06-21-2018 08:02 AM - edited 07-05-2021 08:46 AM
Hi everyone,
I have a problem: I have a CA cert, and I want to download it to the WLC as the webauth cert.
My steps are as below:
1.
For all three certificates, copy and paste the contents of each .pem file into another file in this order:
-----BEGIN CERTIFICATE-----
*Device cert*
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
*Intermediate CA cert*
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
*Root CA cert*
-----END CERTIFICATE-----
and save the file as All-certs.pem.
2.
openssl pkcs12 -export -in All-certs.pem -inkey gtja.net.key -out All-certs.p12 -clcerts -passout pass:check123
(I don't use "-passin pass:check123" because the cert doesn't have a password.)
3.
openssl pkcs12 -in All-certs.p12 -out final.pem -passin pass:check123 -passout pass:check123
Then I got the final.pem. But when I download it to the WLC, the issue occurs. These are the commands I used:
transfer download mode tftp
transfer download datatype webauthcert
transfer download serverip <TFTP server IP address>
transfer download path <absolute TFTP server path to the update file>
transfer download filename final.pem
transfer download certpassword check123
transfer download start
The log is as below:
【PA】Memory overcommit policy changed from 0 to 1
【PA】RESULT_STRING:TFTP webauth cert transfer starting.
TFTP webauth cert transfer starting.
【PA】RESULT_CODE:1
【PA】TFTP:Binding to remote=10.168.147.241
【PA】TFP End:5938 bytes transferred(0 retransmitted packets)
【PA】tftp rc=0,pHost=10.168.147.241 pFilename=/final.pem pLocalFilename=cert.p12
【PA】RESULT_STRING:TFTP receive complete...Installing Certificate
【PA】RESULT_CODE:13
TFTP receive complete...Installing Certificate
【PA】Adding cert(5890 bytes)with certificate key password
【PA】RESULT_STRING:Error installing certificate.
【PA】RESULT_CODE:12
【PA】Memory overcommit policy restored from 1 to 0
Error installing certificate.
I want to know where I am going wrong. What should I do?
What are the meanings of RESULT_CODE:1, RESULT_CODE:13 and RESULT_CODE:12 in the log?
Please help me to resolve the problem, thanks.
06-21-2018 08:09 AM
06-21-2018 08:31 AM
06-21-2018 08:39 AM
06-21-2018 12:48 PM - edited 06-21-2018 01:11 PM
I think you have a mistake in the procedure you followed. The passin/passout is the PASSPHRASE of the Encryption Key File, not the cert signed by the Public CA Authority.
Please apply the attached procedure, which is more precise. You need the encryption key of your public signed cert, including the passphrase. That is the one I applied 3 weeks ago in our 10+ WLCs' webauth certificate renewal.
QUESTION: HOW did you create the CSR?
You can check the hashing algorithm using Windows MMC once you import the wlc cert to the local computer -- certificate folder.
06-21-2018 01:25 PM
DEBUG required to verify Successful Certificate installation for WebAuth
-debug transfer all enable
-debug pm pki enable
(Cisco Controller) >
(Cisco Controller) >
*TransferTask: Apr 12 17:44:19.903: Memory overcommit policy changed from 0 to 1
*TransferTask: Apr 12 17:44:19.903: RESULT_STRING: TFTP Webauth cert transfer starting.
