Thanks Nicolas,
Here are the exact steps I took to complete this process. I dont have step-bystep instructions for the actual certificate signing part using Microsoft Certificare Services but I can supply those if needed. As you can say, once the certificate is generated, signed and then TFTP'd onto the box, it says File Transfer Failed. I know the file physically transferred successfully as the logs on my TFTP server hosting the signed cert show the file transfer was successful. Can you see what might be going wrong?
===Generate a CSR using OpenSSL===
1. Install OpenSSL from here:
http://downloads.sourceforge.net/project/gnuwin32/openssl/0.9.8h-1/openssl-0.9.8h-1-setup.exe?use_mirror=voxel
2. Open a command prompt and go to C:\openssl\bin and execute openssl.exe
C:\>cd openssl
C:\OpenSSL>cd bin
C:\OpenSSL\bin>openssl
3. Generate a 1024 bit CSR (For Web Auth, it must be 2048 if requiring an Extended Validation certificate)
OpenSSL> req -new -newkey rsa:1024 -nodes -keyout wlc-key.pem -out wlc-csr.pem
Loading 'screen' into random state - done
Generating a 2048 bit RSA private key
..................+++
................................................................+++
writing new private key to 'wlc-key.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:GB
State or Province Name (full name) [Some-State]:State
Locality Name (eg, city) []:City
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Company
Organizational Unit Name (eg, section) []:Department
Common Name (eg, YOUR name) []:wlc
Email Address []:email@address.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
OpenSSL>
You will now have one csr file and one key file generated in the C:\openssl\bin directory:
wlc-csr.pem
wlc-key.pem
===Sign the CSR file using your Corporate CA===
At this point, we sent it to our Microsoft Certificate Services administrator who signed the certificate using the standard Web Server certificate template and reterned a wlc-signed.cer certificate file.
===Upload Signed Certificate to WLC===
Place certificate in a TFTP accessible location
Go to WLC > Management > HTTP
On the HTTP Configuration page, check the Download SSL Certificate check box
In the Server IP Address field, enter the IP address of the TFTP server.
In the Maximum Retries field, enter the maximum number of times that the TFTP server attempts to download the certificate e.g. 10
In the Timeout field, enter the amount of time (in seconds) that the TFTP server attempts to download the certificate e.g. 6
In the Certificate File Path field, enter the directory path of the certificate. If the path is in the root of the TFTP server folder then enter /
In the Certificate File Name field, enter the name of the certificate (wlc-signed.cer).
(Optional) In the Certificate Password field, enter a password to encrypt the certificate. - I left this blank
Click Apply to commit your changes.
A pop up will appear saying "Are you sure you want to download Certificates from the specified Server?". Click OK
At the bottom of the screen it says "File transfer operation started"
After a few seconds, it then says "File transfer failed!"
--- I did not get to complete the remaining instructions due to transfer failure ----
Click Save Configuration to save your changes.
To reboot the controller for your changes to take effect, choose Commands > Reboot > Reboot > Save and Reboot.
