Error installing 3rd party certificate to WLC

patoberli
VIP Alumni

Hello everyone,

I am currently trying to install a signed 3rd party certificate on my WLC running 7.0.253.3 for guest webauth. I tried various versions, including the key, but it always fails.

This is the debug output:

(WiSM-slot24-1) >transfer download start                                       

Mode............................................. TFTP 

Data Type........................................ Site Cert    

TFTP Server IP................................... 152.96.20.12

TFTP Packet Timeout.............................. 6

TFTP Max Retries................................. 2

TFTP Path........................................ /

TFTP Filename.................................... wlan-guest.domain.com.crt_ohne_chain.pem

This may take some time.

Are you sure you want to start? (y/N) y

*TransferTask: Mar 07 13:22:12.033: Memory overcommit policy restored from 1 to 0

*TransferTask: Mar 07 13:26:54.928: Memory overcommit policy changed from 0 to 1

*emWeb: Mar 07 13:26:55.069: Still waiting!  Status = 1

*TransferTask: Mar 07 13:26:55.083: RESULT_STRING: TFTP Webauth cert transfer starting.

TFTP Webauth cert transfer starting.

*TransferTask: Mar 07 13:26:55.084: RESULT_CODE:1

*emWeb: Mar 07 13:26:58.070: Still waiting!  Status = 2

*TransferTask: Mar 07 13:26:59.089: Locking tftp semaphore, pHost=152.96.20.12 pFilename=/wlan-guest.domain.com.crt_ohne_chain.pem

*TransferTask: Mar 07 13:26:59.089: Semaphore locked, now unlocking, pHost=152.96.20.12 pFilename=/wlan-guest.domain.com.crt_ohne_chain.pem

*TransferTask: Mar 07 13:26:59.089: Semaphore successfully unlocked, pHost=152.96.20.12 pFilename=/wlan-guest.domain.com.crt_ohne_chain.pem

*TransferTask: Mar 07 13:26:59.091: TFTP: Binding to local=0.0.0.0 remote=152.96.20.12

*TransferTask: Mar 07 13:26:59.104: TFP End: 1900 bytes transferred (0 retransmitted packets)

*TransferTask: Mar 07 13:26:59.106: tftp rc=0, pHost=152.96.20.12 pFilename=/wlan-guest.domain.com.crt_ohne_chain.pem

                        pLocalFilename=cert.p12

*TransferTask: Mar 07 13:26:59.107: RESULT_STRING: TFTP receive complete... Installing Certificate.

*TransferTask: Mar 07 13:26:59.107: RESULT_CODE:13

TFTP receive complete... Installing Certificate.

*emWeb: Mar 07 13:27:01.070: Still waiting!  Status = 2

*TransferTask: Mar 07 13:27:03.107: Adding cert (1884 bytes) with certificate key password.

*TransferTask: Mar 07 13:27:03.112: RESULT_STRING: Error installing certificate.

*TransferTask: Mar 07 13:27:03.112: RESULT_CODE:12

*TransferTask: Mar 07 13:27:03.112: ummounting: <umount /mnt/download/ >/dev/null 2>&1>  cwd  = /mnt/application

*TransferTask: Mar 07 13:27:03.164: finished umounting

Error installing certificate.

(WiSM-slot24-1) >

Any ideas? I tried it with chaining the root and also without.

Some tests I did, but which did not help:

#openssl pkcs12 -export -in wlan-guest.domain.com.crt.pem -inkey wlan-guest.domain.com.key -out All-certs.p12 -clcerts

#openssl pkcs12 -in All-certs.p12 -out wlan-guest.domain.com.crt_ohne_chain.pem

I have not set a password.

Thanks for help

Patrick

11 Replies

George Stefanick
VIP Alumni

I know the frustration... I did a blog post on this very subject. Did you copy and paste the cert chain correctly?


http://www.my80211.com/home/2011/1/16/wlcgenerate-third-party-web-authentication-certificate-for-a.html


Sent from Cisco Technical Support iPhone App

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________

Thanks for the reply. As far as I can see, yes, I followed this. The only deviation I made is that I never entered a password. This should work too, shouldn't it?

No.... Password is required. You will have to rerun the last few commands in which you put in a password.

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***

I tried it; I hope correctly?

~/Desktop $ openssl pkcs12 -export -in wlan-guest.domain.com.crt_final_chain_komplett.pem -inkey wlan-guest.domain.com.key -out All-certs.p12 -clcerts -passin pass:PASSWORD -passout pass:PASSWORD

~/Desktop $ openssl pkcs12 -in All-certs.p12 -out finalcert.pem -passin pass:PASSWORD -passout pass:PASSWORD

MAC verified OK

~/Desktop

I also set the password on the controller, but it still won't work.    

Scott Fella
Hall of Fame

Are you using OpenSSL v9.x? v1.0 has some issues.

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***

It is 1.0.1. Going to try an older version, stand by.

Thanks for the help so far!

Yeah... That's why. I still use the v9.8.x of OpenSSL light.

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***

And bang, it worked!

Those are the days where I simply dislike Linux...

Anyway, I now used openssl 0.9.8y instead of 1.0.1 and it worked as it should.

Haha... See... Pretty simple:)

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***

I already deleted my tests now, but while comparing my tests, the main difference between the two openssl versions was (if I remember correctly) this string here (below the BEGIN line), which was not written by the 1.0.x version:

-----BEGIN RSA PRIVATE KEY-----

Proc-Type: 4,ENCRYPTED

DEK-Info: DES-EDE3-CBC,309B7173122XXXXX
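The header difference Patrick describes is the whole story of this thread: the WLC accepted a bundle whose private key is in the traditional, password-encrypted "RSA PRIVATE KEY" format (Proc-Type / DEK-Info headers, as OpenSSL 0.9.8 writes it) and rejected the output of the 1.0.x round trip, which writes the key as a PKCS#8 "ENCRYPTED PRIVATE KEY" block instead. The script below is an added example, not code from the thread or from Cisco; it parses a PEM bundle with nothing but the standard library and reports the two problems seen here (key not password-protected, key in PKCS#8 form) before the file is ever pushed to the controller. The sample bundles are constructed placeholders with no real key material, and the `openssl rsa -des3` re-encoding suggested in the findings is a general OpenSSL command, not something the thread itself used.

```python
import re
from typing import Dict, List, Optional

# Matches one PEM block and captures its label and body (RFC 7468 layout).
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)

# Constructed sample bundles (NOT real certificates or keys; base64 bodies are placeholders).
# 1) What OpenSSL 0.9.8 produced for the OP: traditional RSA key with encryption headers.
SAMPLE_OK = """-----BEGIN CERTIFICATE-----
MIIC...placeholder...
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,0123456789ABCDEF

MIIE...placeholder...
-----END RSA PRIVATE KEY-----
"""
# 2) What the OpenSSL 1.0.x pkcs12 round trip writes: a PKCS#8 encrypted key.
SAMPLE_PKCS8 = SAMPLE_OK.split("-----BEGIN RSA")[0] + """-----BEGIN ENCRYPTED PRIVATE KEY-----
MIIF...placeholder...
-----END ENCRYPTED PRIVATE KEY-----
"""
# 3) The OP's first attempt: no password at all, so no encryption headers.
SAMPLE_PLAIN = SAMPLE_OK.split("-----BEGIN RSA")[0] + """-----BEGIN RSA PRIVATE KEY-----
MIIE...placeholder...
-----END RSA PRIVATE KEY-----
"""


def parse_pem(text: str) -> List[Dict]:
    """Return a list of {'label', 'headers'} for every PEM block in the text."""
    blocks = []
    for match in PEM_BLOCK.finditer(text):
        label, body = match.group(1), match.group(2)
        headers: Dict[str, str] = {}
        lines = body.splitlines()
        # RFC 1421-style "Name: value" headers sit before a blank line; base64 lines never contain ':'
        while lines and ":" in lines[0]:
            name, _, value = lines[0].partition(":")
            headers[name.strip()] = value.strip()
            lines.pop(0)
        blocks.append({"label": label, "headers": headers})
    return blocks


def key_format(block: Dict) -> Optional[str]:
    """Classify a private-key block; None if the block is not a private key."""
    label, headers = block["label"], block["headers"]
    if label == "ENCRYPTED PRIVATE KEY":
        return "pkcs8-encrypted"
    if label == "PRIVATE KEY":
        return "pkcs8-plain"
    if label.endswith(" PRIVATE KEY"):  # RSA/EC/DSA traditional formats
        if headers.get("Proc-Type") == "4,ENCRYPTED" and "DEK-Info" in headers:
            return "traditional-encrypted"
        return "traditional-plain"
    return None


def check_bundle(text: str) -> List[str]:
    """Return findings that would make the WLC 7.0 webauth import fail; empty list means OK."""
    findings: List[str] = []
    blocks = parse_pem(text)
    certs = [b for b in blocks if b["label"] == "CERTIFICATE"]
    keys = [b for b in blocks if key_format(b)]
    if not certs:
        findings.append("no CERTIFICATE block found")
    if len(keys) != 1:
        findings.append(f"expected exactly one private key block, found {len(keys)}")
    for key in keys:
        fmt = key_format(key)
        if fmt == "traditional-plain":
            findings.append("private key is not password-protected; the controller requires a key password")
        elif fmt in ("pkcs8-encrypted", "pkcs8-plain"):
            findings.append(
                f"private key is PKCS#8 ({key['label']}); re-encode it with "
                "'openssl rsa -des3 -in key.pem -out key_enc.pem' to get a traditional "
                "RSA PRIVATE KEY block with Proc-Type/DEK-Info headers"
            )
    return findings


if __name__ == "__main__":
    for name, sample in (("0.9.8 output", SAMPLE_OK), ("1.0.x output", SAMPLE_PKCS8), ("no password", SAMPLE_PLAIN)):
        print(name, "->", check_bundle(sample) or "OK")
```

Run it against the final `.pem` before the `transfer download start`; an empty findings list means the key block looks like the one the 0.9.8 build produced, while the PKCS#8 finding is exactly the case that made the 1.0.1-built file fail with "Error installing certificate."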

Thanks for the info!

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***