Hey Leo, 

I realize the particular series WLC is EOL - and no more firmware releases.
But from what I'm reading so far (I'm still figuring it all out) - it looks like Cisco could just issue a cert to be uploaded to the unit. 

It also looks like the unit could just run in a "self-signed" or private CA mode. I just need to figure out the details. 

but thought I would ask if anyone else has this all figured out already since reboots are going to knock out existing installs. I can't think everyone upgraded off these just because they went EOL. 

let me know and thanks,

 -Ben

Hi Saikat,

Thanks for the response. -- I do know what the MIC certs are. Thanks.

If "the workaround" you mean is setting:

config ap cert-expiry-ignore mic enable
config ap cert-expiry-ignore ssc enable

That's not working. Specifically, it appears the AP is rejecting the WLC's SHA-2 cert (as shown above) while the WLC is accepting the MIC cert from the AP regardless of date as the documentation for 8.5 describes on pdf page 658.

If that's the workaround you mean - then it's broken because of the AP side.

If you look at the AP's config - it looks like the proper "allow expired" are in the config -- but the AP is still
rejecting the SHA-2 cert from the WLC based on date.

(Since I'm not a dev I'm not sure if the ones without the ignore instruction are intended)

crypto pki trustpoint cisco-m2-root-cert
 revocation-check none
 rsakeypair Cisco_IOS_M2_MIC_Keys
!
crypto pki trustpoint Cisco_IOS_M2_MIC_cert
 revocation-check none
 rsakeypair Cisco_IOS_M2_MIC_Keys
 match certificate ciscomic allow expired-certificate
!
crypto pki trustpoint airespace-old-root-cert
 revocation-check none
 rsakeypair Cisco_IOS_MIC_Keys
!
crypto pki trustpoint airespace-device-root-cert
 revocation-check none
 rsakeypair Cisco_IOS_MIC_Keys
!
crypto pki trustpoint Cisco_IOS_MIC_cert
 revocation-check none
 rsakeypair Cisco_IOS_MIC_Keys
 match certificate ciscomic allow expired-certificate
!
crypto pki trustpoint virtual_wlc_trust_point
 revocation-check crl
 match certificate vwlcssc allow expired-certificate
!
crypto pki certificate map ciscomic 10
 issuer-name co cn = cisco manufacturing ca, o = cisco systems
!
crypto pki certificate map vwlcssc 1
 subject-name co o = cisco virtual wireless lan controller
!
crypto pki certificate chain cisco-m2-root-cert
!
 <certs deleted for brevity>
!
crypto pki certificate chain virtual_wlc_trust_point

This feels more like a bug after having set something that's supposed to ignore the expiration date. 

As for the LSC, the 8.5 Admin docs say right on pdf page 660:

You can use an LSC if you want your own public key infrastructure (PKI) to provide better security, to have
control of your certificate authority (CA), and to define policies, restrictions, and usages on the generated
certificates.

The LSC CA certificate is installed on access points and controllers. You need to provision the device certificate
on the access point. The access point gets a signed X.509 certificate by sending a certRequest to the controller.
The controller acts as a CA proxy and receives the certRequest signed by the CA for the access point.

This implies  LSCs aren't just a solution for virtual WLCs as LSCs can "provide better security".

Also, if you can better explain the RADIUS method (or point to an authoritative document) --- as it reads like it doesn't need the MIC date to be valid. I could set up RADIUS for the various clients still using these controllers/APs.... 

In the end, I'm looking to fix what looks like a missed bug waiting to happen after the SHA-2 cert expired and the "ignore" feature doesn't cover it. And regularly resetting the clock is something clients/users are going to raise an eyebrow at. Not a good look for Cisco.

Let me know and Thanks,

-Ben