildcard certificate like *.mydomain.com,

I want to use it and upload it to WLC directly without generating CSR.

Because when I upload the wildcard certificate as the AireOS webauth certificate, it works.

James Kuo
HsinChu, TAIWAN

Got it, you were clear; I misunderstood. For that, you need a different approach.

You need to install OpenSSL version 1.X (Windows).

Split the PFX file into individual files.

Combine all the certificate and private key files into a .PFX file again using OpenSSL version 1.X:

openssl.exe pkcs12 -export -in ID-CERT.cer -inkey PRIV.key -certfile CA-CHAIN.pem -out CERT-and-KEY.pfx

On the WLC GUI, go to

Configuration > Security > PKI Management > Add Certificate > Import PKCS12 Certificate
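As an added example (not from this thread or from Cisco), the POSIX shell script below runs the checks a practitioner would want before importing a bundle on the C9800 (key matches certificate, chain verifies, wildcard SAN covers the WLC hostname) and then runs the export command above. The CA, key and wildcard certificate are constructed throwaway test data; the file names ID-CERT.cer, PRIV.key, CA-CHAIN.pem and CERT-and-KEY.pfx, the host wlc.mydomain.com and the password "demo" are assumptions, and the 3DES/SHA-1 PBE options spell out what OpenSSL 1.x produced by default so that OpenSSL 3 builds the same kind of bundle.

```shell
#!/bin/sh
# Constructed demo: a throwaway CA and wildcard leaf, no real keys or domains involved.

# Build a private test CA and a wildcard leaf signed by it; file names follow the thread.
make_test_material() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Demo Root CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.csr" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\n' > "$WORK/ca.ext"
  openssl x509 -req -in "$WORK/ca.csr" -signkey "$WORK/ca.key" -days 2 \
    -extfile "$WORK/ca.ext" -out "$WORK/CA-CHAIN.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=*.mydomain.com" \
    -keyout "$WORK/PRIV.key" -out "$WORK/leaf.csr" 2>/dev/null
  printf 'subjectAltName=DNS:*.mydomain.com\n' > "$WORK/san.ext"
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/CA-CHAIN.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 2 -extfile "$WORK/san.ext" -out "$WORK/ID-CERT.cer" 2>/dev/null
}

# Pre-import checks: the private key belongs to the certificate, the chain file really
# validates the leaf, and the wildcard SAN covers the hostname clients will be sent to.
check_material() {
  cert=$1; key=$2; chain=$3; host=$4
  [ "$(openssl x509 -in "$cert" -noout -pubkey)" = "$(openssl pkey -in "$key" -pubout)" ] || return 1
  openssl verify -CAfile "$chain" "$cert" >/dev/null || return 1
  openssl x509 -in "$cert" -noout -checkhost "$host" | grep -q "does match"
}

# The thread's export command, with OpenSSL 1.x-style PBE parameters made explicit
# so that OpenSSL 3 does not silently switch to AES/PBKDF2 encoding.
build_pfx() {
  openssl pkcs12 -export -in "$1" -inkey "$2" -certfile "$3" -out "$4" -passout pass:demo \
    -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1
}

# Read the bundle back and confirm the leaf certificate inside it is the wildcard one.
verify_pfx() {
  openssl pkcs12 -in "$1" -passin pass:demo -nokeys -clcerts 2>/dev/null \
    | openssl x509 -noout -subject | grep -q 'mydomain.com'
}

# Runs the whole flow in a temporary directory; returns 0 only if every step passed.
demo() {
  WORK=$(mktemp -d)
  make_test_material &&
    check_material "$WORK/ID-CERT.cer" "$WORK/PRIV.key" "$WORK/CA-CHAIN.pem" wlc.mydomain.com &&
    build_pfx "$WORK/ID-CERT.cer" "$WORK/PRIV.key" "$WORK/CA-CHAIN.pem" "$WORK/CERT-and-KEY.pfx" &&
    verify_pfx "$WORK/CERT-and-KEY.pfx"
  rc=$?
  rm -rf "$WORK"
  return "$rc"
}

demo && echo "PFX built and verified"
```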

Wildcard certificate config in WLC?
Is the domain name the same in the WLC and for the users?
Share the domain name and the wildcard domain name.

Hi MHM,

WLC domain name and wildcard CA name are the same.

James Kuo
HsinChu, TAIWAN

james.kuo
Level 1

Hi all,

The issue was resolved today: the customer sent me a new wildcard certificate whose format is *.pfx,

uploading it to the WLC shows the root CA, root chain CA, etc., and then I assigned it to webauth successfully.

James Kuo
HsinChu, TAIWAN

Hi @james.kuo 

If you received a pfx file, it means they might have run the command I sent you before.

openssl.exe pkcs12 -export -in ID-CERT.cer -inkey PRIV.key -certfile CA-CHAIN.pem -out CERT-and-KEY.pfx

But the important thing is that you fixed the problem.

Thanks for letting us know.

Hi Flavio,

My customer downloaded the pfx from a third-party CA Authority directly,

so I think he didn't use the command you provided,

but I think the command can resolve the issue when he downloads a certificate in a different format.

Anyway, thanks for kindly replying and providing solutions.

James Kuo
HsinChu, TAIWAN