Renew Self-Signed Certificate on Cisco 9800

mumbles202
Level 5
Level 5

Currently have a 9800-40 w/ 100 APs associated and working as expected. The self-signed certificate used for AP Join is expiring next month and wanted to work on getting it renewed and replaced prior so as to not have any issues. I was reading this document:

Cisco Catalyst 9800 Series Wireless Controller Software Configuration Guide, Cisco IOS XE 17.16.x - Controller Self-Signed Certificate for Wireless AP Join [Cisco Catalyst 9800 Series Wireless Controllers] - Cisco

and trying to get the required steps but a little unclear. Would I just need to issue the following:

conf t
crypto key generate rsa exportable general-keys modulus 2048 label ewlc-tp1
crypto pki trustpoint ewlc-tp1
rsakeypair ewlc-tp1
subject-name O=Cisco Wireless LAN Controller, CN=DEVICE-9800-WLC
revocation-check none
hash sha1
serial-number
eku request server-auth client-auth
password 0 cisco123
enrollment url http://172.25.80.10:80
end

crypto pki authenticate ewlc-tp1
crypto pki enroll ewlc-tp1
end

wireless management trustpoint ewlc-tp1

Is this correct? With respect to the currently connected APs, will anything need to be done w/ them other than a reboot of the AP at a later time to have them get the new certificate?

19 Replies

Why not just bypass the cert check?

MHM

Mark Elsen
Hall of Fame
Hall of Fame

@mumbles202 Are you sure that needs to be done?
Ref: https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/221047-understand-certificate-and-trustpoint-ty.html

> Manufacturer Installed Certificate (MIC)
> This certificate is by default installed on the physical appliances—such as the 9800-80, 9800-40, and the 9800-L. As its name implies, it is factory installed and cannot be modified. This certificate is used for when the AP joins for the first time to the WLC.
> To check if a MIC certificate is indeed installed on the 9800, you can enter the command show wireless management trustpoint.

M.

-- Let everything happen to you
Beauty and terror
Just keep going
No feeling is final
Reiner Maria Rilke (1899)

Stefan Mihajlov
Level 3
Level 3

@mumbles202 

On the 9800 you don’t need to spin up a new external PKI trustpoint just to keep APs online — the AP join process relies on the controller’s SSC (self-signed certificate), which you can regenerate natively. The right flow is:

  • Generate a new self-signed certificate on the WLC (either via GUI → Configuration > Security > PKI Management > SSC or in CLI with wireless config vwlc-ssc generate).

  • The controller will automatically update its SSC and push it during the AP join handshake.

Your APs don’t need to be re-provisioned; they’ll simply re-establish CAPWAP with the new cert. In most cases they won’t even drop until they next rejoin (reboot or session reset).

The PKI trustpoint config you pasted is the method if you want to use a CA-signed cert for management HTTPS or EAP-TLS. For AP join, the simpler and recommended path is to regenerate the built-in SSC.

So: just regenerate the SSC on the controller, reload if prompted, and your 100 APs will rejoin automatically. No per-AP manual action is required.

–––
Best regards,
Stefan Mihajlov

Mark this post as Helpful if it helped you, and Accept as Solution if it resolved your question.

mumbles202
Level 5
Level 5

I checked last night and confirmed that the controller is showing a MIC installed:

#show wireless management trustpoint
Trustpoint Name : CISCO_IDEVID_SUDI
Certificate Info : Available
Certificate Type : MIC


I think last time there was a reboot there were issues with some of the APs rejoining the controller, and it might have actually been an issue w/ the expired certs on the APs, since rolling back the time on the WLC corrected that temporarily. Would issuing this:

config ap cert-expiry-ignore mic enable

on the controller be the fix for that until those older APs can be replaced? Would anything need to be done w/ the SSC?

config ap cert-expiry-ignore mic enable <<- that's what you need

Show trustpoint gives you info about the WLC, not about the AP cert.

Here we need the WLC to bypass the expired AP cert.

MHM

@MHM Cisco World "config ap cert-expiry-ignore mic enable" is for AireOS not IOS-XE (9800).

Refer to field notice 63942 (link below) for equivalent config for 9800 WLC.

Also @mumbles202 what version of software are you using? (refer to TAC recommended link below)
CISCO_IDEVID_SUDI has been deprecated and replaced by CISCO_IDEVID_CMCA3_SUDI
https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/17-9/release-notes/rn-17-9-9800.html#whatsnew1795
https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/17-14/release-notes/rn-17-14-9800.html#behavior-change

Please check Mark's link.

The command is listed as a workaround for the WLC 9800, AND YOU selected it as the solution.

"Solutions for Expired WLC Certificates

Situation: The Cisco WLC does not run a fixed software release and some Cisco APs cannot join. Complete the following steps:

  1. Upgrade to a fixed software release.
  2. Enter the config ap cert-expiry-ignore {mic|ssc} enable command."

MHM

Why are you continuing to advise AireOS commands @MHM Cisco World  ?

This is listed in the link you marked as the solution?

And friend, please don't mention me or send me anything.

Let me reply to others as you do.

MHM

9800WLC(config)# wireless management trustpoint <trustpoint-name>
9800WLC(config-trustpoint)# no revocation-check
9800WLC(config)# ap cert-expiry-ignore {mic | ssc | all}

MHM

@MHM Cisco World That information is not correct.
@mumbles202 To allow access points with expired certificates on the 9800 platform
check out: https://www.cisco.com/c/en/us/support/docs/field-notices/639/fn63942.html
Start reading from: 1. Use the Cisco C9800 command to accept expired certificates
Complete steps 2. and 3. too!

M.

-- Let everything happen to you
Beauty and terror
Just keep going
No feeling is final
Reiner Maria Rilke (1899)

Rich R
VIP
VIP

If you are using a self-signed certificate then that is a mistake! That is only needed on the 9800-CL (virtual WLC).

The hardware appliances use the embedded Cisco Manufacturing Installed Certificate (MIC) for AP join.

This is how it should look:
9800#show wireless management trustpoint
Trustpoint Name : CISCO_IDEVID_CMCA3_SUDI
Certificate Info : Available
Certificate Type : MIC
Certificate Hash : 202958d68b57977e8df7d54b60c772ab13f84de5
Private key Info : Available
FIPS suitability : Not Applicable
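The two "show wireless management trustpoint" outputs in this thread (the deprecated CISCO_IDEVID_SUDI one and the expected CISCO_IDEVID_CMCA3_SUDI one) are the kind of thing worth checking automatically before a reboot, together with the expiry date of the certificate behind the trustpoint. The following is an added example, not code from the thread or from Cisco: it parses the trustpoint output plus a "show crypto pki certificates" validity block and returns findings. The sample outputs are constructed, the "end date" line layout and its UTC interpretation are assumptions, and the function and variable names are my own.

```python
# Added example, not from the thread or from Cisco. Parses the two "show"
# outputs discussed above and flags what the replies warn about. Samples are
# constructed; the 'end date' layout is assumed to follow 'show crypto pki
# certificates' and to be in UTC.
import re
from datetime import datetime, timezone

DEPRECATED = {"CISCO_IDEVID_SUDI": "CISCO_IDEVID_CMCA3_SUDI"}  # per the replies
MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), 1)}
SAMPLE_TP = "Trustpoint Name : CISCO_IDEVID_SUDI\nCertificate Info : Available\nCertificate Type : MIC\n"
SAMPLE_CERT = "Certificate\n  Status: Available\n  Validity Date:\n" \
              "    start date: 00:00:00 UTC Jan 1 2015\n    end   date: 23:59:59 UTC Oct 15 2025\n"

def parse_mgmt_trustpoint(text):
    # 'Key : Value' lines of 'show wireless management trustpoint' -> dict
    fields = {}
    for line in text.splitlines():
        key, sep, val = line.partition(":")
        if sep:
            fields[key.strip()] = val.strip()
    return fields

def parse_end_date(text):
    # 'end   date: HH:MM:SS TZ Mon D YYYY' -> aware datetime, or None if absent
    m = re.search(r"end\s+date:\s+(\d\d):(\d\d):(\d\d)\s+\w+\s+(\w{3})\s+(\d+)\s+(\d{4})", text)
    if not m:
        return None
    hh, mm, ss, mon, day, year = m.groups()
    return datetime(int(year), MONTHS[mon], int(day), int(hh), int(mm), int(ss), tzinfo=timezone.utc)

def check_ap_join_cert(tp_text, cert_text, now, hardware=True, warn_days=30):
    # Returns a list of findings for the AP-join trustpoint; empty means healthy.
    tp = parse_mgmt_trustpoint(tp_text)
    findings = []
    name = tp.get("Trustpoint Name", "")
    if name in DEPRECATED:
        findings.append(f"{name} is deprecated, expected {DEPRECATED[name]}")
    if tp.get("Certificate Info") != "Available":
        findings.append("no certificate available on the management trustpoint")
    if hardware and tp.get("Certificate Type") == "SSC":
        findings.append("SSC on a hardware appliance; the embedded MIC is expected")
    end = parse_end_date(cert_text)
    if end is None:
        findings.append("could not read the certificate end date")
    elif (end - now).days < 0:
        findings.append(f"certificate expired {(now - end).days} days ago")
    elif (end - now).days <= warn_days:
        findings.append(f"certificate expires in {(end - now).days} days")
    return findings
```

Run it against the real "show" output captured from the controller with a current timestamp; an empty list means no action before the reboot, anything else is a finding to resolve first.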

Why mislead him?

He asked about the AP cert expiring, not the WLC's??

Please double check his request.

MHM

That's a very bold accusation!  Everything I have stated is fact backed up by links to the relevant Cisco documentation.
I'm not the person who provided an AireOS command for an IOS-XE WLC.
And the post is clearly and unambiguously about the WLC certificate.
The AP join issues are secondary to the primary issue.
I provided answers to both issues - for 9800 WLC - which @Mark Elsen has reiterated and @mumbles202 has confirmed (as expected) that AireOS commands do not work on IOS-XE!
