
CN at SSL third party certificate Authority

gentjan
Level 1

I need clarification regarding the CN name in the SSL certificate that will be installed in 5520HA SSO WLCs.

The system name of the primary controller is ERW-MOD-RAC3-MCC1-01.

I need to define the CN in the certificate signing request and I am not sure about the right CN name.

What is the CN name ?

What is the impact if the CN name is wrongly defined?

 

5 Replies

Rich R
VIP

The CN and the SAN (Subject Alternative Name) "DNS name" should both exactly match the FQDN which will be used to access the WLC.
For example ERW-MOD-RAC3-MCC1-01.mycompany.com

 

Thanks a lot for the answer. Can I have a clear idea of what the impact on the clients is if the CN is wrongly defined within the CA, and whether a wrongly defined certificate can be installed in the WLC or the WLC doesn't allow that to happen?

If the CN is wrong and the certificate is installed on the WLC, you might get issues accessing the WLC webpage. If you are doing local web auth, the clients will get a certificate error when being redirected to the WLC.

-hope this helps-

ammahend
VIP

CN (common name) is just an attribute. This common name typically represents the hostname of the server to which the certificate is issued. If you want the same certificate to be issued to multiple servers, you can use their names in the SAN (subject alternative name) and have a single certificate instead of multiple certificates for multiple servers. Usually the limit is 5, but it depends on the CA signing the certificate.
If the CN is wrong but one of the SANs is still correct, then I don’t think you will have any issue. But if you only have a CN and it’s wrong, it means the certificate is issued for the wrong server, so when you do https://fqdn it will still show a cert error, because the requested hostname must match the CN on the certificate for the certificate to be validated. If you do run into this situation, change the host name to be the same as the CN and update the DNS record and I think you should be good, or just generate a new CSR with the correct CN.

-hope this helps-

Rich R
VIP

Adding to what @ammahend has said: as security gets stricter on clients, some may still give a cert error, but some will simply block the connection completely, so the client will never be able to open the captive portal page at all.
If you want it to work, the name used for https *must* match exactly to the CN or SAN.
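
Added example (not part of the original thread): a simplified Python model of the name check a client performs, run against constructed certificates for the FQDN from the first reply. It goes slightly beyond the replies by separating a strict client that reads only SAN DNS entries (as current major browsers do) from a legacy one that falls back to the CN when no SAN is present; `wlc.mycompany.com` and the certificate dicts are made-up sample data.

```python
# Simplified model of client-side certificate name matching (RFC 6125 style).
# Not Cisco or browser code; the certificates below are constructed sample data.

def name_matches(pattern: str, host: str) -> bool:
    """Case-insensitive DNS match; '*' is honoured only as the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False                      # short name vs FQDN never matches
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def check_hostname(cert: dict, host: str, strict: bool = True) -> bool:
    """True if `host` is covered by the certificate.

    strict=True : only SAN DNS names count, the CN is ignored.
    strict=False: CN is consulted, but only when the cert carries no SAN DNS name.
    """
    sans = cert.get("san_dns", [])
    if sans:
        return any(name_matches(s, host) for s in sans)
    if strict:
        return False
    return name_matches(cert.get("cn", ""), host)

FQDN = "ERW-MOD-RAC3-MCC1-01.mycompany.com"   # example FQDN from the first reply
WRONG = "wlc.mycompany.com"                   # hypothetical mistyped CN

CERTS = {                                      # constructed test certificates
    "cn_and_san_correct":   {"cn": FQDN,  "san_dns": [FQDN]},
    "cn_wrong_san_correct": {"cn": WRONG, "san_dns": [FQDN]},
    "cn_only_wrong":        {"cn": WRONG, "san_dns": []},
    "cn_only_correct":      {"cn": FQDN,  "san_dns": []},
}

def evaluate(host: str) -> dict:
    """Map each sample cert to (strict_client_ok, legacy_client_ok) for `host`."""
    return {name: (check_hostname(c, host, True), check_hostname(c, host, False))
            for name, c in CERTS.items()}

if __name__ == "__main__":
    for name, (strict_ok, legacy_ok) in evaluate(FQDN).items():
        print(f"{name:22} strict={strict_ok!s:5} legacy={legacy_ok}")
```

Running it shows that a certificate with only a CN fails on the strict client even when the CN is correct, so the CSR should carry the FQDN in both the CN and the SAN.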
