06-06-2019 08:29 AM - edited 07-05-2021 10:31 AM
Our existing 5508 WLCs have "othIpsecCaCert" for IPSec and "bsnSslEapCaCert" for EAP certificates. Our HA pair of 5520s shows nothing in the "Security, Advanced, Vendor Certs" area. Just blank. How do I get these created?
Running 8.5.140.0
06-06-2019 11:22 AM
Hi @craigshawm6,
The configuration is the same as for other models and versions. Please refer to this for Local EAP.
06-06-2019 11:59 AM - edited 06-07-2019 05:54 AM
I have everything set, except it gives me an error for installing the IPsec CA certificate. The other 3 installed and worked just fine. IPSec Device, EAP Device, and EAP CA worked great. Just the IPSec CA won't upload/install. I've tried two different certs. I've run OpenSSL as an administrator. Nothing is working for this last cert install.
OUTPUT BELOW:
TFTP IPSEC CA cert transfer starting.
TFTP receive complete... installing Certificate.
Error installing certificate.
06-07-2019 06:00 AM - edited 06-07-2019 06:01 AM
Before installing the cert, can you enable "debug transfer all enable" and "debug pm pki enable", install again, and paste the debug output?
06-07-2019 06:36 AM
(Cisco Controller) >debug transfer all enable
(Cisco Controller) >debug pm pki enable
(Cisco Controller) >*emWeb: Jun 07 09:35:23.142: [PA] file name=
*emWeb: Jun 07 09:35:23.142: [PA] total size=0
*TransferTask: Jun 07 09:35:23.142: [PA] Memory overcommit policy changed from 0 to 1
*TransferTask: Jun 07 09:35:23.142: [PA] RESULT_STRING: TFTP IPSEC CA cert transfer starting.
*TransferTask: Jun 07 09:35:23.142: [PA] RESULT_CODE:1
*TransferTask: Jun 07 09:35:27.157: [PA] TFTP: Binding to remote=172.21.30.136
*TransferTask: Jun 07 09:35:27.180: [PA] TFP End: 11686 bytes transferred (0 retransmitted packets)
*TransferTask: Jun 07 09:35:27.180: [PA] tftp rc=0, pHost=172.21.30.136 pFilename=./wlcIPSecCACert.pem
pLocalFilename=cert.p12
*TransferTask: Jun 07 09:35:27.195: [PA] RESULT_STRING: TFTP receive complete... installing Certificate.
*TransferTask: Jun 07 09:35:27.195: [PA] RESULT_CODE:13
*TransferTask: Jun 07 09:35:27.195: [PA] Adding cert (11594 bytes) with certificate key password.
*TransferTask: Jun 07 09:35:27.195: [PA] sshpmCheckCaCertBasicConsrtaints: CA Certificate basic constraint check failed at depth 0
*TransferTask: Jun 07 09:35:27.195: [PA] Add IPSEC CA certificate: Error checking basic constraints (verify: YES) IPSEC CA certificate chain
*TransferTask: Jun 07 09:35:27.195: [PA] RESULT_STRING: Error installing certificate.
*TransferTask: Jun 07 09:35:27.195: [PA] RESULT_CODE:12
*TransferTask: Jun 07 09:35:27.195: [PA] Memory overcommit policy restored from 1 to 0
06-07-2019 06:46 AM
Hi @craigshawm6 ,
Ensure that the certificate you're installing has the complete chain.
06-07-2019 06:49 AM
Not sure how to do that exactly. I followed the exact same process for the other 3 certs that were installed on the WLC.
06-07-2019 08:23 AM
06-07-2019 08:26 AM
I see three different "BEGIN CERTIFICATE" lines when I open it in Notepad. Each has its corresponding "END CERTIFICATE" as well.
06-07-2019 11:37 AM
06-07-2019 11:46 AM - edited 06-07-2019 12:02 PM
All three certs checked good on that link. Everything looks on the up and up. It just won't install.
What will it affect if the IPSec CA cert is not installed?
06-10-2019 08:13 AM
So what is the effect of not having the IPSec CA cert on the 5520? The other 3 certs, IPSec Device, EAP CA, and EAP Device, installed just fine.
06-10-2019 09:14 AM
07-08-2019 10:15 PM
Sorry for the late reply.
The WLC uses IPSec to protect traffic to the RADIUS server and syslog server.
You don't necessarily have to use it, but it's of course recommended and I think it's mandatory for CC compliance.