Help!!! Need Certificate Renewal Steps on WLC 9800

_dmunozz_
Level 1

Hi everyone,

I'm looking for instructions on how to renew a cert that will be expiring on my wireless controller next week. I have read all the guides that tell you how to install a 3rd party cert, how to generate and download a CSR, etc.

But no guide will tell you anything about cert renewal....

Any help on this matter is appreciated


balaji.bandi
Hall of Fame

Is this an internal CA or an external one?

If it is the same provider, get the new cert and install it (you do not need a CSR). (Not done on Cat 9800, but WLC 8500 and others work the same way?)

https://www.cisco.com/c/en/us/support/docs/wireless/4400-series-wireless-lan-controllers/109597-csr-chained-certificates-wlc-00.html

https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/213917-generate-csr-for-third-party-certificate.html

BB

***** Rate All Helpful Responses *****

Balaji,

It's an external CA. Need it for Web admin and web authorization.

I don't do certificates normally but can follow along with a good guide... where one is available.

From my experience, you need to upload a new certificate. It’s not like a Windows machine or web server that you can renew. Generate a new CSR and provide that to the CA.

-Scott
*** Please rate helpful posts ***

Thanks for the reply Scott,

I guess I will need to create a new trustpoint as well and basically follow the steps as if it was a new install.....

Yes that is correct. Just document your steps so it’s easy next time. We have various other devices that we need to do that every year.
-Scott
*** Please rate helpful posts ***

Scott,

Just one more question: do I wait until the current cert expires to do the new cert? Since I have to start over, I don't want to interrupt wireless services for current users.

I'm asking because, if I have to re-key my new cert, I'm guessing that will invalidate my current cert, right?

I wouldn’t wait too long, just in case you have an issue with your CA or the cert provided. You can always add the certificate and later change the trustpoint pointing to the web admin or web auth.

-Scott
*** Please rate helpful posts ***

I just tested this on my lab 9800's using an internal CA and it worked just fine. I used the GUI as it seems to have a better workflow for me. The only thing is that you will need to use the CLI to import the device, intermediate(s), and root CA.

Generate and Download CSR Certificates on Catalyst 9800 WLCs - Cisco

-Scott
*** Please rate helpful posts ***

So.... CLI is the only way to import the cert?

I thought you could do it all from the GUI as long as you were using versions 17.3.1 and above....which is what I have on my controller.

 

Thanks, anyways. I really appreciate the info you have shared.

You can if there are no intermediate CAs. If you have a root and a device certificate, you can use the GUI. I think most external CAs have an intermediate.

-Scott
*** Please rate helpful posts ***
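
The cutover described in the thread (install the renewed certificate under a new trustpoint ahead of expiry, then repoint web admin and web auth to it), as an added IOS-XE CLI example that is not part of the original posts. The trustpoint name `WLC-CERT-NEW` is hypothetical, and the example assumes the renewed certificate and its CA chain are already imported under that trustpoint; until step 2 runs, both services keep using the existing trustpoint.

```cisco
! Added example. WLC-CERT-NEW is a hypothetical trustpoint name; substitute your own.
! Assumes the renewed device certificate and its CA chain are already imported under it.

! 1. Before touching any service, confirm the new trustpoint is complete:
!    check the CA certificate(s), the device certificate, and the validity dates.
show crypto pki trustpoints WLC-CERT-NEW status
show crypto pki certificates verbose WLC-CERT-NEW

! 2. Point web admin (HTTPS) at the new trustpoint, then restart the HTTPS
!    server so it presents the new certificate.
configure terminal
 ip http secure-trustpoint WLC-CERT-NEW
 no ip http secure-server
 ip http secure-server
!
! 3. Point local web authentication at the new trustpoint.
 parameter-map type webauth global
  trustpoint WLC-CERT-NEW
 end

! 4. Confirm which trustpoint the HTTPS server now uses, then save.
show ip http server secure status
write memory
```

The old trustpoint stays in the configuration until it is removed, so rolling back means repeating steps 2 and 3 with its name.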