03-10-2011 11:10 AM - edited 07-03-2021 07:56 PM
Our Security Policy requires all web admin pages to be signed by our corporate Certificate Authority. I have successfully implemented a 3rd party SSL certificate for the Web Auth of our Guest WLAN but I need to install a signed certificate for the Management of the WLC itself. I have followed the instructions here:
http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00806e367a.shtml
but this was more useful for Web Auth. I can't find a specific document explaining how it should be done for the Management interface.
Any help greatly appreciated.
03-11-2011 04:08 AM
1) Please use a password. Blank passwords regularly give problems.
2) You didn't recombine the key with certificate before uploading to the WLC:
Combine the CA.pem certificate with the private key, and then convert the file to a .pem file.
Issue this command in the OpenSSL application:
openssl>pkcs12 -export -in CA.pem -inkey mykey.pem -out CA.p12 -clcerts -passin pass:check123 -passout pass:check123
openssl>pkcs12 -in CA.p12 -out final.pem -passin pass:check123 -passout pass:check123
Note: In this command, you must enter a password for the parameters -passin and -passout. The password that is configured for the -passout parameter must match the certpassword parameter that is configured on the WLC. In this example, the password that is configured for both the -passin and -passout parameters is check123. Step 4 of the procedure in the Download the Third-Party Certificate to the WLC section of this document discusses the configuration of the certpassword parameter.
The final.pem is the file that is transferred via TFTP to the Cisco WLC.
Now that you have the certificate from the third-party CA, you need to download the certificate to the WLC.
03-10-2011 10:35 PM
"management" menu on the WLC GUI.
=> HTTP
at the bottom of the page you have "download SSL certificate". That's how you download it.
Note that unfortunately, chained certificates are still not supported for the management interface. So your clients will have to trust the issuer of the WLC management cert directly, no intermediates allowed.
From there, it should be a simple creation of a certificate for role "web server".
Nicolas
03-11-2011 03:57 AM
Thanks Nicolas,
Here are the exact steps I took to complete this process. I don't have step-by-step instructions for the actual certificate signing part using Microsoft Certificate Services but I can supply those if needed. As you can see, once the certificate is generated, signed and then TFTP'd onto the box, it says File Transfer Failed. I know the file physically transferred successfully as the logs on my TFTP server hosting the signed cert show the file transfer was successful. Can you see what might be going wrong?
===Generate a CSR using OpenSSL===
1. Install OpenSSL from here:
2. Open a command prompt and go to C:\openssl\bin and execute openssl.exe
C:\>cd openssl
C:\OpenSSL>cd bin
C:\OpenSSL\bin>openssl
3. Generate a 1024 bit CSR (For Web Auth, it must be 2048 if requiring an Extended Validation certificate)
OpenSSL> req -new -newkey rsa:1024 -nodes -keyout wlc-key.pem -out wlc-csr.pem
Loading 'screen' into random state - done
Generating a 2048 bit RSA private key
..................+++
................................................................+++
writing new private key to 'wlc-key.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:GB
State or Province Name (full name) [Some-State]:State
Locality Name (eg, city) []:City
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Company
Organizational Unit Name (eg, section) []:Department
Common Name (eg, YOUR name) []:wlc
Email Address []:email@address.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
OpenSSL>
You will now have one csr file and one key file generated in the C:\openssl\bin directory:
wlc-csr.pem
wlc-key.pem
===Sign the CSR file using your Corporate CA===
At this point, we sent it to our Microsoft Certificate Services administrator who signed the certificate using the standard Web Server certificate template and returned a wlc-signed.cer certificate file.
===Upload Signed Certificate to WLC===
Place certificate in a TFTP accessible location
Go to WLC > Management > HTTP
On the HTTP Configuration page, check the Download SSL Certificate check box
In the Server IP Address field, enter the IP address of the TFTP server.
In the Maximum Retries field, enter the maximum number of times that the TFTP server attempts to download the certificate e.g. 10
In the Timeout field, enter the amount of time (in seconds) that the TFTP server attempts to download the certificate e.g. 6
In the Certificate File Path field, enter the directory path of the certificate. If the path is in the root of the TFTP server folder then enter /
In the Certificate File Name field, enter the name of the certificate (wlc-signed.cer).
(Optional) In the Certificate Password field, enter a password to encrypt the certificate. - I left this blank
Click Apply to commit your changes.
A pop up will appear saying "Are you sure you want to download Certificates from the specified Server?". Click OK
At the bottom of the screen it says "File transfer operation started"
After a few seconds, it then says "File transfer failed!"
--- I did not get to complete the remaining instructions due to transfer failure ----
Click Save Configuration to save your changes.
To reboot the controller for your changes to take effect, choose Commands > Reboot > Reboot > Save and Reboot.
03-11-2011 05:58 AM
Thanks Nicolas, that worked. I can't believe I forgot the steps to combine the private key with the signed certificate! I did do all this previously for the Web Auth certificate without problem, just forgot about this part on this occasion.
For info, I did not enter a challenge password so it is ok to leave that blank but when converting to a PEM file, the -passout parameter must be filled in and specified as the Certificate Password on the Management > HTTP Configuration page.
Thanks again.
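The whole sequence from this thread, as an added example (not the OP's commands or Cisco's documentation): generate the key and CSR, stand in for the corporate CA with a self-signed certificate so it runs offline, recombine key and certificate into final.pem the way the accepted solution describes, and check the result before it is uploaded. It assumes a POSIX shell with openssl on PATH; WORK is a scratch directory chosen here, and the password passed in is the one that must also be entered as Certificate Password on Management > HTTP.

```shell
#!/bin/sh
# Added example, not from the thread or Cisco docs. Assumes openssl on PATH.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # scratch directory (assumption, not a WLC path)

# Step 1 from the OP's post: private key + CSR. File names follow the thread;
# the subject values are the placeholders the OP typed at the prompts.
make_csr() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/wlc-key.pem" \
    -out "$WORK/wlc-csr.pem" \
    -subj "/C=GB/ST=State/L=City/O=Company/OU=Department/CN=wlc" 2>/dev/null
}

# Stand-in for the corporate CA signing step (Microsoft Certificate Services
# in the thread): constructed here as a self-signed cert so the script is offline.
sign_csr_locally() {
  openssl x509 -req -in "$WORK/wlc-csr.pem" -signkey "$WORK/wlc-key.pem" \
    -days 365 -out "$WORK/wlc-signed.cer" 2>/dev/null
}

# The fix from the accepted solution: bundle cert + key into PKCS#12, then
# write it back out as one PEM. $1 is the password; it must match the
# Certificate Password field on the WLC, and it must not be blank.
build_final_pem() {
  openssl pkcs12 -export -in "$WORK/wlc-signed.cer" -inkey "$WORK/wlc-key.pem" \
    -out "$WORK/wlc.p12" -clcerts -passin "pass:$1" -passout "pass:$1"
  openssl pkcs12 -in "$WORK/wlc.p12" -out "$WORK/final.pem" \
    -passin "pass:$1" -passout "pass:$1"
}

# Pre-upload checks: exactly one certificate (no intermediates, which the
# management interface does not accept), one private key, and the key's
# public half matches the certificate's.
check_final_pem() {
  f="$WORK/final.pem"
  certs=$(grep -c 'BEGIN CERTIFICATE-----' "$f" || true)
  keys=$(grep -c 'BEGIN.*PRIVATE KEY-----' "$f" || true)
  cert_pub=$(openssl x509 -in "$f" -noout -pubkey | openssl sha256)
  key_pub=$(openssl pkey -in "$f" -passin "pass:$1" -pubout 2>/dev/null | openssl sha256)
  [ "$certs" -eq 1 ] && [ "$keys" -eq 1 ] && [ "$cert_pub" = "$key_pub" ]
}

# Runs the whole pipeline; returns 0 when final.pem is ready to TFTP to the WLC.
wlc_pem_ok() {
  make_csr && sign_csr_locally && build_final_pem "$1" && check_final_pem "$1"
}
```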
03-12-2011 07:43 AM
Seems like you got it ... But if you forget in the future I posted a step by step here ...
01-23-2018 04:21 PM
Can it be done without TFTP, e.g. FTP or SFTP?