cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1553
Views
0
Helpful
13
Replies

CA Certs for 5520

craigshawm6
Level 1
Level 1

Our existing 5508 wlcs have "othIpsecCaCert" for IPSec and "bsnSslEapCaCert" for EAP Certificates. Our HA Pair of 5520 show nothing in the "security, advanced, Vendor Certs" area. Just blank. How do I get these created?

Running 8.5.140.0 

13 Replies 13

Hi @craigshawm6,

 

The configuration is same as other models and versions. Please refer this for Local EAP

Regards,
Sathiyanarayanan Ravindran

Please rate the post and accept as solution, if my response satisfied your question:)

I have everything set, except it gives me an error for installing the IPsec CA certificate. The other 3 installed and worked just fine. IPSEC Device, EAP Device, and EAP CA worked great. Just the IPSec CA won't upload/install. I've tried two different certs. I've ran OpenSSL as an administrator. Nothing is working for this last cert install.

 

OUTPUT BELOW:

TFTP IPSEC CA cert transfer starting.

TFTP receive complete... installing Certificate.

Error installing certificate.

 

before installing cert, can you enable debug transfer all enable and debug pm pki enable and install again and paste the debug output.

-hope this helps-

(Cisco Controller) >debug transfer all enable

(Cisco Controller) >debug pm pki enable

(Cisco Controller) >*emWeb: Jun 07 09:35:23.142: [PA] file name=

*emWeb: Jun 07 09:35:23.142: [PA] total size=0

*TransferTask: Jun 07 09:35:23.142: [PA] Memory overcommit policy changed from 0 to 1

*TransferTask: Jun 07 09:35:23.142: [PA] RESULT_STRING: TFTP IPSEC CA cert transfer starting.

*TransferTask: Jun 07 09:35:23.142: [PA] RESULT_CODE:1

*TransferTask: Jun 07 09:35:27.157: [PA] TFTP: Binding to remote=172.21.30.136

*TransferTask: Jun 07 09:35:27.180: [PA] TFP End: 11686 bytes transferred (0 retransmitted packets)

*TransferTask: Jun 07 09:35:27.180: [PA] tftp rc=0, pHost=172.21.30.136 pFilename=./wlcIPSecCACert.pem
pLocalFilename=cert.p12

*TransferTask: Jun 07 09:35:27.195: [PA] RESULT_STRING: TFTP receive complete... installing Certificate.

*TransferTask: Jun 07 09:35:27.195: [PA] RESULT_CODE:13

*TransferTask: Jun 07 09:35:27.195: [PA] Adding cert (11594 bytes) with certificate key password.

*TransferTask: Jun 07 09:35:27.195: [PA] sshpmCheckCaCertBasicConsrtaints: CA Certificate basic constraint check failed at depth 0
*TransferTask: Jun 07 09:35:27.195: [PA] Add IPSEC CA certificate: Error checking basic constraints (verify: YES) IPSEC CA certificate chain
*TransferTask: Jun 07 09:35:27.195: [PA] RESULT_STRING: Error installing certificate.


*TransferTask: Jun 07 09:35:27.195: [PA] RESULT_CODE:12

*TransferTask: Jun 07 09:35:27.195: [PA] Memory overcommit policy restored from 1 to 0

Hi @craigshawm6 ,

 

Ensure that certificate you're installing is having the complete chain.

Regards,
Sathiyanarayanan Ravindran

Please rate the post and accept as solution, if my response satisfied your question:)

Not sure how to do that exactly. I followed the exact same process for the other 3 certs that were installed on the wlc. 

If you open the certificate in a text editor, it should contain two or more ***BEGIN CERTIFICATE*** (or similar) areas. One for the root, zero or more for the intermediates and lastly the actual certificate.

I see three different "begin certificate" when I opened it in notepad. Each has it's corresponding "end certificate" as well. 

Decode all by using https://www.sslshopper.com/certificate-decoder.html
Regards,
Sathiyanarayanan Ravindran

Please rate the post and accept as solution, if my response satisfied your question:)

All three certs checked good on that link. Everything looks on the up and up. It just won't install. 

 

What will it affect not having the IPSec CA Cert installed? 

So what is the effect of not having the IPSec CA cert on the 5520? The other 3 certs, IPSec Device, EAP CA, and EAP Device, installed just fine. 

Sorry I can't help you, never installed a cert on the Wlc.

sorry for the late reply.

The WLC uses IPSec to protect traffic to Radius server and syslog server.

you don't necessarily have to use it, but its off course recommended and I think its mandatory for CC compliance.

-hope this helps-
Review Cisco Networking for a $25 gift card