
CERTIFICATE_INVALID_EXPIRED Cisco 9800-CL

User24571
Level 1

I have a problem with logs:

Jan 13 07:48:02.617: %PKI-3-CERTIFICATE_INVALID_EXPIRED: Certificate chain validation has failed. The certificate (SN: 3D7B23) has expired. Validity period ended on 2024-11-23T08:00:03Z
Jan 13 08:48:02.703: %PKI-3-CERTIFICATE_INVALID_EXPIRED: Certificate chain validation has failed. The certificate (SN: 3D7B23) has expired. Validity period ended on 2024-11-23T08:00:03Z
Jan 13 08:48:02.795: %PKI-4-TRUSTPOOL_DOWNLOAD_FAILURE: Trustpool Download failed

I have a Cisco 9800-CL with 17.12.04 - SMU-PATCHED

How can I verify it? I have checked all the certificates and they seem to be up to date.
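The triage below is an added example, not part of the original thread and not Cisco tooling: it parses the log lines quoted in the question, groups the expiry events by certificate serial number, and counts trustpool download failures logged shortly after one. The year (2025), treating the log timestamps as UTC, and the 5-second correlation window are assumptions, since the log lines carry none of them.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: the three syslog lines quoted in the question.
SAMPLE = """\
Jan 13 07:48:02.617: %PKI-3-CERTIFICATE_INVALID_EXPIRED: Certificate chain validation has failed. The certificate (SN: 3D7B23) has expired. Validity period ended on 2024-11-23T08:00:03Z
Jan 13 08:48:02.703: %PKI-3-CERTIFICATE_INVALID_EXPIRED: Certificate chain validation has failed. The certificate (SN: 3D7B23) has expired. Validity period ended on 2024-11-23T08:00:03Z
Jan 13 08:48:02.795: %PKI-4-TRUSTPOOL_DOWNLOAD_FAILURE: Trustpool Download failed
"""

# timestamp: %FACILITY-SEVERITY-MNEMONIC: message
LINE = re.compile(r"^(\w{3} +\d+ [\d:.]+): %([A-Z0-9_]+)-(\d)-([A-Z0-9_]+): (.*)$")
EXPIRED = re.compile(r"\(SN: ([0-9A-Fa-f]+)\) has expired\. Validity period ended on (\S+)")

def summarize(text, year, window=timedelta(seconds=5)):
    """Group expiry events by serial and count trustpool failures logged
    within `window` after one. `year` is an assumption (the log has none);
    log timestamps are assumed to be UTC."""
    certs, last_expiry = {}, None  # last_expiry: (time, serial) of latest expiry event
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m[1]}", "%Y %b %d %H:%M:%S.%f")
        ts = ts.replace(tzinfo=timezone.utc)
        mnemonic, expired = m[4], EXPIRED.search(m[5])
        if mnemonic == "CERTIFICATE_INVALID_EXPIRED" and expired:
            sn = expired[1].upper()
            not_after = datetime.fromisoformat(expired[2].replace("Z", "+00:00"))
            c = certs.setdefault(sn, {"count": 0, "first_seen": ts,
                                      "not_after": not_after, "trustpool_failures": 0})
            c["count"] += 1
            c["last_seen"] = ts
            c["days_expired"] = (ts - not_after).days  # as of the latest event
            last_expiry = (ts, sn)
        elif mnemonic == "TRUSTPOOL_DOWNLOAD_FAILURE" and last_expiry:
            when, sn = last_expiry
            if ts - when <= window:
                certs[sn]["trustpool_failures"] += 1
    return certs

if __name__ == "__main__":
    for sn, info in summarize(SAMPLE, 2025).items():
        print(sn, info)
```

The serial number it reports is the value to compare against the serials of the certificates actually installed on the controller.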


@User24571 

 Did you install a certificate on the WLC, or is it self-signed?

There is a bug with similar behavior

https://bst.cisco.com/bugsearch/bug/CSCvz30488?rfs=qvlogin

 

self-signed

 

  - I would advise that you generate the self-signed certificate again:

    Ref: https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/technical-reference/c9800-best-practices.html
     > ...There are extra considerations needed for the 9800-CL as the virtual appliance doesn’t come with a Manufacture Installed Certificate. It needs a Self Signed Certificate (SSC) to terminate CAPWAP tunnel from the AP. Follow the steps below to generate an SSC for a 9800-CL:

  • Delete the certificates which were copied along with the configuration. To do this, first check the existing certificates using the command “show crypto pki trustpoint”
  • Delete the existing certificate authority “WLC_CA”: no crypto pki server WLC_CA
  • Delete existing device certificates:
        no crypto pki trustpoint "<hostname>_WLC_TP"
  • Create a new SSC for the management interface using the exec command:
        wireless config vwlc-ssc key-size 2048 signature-algo sha256 password 0 <password>

 M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always respond to me with ' The only thing that exceeds your brilliance is your beauty! '

@User24571 

 Did you make any changes to the trustpool configuration of the WLC?

With a new WLC and a new IOS, you should not have a problem with the certificate.

Take a look at this guide:

https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/17-5/config-guide/b_wl_17_5_cg/m_locally_significant_certificates.html

 

marce1000
Hall of Fame

 

 - Ref : https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/config-guide/trustpoints/b-configuring-trustpoints-on-cisco-catalyst-9800-series-controllers/m-troubleshoot-common-issues-for-certificate-configuration.html
        Look up the particular error and read on:

  M.




Show wireless management trustpoint <<- share this 

MHM
