cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
8076
Views
0
Helpful
11
Replies

Error installing 3rd party certificate to WLC

patoberli
VIP Alumni
VIP Alumni

Hello Together

I currently try to install a signed 3rd party certificate to my WLC running 7.0.253.3 for guest webauth. I tried various versions including the key but it always fails.

This is the debug output:

(WiSM-slot24-1) >transfer download start                                       

Mode............................................. TFTP 

Data Type........................................ Site Cert    

TFTP Server IP................................... 152.96.20.12

TFTP Packet Timeout.............................. 6

TFTP Max Retries................................. 2

TFTP Path........................................ /

TFTP Filename.................................... wlan-guest.domain.com.crt_ohne_chain.pem

This may take some time.

Are you sure you want to start? (y/N) y

*TransferTask: Mar 07 13:22:12.033: Memory overcommit policy restored from 1 to 0

*TransferTask: Mar 07 13:26:54.928: Memory overcommit policy changed from 0 to 1

*emWeb: Mar 07 13:26:55.069: Still waiting!  Status = 1

*TransferTask: Mar 07 13:26:55.083: RESULT_STRING: TFTP Webauth cert transfer starting.

TFTP Webauth cert transfer starting.

*TransferTask: Mar 07 13:26:55.084: RESULT_CODE:1

*emWeb: Mar 07 13:26:58.070: Still waiting!  Status = 2

*TransferTask: Mar 07 13:26:59.089: Locking tftp semaphore, pHost=152.96.20.12 pFilename=/wlan-guest.domain.com.crt_ohne_chain.pem

*TransferTask: Mar 07 13:26:59.089: Semaphore locked, now unlocking, pHost=152.96.20.12 pFilename=/wlan-guest.domain.com.crt_ohne_chain.pem

*TransferTask: Mar 07 13:26:59.089: Semaphore successfully unlocked, pHost=152.96.20.12 pFilename=/wlan-guest.domain.com.crt_ohne_chain.pem

*TransferTask: Mar 07 13:26:59.091: TFTP: Binding to local=0.0.0.0 remote=152.96.20.12

*TransferTask: Mar 07 13:26:59.104: TFP End: 1900 bytes transferred (0 retransmitted packets)

*TransferTask: Mar 07 13:26:59.106: tftp rc=0, pHost=152.96.20.12 pFilename=/wlan-guest.domain.com.crt_ohne_chain.pem

                        pLocalFilename=cert.p12

*TransferTask: Mar 07 13:26:59.107: RESULT_STRING: TFTP receive complete... Installing Certificate.

*TransferTask: Mar 07 13:26:59.107: RESULT_CODE:13

TFTP receive complete... Installing Certificate.

*emWeb: Mar 07 13:27:01.070: Still waiting!  Status = 2

*TransferTask: Mar 07 13:27:03.107: Adding cert (1884 bytes) with certificate key password.

*TransferTask: Mar 07 13:27:03.112: RESULT_STRING: Error installing certificate.

*TransferTask: Mar 07 13:27:03.112: RESULT_CODE:12

*TransferTask: Mar 07 13:27:03.112: ummounting: <umount /mnt/download/ >/dev/null 2>&1>  cwd  = /mnt/application

*TransferTask: Mar 07 13:27:03.164: finished umounting

Error installing certificate.

(WiSM-slot24-1) >

Any ideas? I tried it with chaining the root and also without.

Some tests I did, but which did not help:

#openssl pkcs12 -export -in wlan-guest.domain.com.crt.pem -inkey wlan-guest.domain.com.key -out All-certs.p12 -clcerts

#openssl pkcs12 -in All-certs.p12 -out wlan-guest.domain.com.crt_ohne_chain.pem

I have not set a password.

Thanks for help

Patrick

3 Accepted Solutions

Accepted Solutions

George Stefanick
VIP Alumni
VIP Alumni

I know the frustration .. I did a blog post on this very subject .. Did you copy and paste the cert chain correctly ?


http://www.my80211.com/home/2011/1/16/wlcgenerate-third-party-web-authentication-certificate-for-a.html


Sent from Cisco Technical Support iPhone App

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________

View solution in original post

No.... Password is required. You will have to rerun the last few commands in which you put in a password.

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***

View solution in original post

Scott Fella
Hall of Fame
Hall of Fame

Are you using OpenSSL v9.x V1.0 has some issues.

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***

View solution in original post

11 Replies 11

George Stefanick
VIP Alumni
VIP Alumni

I know the frustration .. I did a blog post on this very subject .. Did you copy and paste the cert chain correctly ?


http://www.my80211.com/home/2011/1/16/wlcgenerate-third-party-web-authentication-certificate-for-a.html


Sent from Cisco Technical Support iPhone App

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________

Thanks for the reply. As far as I can see it, yes I followed this. The only deviation I did, I did never enter a password. This should work too, or?

No.... Password is required. You will have to rerun the last few commands in which you put in a password.

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***

I tried it, I hope correct?

~/Desktop $ openssl pkcs12 -export -in wlan-guest.domain.com.crt_final_chain_komplett.pem -inkey wlan-guest.domain.com.key -out All-certs.p12 -clcerts -passin pass:PASSWORD -passout pass:PASSWORD

~/Desktop $ openssl pkcs12 -in All-certs.p12 -out finalcert.pem -passin pass:PASSWORD -passout pass:PASSWORD

MAC verified OK

~/Desktop

I also set the password on the controller, but it still won't work.    

Scott Fella
Hall of Fame
Hall of Fame

Are you using OpenSSL v9.x V1.0 has some issues.

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***

It is 1.0.1. Going to try an older version, stand by

Thanks for the help so far!

Yeah... That's why. I still use the v9.8.x of OpenSSL light.

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***

And bang, it worked!

Those are days where I simply dislike linux...

Anyway, used now openssl 0.9.8y instead of 1.0.1 and it worked now as it should.

Haha... See... Pretty simple:)

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***

I already deleted my tests now, but while comparing my tests, the main difference between the two openssl versions was (if I remember correct) this string here (below the BEGIN LINE), which was not written in the 1.0.x version:

-----BEGIN RSA PRIVATE KEY-----

Proc-Type: 4,ENCRYPTED

DEK-Info: DES-EDE3-CBC,309B7173122XXXXX

Thanks for the info!

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***
Review Cisco Networking for a $25 gift card