2591 Views | 3 Helpful | 4 Replies

Importing *.domain .CRT in to WLC for Web Auth

alexmcdonald87
Level 1

Hi All,

I've been struggling to import a certificate that we already have on to our WiSMs. I've reviewed the documentation located here: http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00806e367a.shtml  But being fairly inexperienced with openssl I've been unable to get our certificate to work, if it's even possible. We don't really want to purchase another certificate because we already have a certificate for *.domain.com in the .CRT format which is signed by a certificate authority. All of the documentation online refers to purchasing a new certificate; is this the only way I can get it to work? Since we already have a certificate for *.domain.com I would prefer to create a new DNS entry for wifi.domain.com and link that to the virtual IP. I've tried converting the .crt to .pem with openssl but that didn't work; this is the output from the WiSM when importing the certificate:

(WiSM-slot6-1) >transfer download start
Mode............................................. TFTP Data
Type........................................ Site Cert
TFTP Server IP................................... x.x.x.x
TFTP Packet Timeout.............................. 6
TFTP Max Retries................................. 10
TFTP Path........................................ /
TFTP Filename.................................... STAR_domain_com.pem
This may take some time. Are you sure you want to start? (y/N) y
  TFTP Webauth cert transfer starting.
TFTP receive complete...
Installing Certificate. 
Error installing certificate.


We also have the certificate in a -bundle format if that is any help. The output from the controller isn't really that helpful; is there any way to find out more about what is wrong? Any help would be greatly appreciated.
Cheers,
Alex


4 Replies

Stephen Rodriguez
Cisco Employee

The cert type shouldn't be a site cert. It should be webauth.

Cheers,
Steve


Nicolas Darchis (Accepted Solution)
Cisco Employee

I haven't tried it recently, but I'm afraid of this one:

CSCsy88149 Chained certificate can not have Wildcard * character in hostname

Even if bought at verisign or any root CA, your cert has a good chance of being chained since they very often use an intermediate CA. I know wildcard certs are supported but this bug seems to say that it doesn't work for chained.

Again, I didn't verify it myself.

That's unfortunate, thanks for the help anyway.

If this is a chain, DID you put them in the correct order?

I had the same issue and the certs weren't in the proper order. I blogged about this:

http://www.my80211.com/home/2011/1/16/wlcgenerate-third-party-web-authentication-certificate-for-a.html

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
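Both the original question (a wildcard .crt the WiSM refuses with nothing more than "Error installing certificate") and the last reply (a chain whose certificates were in the wrong order) come down to what is inside the PEM bundle, which the controller's output never tells you. The script below is an added example, not code from this thread, from Cisco, or from the linked blog. It uses the openssl CLI to build a constructed three-tier chain (Toy Root CA, Toy Intermediate CA and *.example.com are invented names), sorts any bundle into leaf-first order by matching each certificate's issuer hash to the subject hash of the next one, and flags the wildcard-plus-chained combination that the bug reference CSCsy88149 describes, so you can see both conditions on your own file before trying the import. It only orders the certificates; combining the ordered chain with the private key is a separate step covered by the Cisco document linked in the question.

```shell
#!/bin/sh
# Added example (not from the thread): order a PEM certificate bundle
# leaf -> intermediate -> root and flag a chained wildcard certificate.
# Requires the openssl CLI. All certificate names are constructed.

set -u

# Split a PEM bundle into one file per certificate: $2/cert-1.pem, cert-2.pem, ...
# Text outside BEGIN/END blocks (e.g. "Bag Attributes") is dropped.
split_bundle() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem"; inside = 1 }
        inside { print > out }
        /-----END CERTIFICATE-----/ { inside = 0; close(out) }
    ' "$1"
}

# Subject / issuer name hashes of the first certificate in a file.
subject_hash() { openssl x509 -noout -subject_hash -in "$1"; }
issuer_hash()  { openssl x509 -noout -issuer_hash  -in "$1"; }

# CN of the first certificate in a file (RFC2253 form is stable across openssl versions).
leaf_cn() {
    openssl x509 -noout -subject -nameopt RFC2253 -in "$1" |
        sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p'
}

# Print the certificates of bundle $1 leaf first, each issuer after the
# certificate it signed. Returns 1 if no leaf can be identified.
order_chain() {
    tmp=$(mktemp -d) || return 1
    split_bundle "$1" "$tmp"
    [ -e "$tmp/cert-1.pem" ] || { rm -rf "$tmp"; return 1; }
    issuers=$(for f in "$tmp"/cert-*.pem; do issuer_hash "$f"; done)
    # The leaf is the one certificate that no certificate in the bundle names as issuer
    # (a self-signed root names itself, so it is never chosen here).
    cur=""
    for f in "$tmp"/cert-*.pem; do
        if ! printf '%s\n' "$issuers" | grep -qx "$(subject_hash "$f")"; then
            cur=$f; break
        fi
    done
    if [ -z "$cur" ]; then
        echo "order_chain: no leaf certificate found in $1" >&2
        rm -rf "$tmp"; return 1
    fi
    # Walk upwards: after each certificate emit the one whose subject is its issuer.
    count=$(ls "$tmp"/cert-*.pem | wc -l | tr -d ' ')
    i=0
    while [ -n "$cur" ] && [ "$i" -lt "$count" ]; do
        cat "$cur"
        i=$((i + 1))
        want=$(issuer_hash "$cur")
        [ "$want" = "$(subject_hash "$cur")" ] && break   # reached a self-signed root
        next=""
        for f in "$tmp"/cert-*.pem; do
            if [ "$(subject_hash "$f")" = "$want" ]; then next=$f; break; fi
        done
        cur=$next   # empty if the issuer is missing from the bundle: stop there
    done
    rm -rf "$tmp"
}

# Returns 0 when an already ordered bundle has a wildcard leaf plus at least one
# issuing certificate, i.e. the combination CSCsy88149 says the WLC rejects.
is_chained_wildcard() {
    tmp=$(mktemp -d) || return 1
    split_bundle "$1" "$tmp"
    n=$(ls "$tmp"/cert-*.pem 2>/dev/null | wc -l | tr -d ' ')
    cn=$(leaf_cn "$1")
    rm -rf "$tmp"
    if [ "$n" -gt 1 ]; then case "$cn" in \*.*) return 0 ;; esac; fi
    return 1
}

# Build a constructed chain in $1: Toy Root CA -> Toy Intermediate CA -> *.example.com
make_toy_chain() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Toy Root CA" \
        -keyout "$d/root.key" -out "$d/root.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Toy Intermediate CA" \
        -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$d/int.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
        -CAcreateserial -out "$d/int.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=*.example.com" \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$d/leaf.csr" -CA "$d/int.crt" -CAkey "$d/int.key" \
        -CAcreateserial -out "$d/leaf.crt" 2>/dev/null
}

demo() {
    d=$(mktemp -d) || exit 1
    make_toy_chain "$d"
    # CAs often hand the files back root first; scramble to simulate that.
    cat "$d/root.crt" "$d/leaf.crt" "$d/int.crt" > "$d/bundle.pem"
    order_chain "$d/bundle.pem" > "$d/ordered.pem"
    echo "ordered chain:"
    split_bundle "$d/ordered.pem" "$d"
    for f in "$d"/cert-*.pem; do echo "  $(leaf_cn "$f")"; done
    if is_chained_wildcard "$d/ordered.pem"; then
        echo "wildcard leaf with a chain: check CSCsy88149 before importing"
    fi
    rm -rf "$d"
}
demo
```

Run it as `sh chain-order.sh` to see the toy chain sorted; on your own file, `order_chain STAR_domain_com-bundle.crt > ordered.pem` gives you the leaf-first chain, and `is_chained_wildcard ordered.pem` tells you whether the certificate falls into the wildcard-plus-intermediate case. If `order_chain` reports no leaf, every certificate in the bundle is self-signed or the leaf is simply not in the file, which is worth knowing before blaming the controller.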