08-17-2016 10:12 AM - edited 07-05-2021 05:39 AM
I bumbled around for a while trying to get this worked out and thought I'd post my results here. Search engine results were not clear as none of them tied together the entire process and I had a hard time finding the appropriate command to enable interfaces on the secondary after breaking HA.
We wanted Web Auth for our guest users and employees with personal equipment. An SSL cert is required for the WebAuth landing page unless WebAuth SecureWeb is disabled (under Management - HTTP-HTTPS); however, this requires a controller reload/restart/reset as well. In our situation I don't think it would have mattered, but if one had a form that collected information, they may want traffic secured. Turning off WebAuth SecureWeb and using wireless isolation might be a good solution as well.
Generating the Certificate
For certificate generation, I installed the *.mydomain.org wildcard cert onto a computer, then used the DigiCert utility (https://www.digicert.com/util/DigiCertUtil.zip) to export the certificate to PFX with the box checked so the certificates are chained. When using the resulting certificate, I see the wildcard, intermediate and root certificates chained together.
Per steps from Cisco TAC, OpenSSL is used to convert the PFX to CRT, rename it to PEM, convert it to a P12, and convert it back to a PEM.
I'm guessing we could have done the first step with OpenSSL as documented by Cisco and skipped the rest; when I reviewed the files later, I saw the contents are very similar.
openssl> pkcs12 -in c:\temp\wc_domain_org.pfx -out wc_domain_org.cer -nodes
Since the DigiCert output has everything chained and OpenSSL changed it to CER, renaming the resulting CER to PEM and attempting the import to the WLC would be a test.
Installing the Certificate
The certificate can be installed on the Primary without breaking High Availability, but still requires a restart of the Primary to complete the change. Navigate to Security -> Web Auth -> Certificate.
Installing a certificate on the Secondary requires breaking High Availability. When HA is broken, the controllers restart simultaneously.
As the port IP addresses are replicated, breaking HA disables ports on the secondary. Connect a console cable to the secondary as you will need to enable ports to upload the certificate.
Step 1
Disable HA on the primary in CLI (or turn off AP SSO via web admin console: Controller -> Redundancy -> Global Configuration - SSO Disabled)
>config redundancy mode disable
(When I tried this from the GUI, a message is displayed indicating the Secondary will restart (got my hopes up), however both units restarted as expected - this was on some 7.6 code).
Step 2
When the HA WLC restarts, change the IP address on the management interface to something unused on the subnet.
>config interface address management 10.20.30.40 255.255.254.0 10.20.30.1
Step 3
Enable ports
>config port adminmode all enable
(one could enable only the management port here)
Once this is done, access the web interface, Navigate to Security -> Web Auth -> Certificate, check the box to download the SSL certificate and fill in the fields. I have the SolarWinds TFTP server installed on my computer and used that ip/path.
Step 4
To Restore HA, on both units, execute:
THIS MUST BE DONE WITHIN MOMENTS OF EACH OTHER ON BOTH UNITS!
>config redundancy mode sso
I imagine one could do this in CLI on one and GUI on the other or both in GUI.
I would enjoy feedback on this. If you are aware of ways to make the process easier or have other ideas, please share. Putting it all in one place makes it easier when I need a memory jog to do this again in 3 years.
Oh, and don't unplug the HA cable during this - if you do, the Secondary will boot into Maintenance Mode.
Best Regards,
David
11-08-2022 10:53 PM
Installing a certificate on the Secondary requires breaking High Availability. When HA is broken, the controllers restart simultaneously.
Is the step above required for both the admin certificate and the WebAuth certificate?