06-07-2022 04:14 AM
Hello people,
Does anyone know how I can generate a self-signed certificate on my Cisco 9800 WLC for web admin?
I'm using a 16.12.2s release and I can generate the RSA key pair with the GUI or via CLI, but when I create the trustpoint and set the RSA keypair plus the subject name and other values, it seems that the trustpoint is empty:
My-9800-WLC# show crypto pki trustpoints
Trustpoint my-self-signed-cert:
The trustpoint is configured like this:
My-9800-WLC(ca-trustpoint)#show
enrollment retry count 999
enrollment retry period 1
subject-name C=IT, ST=Italy, L=Milan, O=MyORG, OU=MyORG IT, CN=myorg.local
subject-alt-name myorg.local
revocation-check none
rsakeypair self-signed-key-test
hash sha1
How can I generate a self-signed certificate via CLI or GUI?
Thanks
06-07-2022 05:52 AM
06-07-2022 09:30 AM - edited 06-07-2022 09:30 AM
16.12.X code is a bit old; I suggest upgrading to the latest 17.3.3.
Follow the guide below for the certificate (same way you can sign local CA instead of 3rd party). Hope that helps you.
06-07-2022 11:58 AM
As @balaji.bandi mentioned, please upgrade your WLC to the latest Cisco TAC recommended code. You can find it here:
Recommended Cisco IOS XE Releases for Catalyst 9800 Wireless LAN Controllers - Cisco
Basically it depends on the AP models registered to your WLC: if you have any Wave1 APs, the latest recommended code is 17.3.5a CCO image + SMU; if you have all WiFi6 APs, then you can upgrade to 17.6.3.
If you have a physical controller, it is recommended that you upgrade the ROMMON to the latest recommended release as well.
If you are looking for a self-signed certificate for CAPWAP between AP and WLC, then follow the steps below:
● Delete the certificates which were copied along with the configuration. To do this, first check the existing certificates using the command “show crypto pki trustpoint”
● Delete the existing certificate authority “WLC_CA”: no crypto pki server WLC_CA
● Delete existing device certificates: no crypto pki trustpoint "<hostname>_WLC_TP"
● Create a new SSC for the management interface using the exec command: wireless config vwlc-ssc key-size 2048 signature-algo sha256 password 0 <password>
If you need to install a certificate on the 9800 for any other purpose, it is covered in the article below:
Generate and Download CSR Certificates on Catalyst 9800 WLCs - Cisco