error installing certificate - help

Hi


I am trying to install a webauth certificate on a WLC (5508 6.0.188).

I followed the "Generate CSR for Third-Party Certificates and Download Unchained Certificates to the WLC" document.

But when I try to upload the .pem file I get the "error installing certificate" prompt.


I did not have any errors using OpenSSL.


Are there any debug commands that can help clarify the issue?

The Solution provided in this discussion has been added in the following Blog:-

https://supportforums.cisco.com/community/netpro/wireless-mobility/security-network-management/blog/2011/11/26/generate-csr-for-third-party-cert-and-download-unchained-cert-on-wireless-lan-controller-wlc


Accepted Solutions

WaynePlotkin
Level 1

I was having the same problem and worked on it for probably 8 hours trying numerous different solutions and this is what fixed it for me.

  1. The OpenSSL versions available from www.openssl.org do not create a final.pem that works with the WLC.
  2. I downloaded OpenSSL using this link http://www.ingate.com/files/Win32OpenSSL-0.9.6-1.0.zip and installed into C:\OpenSSL (It tries to install to Program Files; install location doesn't matter, I just like it on the root of C.)
  3. I then followed all of the steps outlined on Cisco.com http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00806e367a.shtml
  4. Uploaded the final.pem file and it installed without any problems.
  5. My cert was purchased from RapidSSL; I don't know if that matters or not.

This was a renewal cert, so it was my second time installing a cert to my WLC and I made the mistake of not keeping my original copy of OpenSSL that worked for me the first time. Don't make the mistake I made and KEEP a copy of the OpenSSL version that works for you. That will make cert renewal much easier for you.


You legend!!! Worked a treat; the only thing I did differently was to run the OpenSSL program as an administrator (right click, run as..)

For future searches I have included this link. I did a complete step-by-step process with screenshots ...

http://www.my80211.com/home/2011/1/16/wlcgenerate-third-party-web-authentication-certificate-for-a.html

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________

leejohns
Cisco Employee

OpenSSL v1.x seems to cause issues. I know I have always used v0.9.8. I have also asked that the CSR doc have notes added to them mentioning issues with 1.x.

Thanks,

Lee

leejohns
Cisco Employee

FYI, I just checked the chained and unchained CSR doc for the WLC and both do now contain a note about using v0.9.8:

Generate a CSR

Complete these steps in order to generate a CSR:

  1. Install and open the OpenSSL application. In Windows, by default, openssl.exe is located at C:\ > openssl > bin.

    Note: Cisco recommends that you use OpenSSL v0.9.8 for Windows.

Lee

ERIC BARNETT
Level 1

OpenSSL 1.0 absolutely didn't work for me.  My RapidSSL cert only installed under 0.98.  Thanks for the help!

Vinay Sharma
Level 7

Hello All,

Thanks for sharing this useful information. I have added all this information and created a short Blog so that all CSC customers will be able to use it.

https://supportforums.cisco.com/community/netpro/wireless-mobility/security-network-management/blog/2011/11/26/generate-csr-for-third-party-cert-and-download-unchained-cert-on-wireless-lan-controller-wlc

Thanks,

Vinay Sharma

Community Manager- Wireless

Thanks & Regards

Rob Simkins
Level 1

One more thing....

Assuming we're using the Windows version, the latest 0.9.8 binaries have a quirky difference in the way they reference the config file.

Pre 0.9.8h uses openssl.cnf

0.9.8h onwards uses openssl.cfg

However, the error msg still says it's looking for "/path/openssl.cnf" for the latest versions - slightly confusing...

Add the option "-config openssl.cfg" to the command for later versions

p.s. Hello Grev!
