Installing a WebAuth Certificate for local authentication

rasmus.elmholt
Level 7

Hi

 

I am having some problems with installing a star-certificate for WebAuth on a WLC 3504.

I have configured the WLC for local webauth and clients will get the webauth page, but gets a SSL error.

 

I have configured the virtual interface to use a FQDN as described here: https://www.cisco.com/c/en/us/td/docs/wireless/controller/7-4/configuration/guides/consolidated/b_cg74_CONSOLIDATED/b_cg74_CONSOLIDATED_chapter_010011101.html

 

Then I converted the star certificate from PFX format to PEM (using OpenSSL version 0.9.8) and appended the intermediate and root CA certificate in the file from: https://knowledge.digicert.com/generalinformation/INFO4033.html

Just as they describe in Step 2 - Option B here:

https://www.cisco.com/c/en/us/support/docs/wireless/4400-series-wireless-lan-controllers/109597-csr-chained-certificates-wlc-00.html

 

But when I tried to upload the certificate I keep getting an error:

TFTP receive complete... Installing Certificate.
*sshpmLscTask: Nov 09 20:04:19.297: sshpmLscTask: LSC Task received a message 4 
*TransferTask: Nov 09 20:04:24.265: Add WebAuth Cert: Adding certificate & private key using password ******
*TransferTask: Nov 09 20:04:24.265: Add ID Cert: Adding certificate & private key using password ******
*TransferTask: Nov 09 20:04:24.265: Add Cert to ID Table: Adding certificate (name: bsnSslWebauthCert) to ID table using password *******
*TransferTask: Nov 09 20:04:24.265: Add Cert to ID Table: Decoding PEM-encoded Certificate (verify: YES)
*TransferTask: Nov 09 20:04:24.265: Decode & Verify PEM Cert: Cert/Key Length was 0, so taking string length instead
*TransferTask: Nov 09 20:04:24.265: Decode & Verify PEM Cert: Cert/Key Length 6261 & VERIFY
*TransferTask: Nov 09 20:04:24.267: Decode & Verify PEM Cert: X509 Cert Verification return code: 0
*TransferTask: Nov 09 20:04:24.267: Decode & Verify PEM Cert: X509 Cert Verification result text: unable to get local issuer certificate
*TransferTask: Nov 09 20:04:24.267: Decode & Verify PEM Cert: Error in X509 Cert Verification at 0 depth: unable to get local issuer certificate
*TransferTask: Nov 09 20:04:24.268: Add Cert to ID Table: Error decoding (verify: YES) PEM certificate
*TransferTask: Nov 09 20:04:24.268: Add ID Cert: Error decoding / adding cert to ID cert table (verifyChain: TRUE)

 

When I run "openssl verify final.pem" I get something like the same error but I cannot figure out why.

error 20 at 0 depth lookup:unable to get local issuer certificate

 

I am stuck right now so any input would be appreciated.
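The checks a practitioner would run on the chained file before uploading it, as an added example that is not code from the original post or from Cisco. The log line "Error in X509 Cert Verification at 0 depth: unable to get local issuer certificate" means the controller could not find the issuer of the device certificate itself (depth 0) among the certificates that follow it in the file, so the useful test is whether each certificate's issuer is the subject of the next one, in the order the linked Cisco document describes (device certificate, intermediate, root). Note that a bare `openssl verify final.pem` is not that test: it reads only the first certificate in the file and looks for its issuer in the system trust store, so it reports error 20 even for a correct chain. The script builds a throwaway three-tier PKI so it runs offline; the names (Demo Root CA, Demo Intermediate CA, *.example.com) and the working directory are assumptions.

```sh
#!/bin/sh
# Added example (not from the original post or Cisco): assemble a WebAuth
# chain file in the order the WLC expects and check it the way the WLC's
# "verify: YES" step does. The PKI below is constructed for the demo; the
# names and paths are assumptions.
set -u

WORK="${WORK:-$(mktemp -d)}"

# Throwaway PKI: root -> intermediate -> wildcard leaf (constructed, not real).
make_demo_pki() {
    d="$1"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:*.example.com,DNS:example.com\n' > "$d/leaf.ext"
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Root CA" \
        -keyout "$d/root.key" -out "$d/root.csr" 2>/dev/null
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 365 \
        -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate CA" \
        -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -days 365 -extfile "$d/ca.ext" -out "$d/int.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=*.example.com" \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
        -CAcreateserial -days 365 -extfile "$d/leaf.ext" -out "$d/leaf.pem" 2>/dev/null
}

# Order the WLC expects: device certificate first, then each issuer up to the root.
build_chain() {
    cat "$1/leaf.pem" "$1/int.pem" "$1/root.pem" > "$1/final.pem"
}

# Split the chain file and require issuer(i) == subject(i+1) for every link.
# Prints the first broken link and returns 1; this is the depth-0 failure in the log.
check_links() {
    chain="$1"; tmp="$(mktemp -d)"
    awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/{n++} {print > (d "/c" n ".pem")}' "$chain"
    i=1
    while [ -f "$tmp/c$((i+1)).pem" ]; do
        issuer="$(openssl x509 -in "$tmp/c$i.pem" -noout -issuer | sed 's/^[a-z]*= *//')"
        subject="$(openssl x509 -in "$tmp/c$((i+1)).pem" -noout -subject | sed 's/^[a-z]*= *//')"
        if [ "$issuer" != "$subject" ]; then
            echo "broken link at cert $i: issuer '$issuer' != next subject '$subject'"
            rm -rf "$tmp"; return 1
        fi
        i=$((i+1))
    done
    rm -rf "$tmp"; return 0
}

# Path validation with an explicit trust anchor: the leaf through the
# untrusted intermediate up to the root we actually mean to trust.
verify_chain() {
    openssl verify -CAfile "$1/root.pem" -untrusted "$1/int.pem" "$1/leaf.pem" >/dev/null 2>&1
}

# The check from the post: no trust anchor given, only the first cert is read,
# so it fails with "error 20 ... unable to get local issuer certificate".
bare_verify_fails() {
    ! openssl verify "$1/final.pem" >/dev/null 2>&1
}

# A chain whose second certificate is a CA that did not sign the leaf: this is
# what the WLC rejects at depth 0.
make_wrong_chain() {
    d="$1"
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Other Intermediate CA" \
        -keyout "$d/other.key" -out "$d/other.csr" 2>/dev/null
    openssl x509 -req -in "$d/other.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -days 365 -extfile "$d/ca.ext" -out "$d/other.pem" 2>/dev/null
    cat "$d/leaf.pem" "$d/other.pem" "$d/root.pem" > "$d/final_bad.pem"
}

# Stand-alone run: good chain, the three checks, then the broken chain.
make_demo_pki "$WORK"
build_chain "$WORK"
echo "chain written to $WORK/final.pem"
check_links "$WORK/final.pem" && echo "links: OK"
verify_chain "$WORK" && echo "verify with explicit root: OK"
bare_verify_fails "$WORK" && echo "bare 'openssl verify final.pem': fails with no trust anchor, as in the post"
make_wrong_chain "$WORK"
check_links "$WORK/final_bad.pem" || echo "wrong intermediate detected"
```

For a real wildcard certificate the starting point is the PFX rather than the constructed PKI: `openssl pkcs12 -in wildcard.pfx -clcerts -nokeys -out leaf.pem` and `openssl pkcs12 -in wildcard.pfx -nocerts -out key.pem` give the device certificate and key, the CA bundle from the issuer supplies the intermediate and root, and `check_links` on the assembled file tells you whether the certificate placed right after the device certificate is the one named in its issuer field, which is the condition the controller's depth-0 check enforces.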


4 Replies

Hi ,

It looks like the intermediate CA is incorrect; maybe you can use the OpenSSL tools of another version and retry it. I have encountered the same issue before, but we could not fix it...
Waiting for your good news
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Rps-Cheers | If it solves your problem, please mark as answer. Thanks !

rasmus.elmholt (Accepted Solution)
Level 7

I needed to use the SHA-1 certificate ROOT for my wildcard certificate to make this work.
And now everything works as expected.
Tried the conversion both with openssl version 0.9.8 and 1.0.1t and both worked.

That's good news!
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Rps-Cheers | If it solves your problem, please mark as answer. Thanks !

Hello There,

 

Thank you for stating the exact same problem I'm having, and for stating that you solved it.

Would you be able to share the exact steps you took to solve it?

 

I too am trying to convert a .pfx file which contains a wildcard certificate for my internal systems.  I'm running into the same exact errors you displayed in the WLC and in the OpenSSL verify output.  You seem to indicate that you instead used a SHA-1 ROOT certificate for your wildcard cert to solve this.  Can you describe exactly what was involved in that?  Do I abandon trying to use the .pfx file which contains my wildcard cert, or are you implying that we go about producing the .pfx file (wildcard cert) using a different process?  Thank you for any insights or steps you can display. -Russ
