cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1570
Views
7
Helpful
8
Replies

Cisco 5520 WLC WebAdmin Cert

Chris Terry
Level 1
Level 1

I'm trying to install a WebAdmin cert for a Cisco WLC 5520 version 8.5.151.

I generated the CSR via CLI and had it signed. I uploaded the .pem file to the controller. It's returning a certificate error of NET::ERR_CERT_COMMON_NAME_INVALID when visiting the webadmin login page. I entered the FQDN in the common name when I generated the CSR, and the FQDN is in DNS and resolves.

Is there something that would fix this issue?

1 Accepted Solution

Accepted Solutions

Chris Terry
Level 1
Level 1

I was able get a working/valid cert. I had to use openssl. My certificate authority needed the SAN entry. Generating a CSR on the WLC doesn't have an option for SANs.

View solution in original post

8 Replies 8

marce1000
VIP
VIP

 

 - FYI : https://www.cisco.com/c/en/us/support/docs/wireless/wireless-lan-controller-software/215425-troubleshoot-certificate-installation-on.html

 M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '

jagan.chowdam
Spotlight
Spotlight

Once certificate installed, did you reboot the controllers? 

Have you updated your DNS with the entry of the information on the Virtual interface?

CJ

/*Please rate all useful responses*/

Hi CJ,

Can you be more specific? Does there need to be a DNS entry for the virtual IP, or are you referring to the DNS Host Name field under the Virtual Interface settings? Will it be the same hostname that would be set for the management IP, or would it be a different name that would be included as a SAN in the cert?

Rich R
VIP
VIP

Generally speaking as long as you follow the instructions to the letter here https://www.cisco.com/c/en/us/support/docs/wireless/4400-series-wireless-lan-controllers/109597-csr-chained-certificates-wlc-00.html it should just work.
We don't use the WLC to generate the CSR - we use openssl.
Our DNS entry = CN = first SAN entry = WLC virtual hostname
And the DNS entry resolves to the WLC virtual IP.
That has worked reliably for us for years.

From the link above:
Note: It is important to provide the correct Common Name. Ensure that the host name that is used to create the certificate (Common Name) matches the Domain Name System (DNS) host name entry for the virtual interface IP address on the WLC and that the name exists in the DNS as well. Also, after you make the change to the Virtual IP (VIP) interface, you must reboot the system in order for this change to take effect.

Hi Experts,

I had a a little bit different query but in connection to this topic itself.

So, in my case I was successfully able to apply third party CA signed cert on WLC 5520 and all works on https FQDN connection. CSR was generated with FQDN name in CN field via openssl. So, now https connection to WLC mgmt IP is non-cert checked session, and https to WLC FQDN is cert checked secure session. How to not allow https to WLC IP directly and cease it off post the WLC FQDN session works fine with third party CA signed cert.

There's no easy way to that.  It would require filtering the TLS header for the SNI field and allowing the FQDN SNI while dropping the IP SNI.  But TLS 1.3 introduces encrypted SNI so eventually even that won't be possible but for today if you wanted to do that for 5520 that's how you would do it.

Otherwise you just need to educate your users or apply policy to their devices blocking access to the direct IP URL.

Chris Terry
Level 1
Level 1

I was able get a working/valid cert. I had to use openssl. My certificate authority needed the SAN entry. Generating a CSR on the WLC doesn't have an option for SANs.

Thanks for providing the solution.  This helps the community and those whom run into the same issue.

-Scott
*** Please rate helpful posts ***
Review Cisco Networking for a $25 gift card