
How can I generate self signed 9800 WLC cert for web admin

PythonUser777
Level 1

Hello people,

 

Does anyone know how I can generate a self-signed certificate on my Cisco 9800 WLC for web admin?

 

I'm using a 16.12.2s release and I can generate the RSA key pair with the GUI or via CLI, but when I create the trustpoint and set the RSA keypair plus the subject name and other values, it seems that the trustpoint is empty:

 

My-9800-WLC# show crypto pki trustpoints
Trustpoint my-self-signed-cert:

 

The trustpoint is configured like this:

 

My-9800-WLC(ca-trustpoint)#show
enrollment retry count 999
enrollment retry period 1
subject-name C=IT, ST=Italy, L=Milan, O=MyORG, OU=MyORG IT, CN=myorg.local
subject-alt-name myorg.local
revocation-check none
rsakeypair self-signed-key-test
hash sha1

 

How can I generate a self-signed certificate via CLI or GUI?

 

Thanks

3 Replies

balaji.bandi
Hall of Fame

16.12.X code is a bit old; I suggest upgrading to the latest 17.3.3.

 

Follow the guide below for the certificate (in the same way you can sign with a local CA instead of a 3rd party). Hope that helps you.

 

https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/213917-generate-csr-for-third-party-certificate.html

BB


Arshad Safrulla
VIP Alumni

As @balaji.bandi mentioned, please upgrade your WLC to the latest Cisco TAC recommended code. You can find it here:

Recommended Cisco IOS XE Releases for Catalyst 9800 Wireless LAN Controllers - Cisco

Basically it depends on the AP models registered to your WLC: if you have any Wave1 APs, the latest recommended code is 17.3.5a CCO image + SMU; if you have all WiFi6 APs, then you can upgrade to 17.6.3.

If you have a physical controller, it is recommended that you upgrade the ROMMON to the latest recommended release as well.

If you are looking for a self-signed certificate for CAPWAP between the AP and WLC, then follow the steps below:

● Delete the certificates which were copied along with the configuration. To do this, first check the existing certificates using the command "show crypto pki trustpoint"

● Delete the existing certificate authority "WLC_CA": no crypto pki server WLC_CA

● Delete existing device certificates: no crypto pki trustpoint "<hostname>_WLC_TP"

● Create a new SSC for the management interface using the exec command: wireless config vwlc-ssc key-size 2048 signature-algo sha256 password 0 <password>

https://www.cisco.com/c/en/us/products/collateral/wireless/catalyst-9800-series-wireless-controllers/guide-c07-743627.html#:~:text=register%20idtoken%20%3CTOKENID%3E-,There,-are%20extra%20considerations

If you need to install a certificate on the 9800 for any other purpose, it is covered in the article below:

Generate and Download CSR Certificates on Catalyst 9800 WLCs - Cisco

 
