Cisco Wireless 5508 - Web authentication

deanshaw35 · ‎12-01-2014

Hi

I am attempting to load a Thawte third party certificate onto a WLC5508.

I used OpenSSL but for some reason the chained Certificate wouldn't load onto the WLC.

One of the documents I have used indicates the Cert should be Apache compatible with SHA1 encryption.

Unfortunately Thawte will not provide a Cert with less than SHA256

Can someone please advise me if SHA1 is still a requirement on the latest WLC 7.6 software?

Saurav Lodh · ‎12-02-2014

SHA2 should be supported

https://supportforums.cisco.com/document/102151/certificate-signing-requests-wlc-open-ssl

deanshaw35 · ‎12-02-2014

Thanks for your comments - I am using OpenSSL 0.9.8zc

The Certificate Authority is Thawte. The Cert option I selected was ApacheSSL but there was no option for SHA2 - only SHA256. I am trying a second time with a chained cert..Hopefully this time it will work.I am suprised at how difficult the process seems to be..

George Stefanick · ‎12-02-2014

Sha2 includes SHA256

The SHA-2 family consists of six hash functions with digests (hash values) that are 224, 256, 384 or 512 bits: SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224, SHA-512/256.

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________

deanshaw35 · ‎12-02-2014

Thanks George - I didn't know that - much appreciated..

George Stefanick · ‎12-02-2014

No worries .. If any of this is helpful don't be afraid to support the rating system :)

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________

George Stefanick · ‎12-02-2014

I don't know if this is your issue. When I used OpenSSL 1.x something it failed each time. I spent all day till I read this. I tried a lower rev and worked the first time ..

Again, not sure if this is your issue. But wanted to throw this in there ..

Install and open the OpenSSL application. In Windows, by default, openssl.exe is located at C:\ > openssl > bin.
Note: OpenSSL 0.9.8 is required as the WLC does not currently support OpenSSL 1.0.

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________

Olof Wiking · ‎12-07-2014

Hi

We are having the same problem. From what we have seen Thawte ended their support for SHA-1 30 october this year. We were told that if we wanted a sha-1 certificate we had to upgrade our account to enterprice at a higher cost.

Strangely enough we managed to install the certificate with sha-256 on some of our controllers with the software version 7.0.230.0. That was an older 4402 and a WISM1 blade.

On our 5508's with 7.6.120.0 it didn't work.

Its strange that Cisco doesnt have support for sha-256 since several webbrowser will stop their support of sha-1.

http://www.zdnet.com/article/google-accelerates-end-of-sha-1-support-certificate-authorities-nervous/

http://blogs.technet.com/b/pki/archive/2013/11/12/sha1-deprecation-policy.aspx

Below is a text from Thawtes website. Are there a way where we can use sha-1 for the root certificate and still use sha-256 for intermediate and device?

We recommend the default option, SHA-256 for the certificate and SHA-1 for the root CA, for most SSL certificate uses. Nearly all browsers and applications support the SHA-1 root CA, so most browsers and applications can connect to your site.

Note that using SHA-1 for the root CA is secure and compliant, because the root CA is verified by means other than the signature hash algorithm.