*TransferTask: Apr 12 17:44:19.903: RESULT_CODE:1
*emWeb: Apr 12 17:44:19.905: sshpmGetIdCertIndex: called to lookup cert >bsnSslWebauthCert<
*emWeb: Apr 12 17:44:19.905: sshpmGetIdCertIndex: found match in row 4
*emWeb: Apr 12 17:44:19.906: sshpmGetCID: Found matching ID cert bsnSslWebauthCert in row 4
*emWeb: Apr 12 17:44:19.906: Found CID 11f1523b for certname bsnSslWebauthCert
Apr 12 17:44:19.906: Retrieving x509 cert for CertName bsnSslWebauthCert
*emWeb: Apr 12 17:44:19.906: sshpmGetCID: called to evaluate <bsnSslWebauthCert>
*emWeb: Apr 12 17:44:19.906: sshpmGetCID: Found matching ID cert bsnSslWebauthCert in row 4
*emWeb: Apr 12 17:44:19.907: Found CID 11f1523b for certname bsnSslWebauthCert
*emWeb: Apr 12 17:44:19.907: IDCertTable: Found matching CID bsnSslWebauthCert in row 4 x509 0x2c0f1d5c
*emWeb: Apr 12 17:44:19.907: SHA1 = ***OMITTED****
*emWeb: Apr 12 17:44:23.038: sshpmGetCID: called to evaluate <bsnSslWebauthCert>
*emWeb: Apr 12 17:44:23.038: sshpmGetCID: Found matching ID cert bsnSslWebauthCert in row 4
*emWeb: Apr 12 17:44:23.038: Retrieving x509 cert for CertName bsnSslWebauthCert
*emWeb: Apr 12 17:44:23.038: sshpmGetCID: called to evaluate <bsnSslWebauthCert>
*emWeb: Apr 12 17:44:23.038: sshpmGetCID: Found matching ID cert bsnSslWebauthCert in row 4
*emWeb: Apr 12 17:44:23.038: Found CID 11f1523b for certname bsnSslWebauthCert
*emWeb: Apr 12 17:44:23.039: sshpmGetCID: Found matching ID cert bsnSslWebauthCert in row 4
*emWeb: Apr 12 17:44:23.039: Found CID 11f1523b for certname bsnSslWebauthCert
*emWeb: Apr 12 17:44:23.039: SHA1 = ***OMITTED****
*emWeb: Apr 12 17:44:23.039: Retrieving x509 cert for CertName bsnSslWebauthCert
*emWeb: Apr 12 17:44:23.039: MD5 = ****OMITTED***
*TransferTask: Apr 12 17:44:24.206: TFTP: Binding to remote=172.XX.YY.ZZ
*TransferTask: Apr 12 17:44:24.222: TFP End: 8201 bytes transferred (0 retransmitted packets)
*TransferTask: Apr 12 17:44:24.223: tftp rc=0, pHost=172.XX.YY.ZZ pFilename=/final2.pem pLocalFilename=cert.p12
*TransferTask: Apr 12 17:44:24.816: RESULT_STRING: TFTP receive complete... Installing Certificate.
*TransferTask: Apr 12 17:44:24.816: RESULT_CODE:13
*emWeb: Apr 12 17:44:26.143: Found CID 11f1523b for certname bsnSslWebauthCert
*emWeb: Apr 12 17:44:26.143: sshpmGetCID: called to evaluate <bsnSslWebauthCert>
*emWeb: Apr 12 17:44:26.143: sshpmGetCID: Found matching ID cert bsnSslWebauthCert in row 4
*emWeb: Apr 12 17:44:26.145: Retrieving x509 cert for CertName bsnSslWebauthCert
*emWeb: Apr 12 17:44:26.145: MD5 = ****OMITTED****
*TransferTask: Apr 12 17:44:28.819: Adding cert (8137 bytes) with certificate key password.
