06-03-2022 06:28 AM
Hello. I have a customer who wants to install a Godaddy cert on their 2504 WLC. I am trying to do it via CLI and it keeps failing. A debug shows a message about password but Godaddy has confirmed there is no password. This is quite misleading and I am not sure what to try next. I followed the guide and set the type to webadmin cert. You can see that it transfers the cert fine from the TFTP server.
My next theory... I found that the .zip file provided by Godaddy to my customer contains three files. Only one is a PEM file and the others are security certificate files. I viewed the PEM contents and there is only one cert in it. An SSL cert should have three, correct?
From what I understand I am to only upload a single PEM file to the WLC. Does this mean I need to combine all three into a single PEM?
*TransferTask: Jun 02 18:13:03.002: RESULT_STRING: TFTP Webadmin cert transfer starting.
TFTP Webadmin cert transfer starting.
*TransferTask: Jun 02 18:13:03.002: RESULT_CODE:1
*TransferTask: Jun 02 18:13:07.037: TFTP: Binding to remote=10.170.2.16
*TransferTask: Jun 02 18:13:07.215: TFP End: 2406 bytes transferred (0 retransmitted packets)
*TransferTask: Jun 02 18:13:07.215: tftp rc=0, pHost=10.170.2.16 pFilename=./webadmincert_WLC.pem
pLocalFilename=cert.p12
*TransferTask: Jun 02 18:13:07.263: RESULT_STRING: TFTP receive complete... installing Certificate.
*TransferTask: Jun 02 18:13:07.263: RESULT_CODE:13
*TransferTask: Jun 02 18:13:07.264: Adding cert (2386 bytes) with certificate key password.
*TransferTask: Jun 02 18:13:07.272: RESULT_STRING: Error installing certificate.
*TransferTask: Jun 02 18:13:07.273: RESULT_CODE:12
*TransferTask: Jun 02 18:13:07.273: Memory overcommit policy restored from 1 to 0
06-03-2022 02:50 PM - edited 06-03-2022 02:52 PM
When you generate a CSR, you are basically generating a public/private key pair. The private key remains on the device where you generate the CSR (your WLC); the public key, with some additional information about your organization (which you are calling the CSR), is what you are sending to GoDaddy to sign.
They will send you the signed certificate and root certificate. Before installing, open the PEM file in a notepad and make sure it has all the certs. Each cert will start with “beginning of cert” and end with “end of cert”.
To see an actual cert, you can open the text in a separate notepad one at a time, rename it with a .crt extension, open it like a normal cert, and verify things like CN, serial, expiration date, etc. if you like.
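The check described in this answer (open the PEM and confirm it holds every certificate) can be scripted. The following is an added example, not part of the original thread and not Cisco or GoDaddy tooling; `inspect_pem`, `pem_block` and the sample bundles are hypothetical and constructed, with placeholder bytes instead of real certificates. It goes slightly beyond the answer by also reporting whether a private key block is present and whether it is passphrase-protected, the two points the debug messages elsewhere in the thread refer to.

```python
import base64
import re

# One PEM block: BEGIN line, optional headers, base64 body, END line.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END ([A-Z0-9 ]+)-----",
    re.DOTALL)

def inspect_pem(text):
    """Count certificates and private keys in a PEM bundle before upload."""
    report = {"certificates": 0, "private_keys": 0,
              "encrypted_keys": 0, "problems": []}
    for begin, body, end in PEM_BLOCK.findall(text):
        if begin != end:
            report["problems"].append(f"BEGIN {begin} closed by END {end}")
            continue
        lines = [ln.strip() for ln in body.splitlines() if ln.strip()]
        headers = [ln for ln in lines if ":" in ln]   # e.g. Proc-Type
        payload = "".join(ln for ln in lines if ":" not in ln)
        try:
            base64.b64decode(payload, validate=True)
        except ValueError:
            report["problems"].append(f"{begin}: body is not valid base64")
            continue
        if begin == "CERTIFICATE":
            report["certificates"] += 1
        elif begin.endswith("PRIVATE KEY"):
            report["private_keys"] += 1
            # A passphrase-protected key shows up in the label or a header.
            if begin.startswith("ENCRYPTED") or any("ENCRYPTED" in h for h in headers):
                report["encrypted_keys"] += 1
    if report["certificates"] == 0:
        report["problems"].append("no certificate found")
    return report

def pem_block(label, raw, headers=""):
    """Build a constructed PEM block; the bytes are placeholders, not real DER."""
    b64 = base64.b64encode(raw).decode()
    return f"-----BEGIN {label}-----\n{headers}{b64}\n-----END {label}-----\n"

# Constructed sample bundles (not real certificates or keys).
LEAF_ONLY = pem_block("CERTIFICATE", b"constructed leaf")
FULL_CHAIN = (LEAF_ONLY + pem_block("CERTIFICATE", b"constructed intermediate")
              + pem_block("CERTIFICATE", b"constructed root"))
WITH_KEY = FULL_CHAIN + pem_block("RSA PRIVATE KEY", b"constructed key",
                                  "Proc-Type: 4,ENCRYPTED\n\n")

if __name__ == "__main__":
    for name, pem in [("leaf only", LEAF_ONLY), ("full chain", FULL_CHAIN),
                      ("chain + key", WITH_KEY)]:
        print(name, inspect_pem(pem))
```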
06-03-2022 07:00 AM
Ehayric1320,
This is the document you are using to create the certs? If not I recommend following the steps outlined here.
06-03-2022 09:43 AM - edited 06-03-2022 09:43 AM
I did not create the certs, my customer did and I am just trying to help them install it. I am not understanding why I need to create a CSR when I already have the certs from Godaddy. Does the CSR give me something else I need? The link you provided says I have to provide the CSR to the third party to sign.
Why would I need to hand it over to the third party for signing if the third party has already created the certs? Also, Godaddy confirmed there is no password so that debug message is misleading.
"You then have to hand over this CSR to your third-party signing authority"
06-03-2022 10:56 AM
Ok... so I am not sure what my customer generated but Godaddy has told me that once I give the CSR to them they should then give me a single full chain PEM file back.
Once I receive that PEM should that be all I need or do I need something else?
06-08-2022 05:32 AM
Got the full chain cert back from Godaddy after generating the CSR on the WLC itself. Went to install it and received an error about the private key. I shouldn't need to use OpenSSL to combine the chained cert with the private key, should I? I would think the WLC already knows about the private key. The Cisco troubleshooting guide mentions this error but only says to be sure the WLC wasn't reloaded, which it hasn't been, so the key shouldn't be lost.
https://www.cisco.com/c/en/us/support/docs/wireless/wireless-lan-controller-software/215425-troubleshoot-certificate-installation-on.html
*TransferTask: Apr 21 05:02:34.768: Add Cert to ID Table: No Private Key