
Installing GoDaddy SSL Cert to WLC

ehayric1320
Level 1

Hello. I have a customer who wants to install a GoDaddy cert on their 2504 WLC. I am trying to do it via CLI and it keeps failing. A debug shows a message about a password, but GoDaddy has confirmed there is no password. This is quite misleading and I am not sure what to try next. I followed the guide and set the type to webadmin cert. You can see that it transfers the cert fine from the TFTP server.

My next theory... I found that the .zip file provided by GoDaddy to my customer contains three files. Only one is a PEM file and the others are security certificate files. I viewed the PEM contents and there is only one cert in it. An SSL cert should have three, correct?

From what I understand I am to only upload a single PEM file to the WLC. Does this mean I need to combine all three into a single PEM?

*TransferTask: Jun 02 18:13:03.002: RESULT_STRING: TFTP Webadmin cert transfer starting.

TFTP Webadmin cert transfer starting.

*TransferTask: Jun 02 18:13:03.002: RESULT_CODE:1

*TransferTask: Jun 02 18:13:07.037: TFTP: Binding to remote=10.170.2.16

*TransferTask: Jun 02 18:13:07.215: TFP End: 2406 bytes transferred (0 retransmitted packets)

*TransferTask: Jun 02 18:13:07.215: tftp rc=0, pHost=10.170.2.16 pFilename=./webadmincert_WLC.pem pLocalFilename=cert.p12

*TransferTask: Jun 02 18:13:07.263: RESULT_STRING: TFTP receive complete... installing Certificate.

*TransferTask: Jun 02 18:13:07.263: RESULT_CODE:13

*TransferTask: Jun 02 18:13:07.264: Adding cert (2386 bytes) with certificate key password.

*TransferTask: Jun 02 18:13:07.272: RESULT_STRING: Error installing certificate.

*TransferTask: Jun 02 18:13:07.273: RESULT_CODE:12

*TransferTask: Jun 02 18:13:07.273: Memory overcommit policy restored from 1 to 0

Accepted Solutions

When you generate a CSR, basically you are generating a public/private key pair. The private key remains on the device where you generate the CSR (your WLC); the public key with a few additional pieces of information about your organization (which you are calling the CSR) is what you are sending to GoDaddy to sign.
They will send you the signed certificate and root certificate. Before installing, open the PEM file in a notepad and make sure it has all certs. Each cert will start with “beginning of cert” and end with “end of cert”.

To see the actual cert, you can open the text in a separate notepad one at a time, rename it with a .crt extension, open it like a normal cert, and verify things like CN, serial, expiration date, etc. if you like.

-hope this helps-
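
An added example, not part of the original answer or of Cisco's documentation: a small Python check that inventories a PEM file before it is uploaded, reporting how many certificates it holds, whether a private key block is present, and whether that key is password-protected. The names `inspect_pem` and `make_block` and the sample files are constructed for illustration; the filler bodies are not real certificates.

```python
import base64
import re

# One PEM block: BEGIN line, optional RFC 1421 headers, base64 body, END line.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.DOTALL)

def inspect_pem(text):
    """Inventory the PEM blocks in `text`, in file order."""
    report = {"certificates": 0, "private_keys": 0,
              "encrypted_key": False, "order": [], "problems": []}
    for label, body in PEM_BLOCK.findall(text):
        lines = [ln.strip() for ln in body.splitlines()]
        headers = [ln for ln in lines if ":" in ln]
        payload = "".join(ln for ln in lines if ":" not in ln)
        try:
            base64.b64decode(payload, validate=True)
        except ValueError:  # binascii.Error is a ValueError
            report["problems"].append(f"{label}: body is not valid base64")
        report["order"].append(label)
        if label == "CERTIFICATE":
            report["certificates"] += 1
        elif label.endswith("PRIVATE KEY"):
            report["private_keys"] += 1
            # PKCS#8 encrypted label, or legacy OpenSSL "Proc-Type" header
            if label.startswith("ENCRYPTED") or any(
                    "ENCRYPTED" in h for h in headers):
                report["encrypted_key"] = True
    if not report["order"]:
        report["problems"].append("no PEM blocks found")
    return report

def make_block(label, raw, header=""):
    """Build a constructed PEM block; `raw` is filler, not real DER."""
    b64 = base64.b64encode(raw).decode()
    return f"-----BEGIN {label}-----\n{header}{b64}\n-----END {label}-----\n"

# Constructed samples: a lone certificate, a three-cert chain, chain plus key.
LEAF_ONLY = make_block("CERTIFICATE", b"constructed leaf")
CHAIN_NO_KEY = (LEAF_ONLY + make_block("CERTIFICATE", b"constructed intermediate")
                + make_block("CERTIFICATE", b"constructed root"))
CHAIN_WITH_KEY = CHAIN_NO_KEY + make_block(
    "RSA PRIVATE KEY", b"constructed key",
    header="Proc-Type: 4,ENCRYPTED\nDEK-Info: AES-256-CBC,00\n\n")

if __name__ == "__main__":
    for name in ("LEAF_ONLY", "CHAIN_NO_KEY", "CHAIN_WITH_KEY"):
        print(name, inspect_pem(globals()[name]))
```
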


dafriday
Cisco Employee

Ehayric1320,

 

This is the document you are using to create the certs?  If not I recommend following the steps outlined here.

  https://www.cisco.com/c/en/us/support/docs/wireless/4400-series-wireless-lan-controllers/109597-csr-chained-certificates-wlc-00.html#anc7

I did not create the certs, my customer did and I am just trying to help them install it. I am not understanding why I need to create a CSR when I already have the certs from GoDaddy. Does the CSR give me something else I need? The link you provided says I have to provide the CSR to the third party to sign.

Why would I need to hand it over to the third party for signing if the third party has already created the certs? Also, GoDaddy confirmed there is no password so that debug message is misleading.

"You then have to hand over this CSR to your third-party signing authority"

ehayric1320
Level 1

Ok... so I am not sure what my customer generated, but GoDaddy has told me that once I give the CSR to them they should then give me a single full chain PEM file back.

Once I receive that PEM should that be all I need or do I need something else?


ehayric1320
Level 1

Got the full chain cert back from GoDaddy after generating the CSR on the WLC itself. Went to install it and received an error about the private key. I shouldn't need to use OpenSSL to combine the chained cert with the private key, should I? I would think the WLC already knows about the private key. The Cisco troubleshooting guide mentions this error but only says to be sure the WLC wasn't reloaded, which it hasn't been, so the key shouldn't be lost.

https://www.cisco.com/c/en/us/support/docs/wireless/wireless-lan-controller-software/215425-troubleshoot-certificate-installation-on.html

*TransferTask: Apr 21 05:02:34.768: Add Cert to ID Table: No Private Key