*TransferTask: Apr 12 17:44:28.819: Add WebAuth Cert: Adding certificate & private key using password ****OMITTED****
*TransferTask: Apr 12 17:44:28.819: Add ID Cert: Adding certificate & private key using password
*TransferTask: Apr 12 17:44:28.819: Add Cert to ID Table: Adding certificate (name: bsnSslWebauthCert) to ID table using password ***OMITTED***
*TransferTask: Apr 12 17:44:28.819: Add Cert to ID Table: Decoding PEM-encoded Certificate (verify: YES)
*TransferTask: Apr 12 17:44:28.819: Decode & Verify PEM Cert: Cert/Key Length was 0, so taking string length instead
*TransferTask: Apr 12 17:44:28.819: Decode & Verify PEM Cert: Cert/Key Length 8137 & VERIFY
*TransferTask: Apr 12 17:44:28.832: Decode & Verify PEM Cert: X509 Cert Verification return code: 1
*TransferTask: Apr 12 17:44:28.832: Decode & Verify PEM Cert: X509 Cert Verification result text: ok
*TransferTask: Apr 12 17:44:28.833: Add Cert to ID Table: Decoding PEM-encoded Private Key using password ****OMITTED***
*TransferTask: Apr 12 17:44:28.835: sshpmGetIdCertIndex: found match in row 4
*TransferTask: Apr 12 17:44:28.835: Add Cert to ID Table: Deleting bsnSslWebauthCert (row 4) from ID cert table
*TransferTask: Apr 12 17:44:28.835: Add Cert to ID Table: Adding new bsnSslWebauthCert cert & key to row 4 of ID cert table
*TransferTask: Apr 12 17:44:28.835: Add ID Cert: Writing DER-encoded ID cert to file /mnt/application/bsnSslWebauthCert.crt
*TransferTask: Apr 12 17:44:28.836: sshpmWriteCredentialFile: called to write </mnt/application/bsnSslWebauthCert.crt>; certptr 0x2cd5f210, length 1341
*TransferTask: Apr 12 17:44:28.836: Add ID Cert: Writing DER-encoded ID private key to file /mnt/application/bsnSslWebauthCert.prv
*TransferTask: Apr 12 17:44:28.836: sshpmWriteCredentialFile: called to write </mnt/application/bsnSslWebauthCert.prv>; certptr 0x2cd5c0d8, length 1192
*TransferTask: Apr 12 17:44:28.836: Add ID Cert: Unlinking previously created ID PEM-encoded PKCS12 file webauth_p12.pem
*TransferTask: Apr 12 17:44:28.836: Add ID Cert: Created PEM-encoded ID PKCS12 file webauth_p12.pem
*TransferTask: Apr 12 17:44:28.836: RESULT_STRING: Certificate installed.
Reboot the switch to use new certificate.
*TransferTask: Apr 12 17:44:28.837: RESULT_CODE:11
*TransferTask: Apr 12 17:44:28.837: Memory overcommit policy restored from 1 to 0
06-21-2018 01:29 PM
Not sure what happened with the previous post. In any case, follow the attached procedure. The PASSIN = Passphrase of the Encryption Key File .PEM, so you cannot omit it.
Use Win 7 MMC and import the wlc certificate to the Local Computer --- Trusted Certificates so you can verify the hashing algorithm.
06-21-2018 04:48 PM
06-22-2018 07:37 AM - edited 06-22-2018 07:42 AM
Let's clarify something first. You need to merge all the files into a .PEM one, NOT .cer. I mean, you must verify that the Root CA, Intermediate CA and WLC files have the .PEM extension, not .CER; otherwise you must convert them using step 6 of the procedure. After that, you can merge the files as shown in step 7. In my case, the guy responsible for the certificate part always gives me the files as .CER, so I need to convert them.
Once the previous step is completed and you have the ALL-CERTS.pem file, you go to STEP 8. In that step you need the Encryption Key File and the Passphrase of the Key in order to combine the ALL-CERTS with the KEY. The Encryption Key File must be a .PEM file as well.
The passphrase decrypts the key during the merging process of the ALL-CERTS file with the KEY file. That's why the PASSIN PASS:passphrase command is required (STEP 8).
In my case, using the WLC GUI to upload the final WebAuth Cert requires the passphrase entered with the PASSOUT PASS:passphrase command (STEP 9). I have not checked if the same applies to the CLI. THIS PASSOUT PASS:passphrase is created by YOU. I used the same passphrase for PASSIN/PASSOUT to simplify the process.
Summarizing the process (STEP 8 procedure), we have:
C:\openssl\bin>openssl pkcs12 -export -in ALL-certs.pem -inkey wlcprivkey.pem -out ALLcerts.p12 -clcerts -passin pass:PASSPHRASE -passout pass:PASSPHRASE
wlcprivkey.pem = Private Key FILE .pem extension
ALL-CERTS.pem = Root CA, Intermediate CA and WLC Cert
ALLcerts.P12 file = ALL-Certs.pem + Private Key File. This file is created using the PASSPHRASE which is provided by the person who created the WLC Cert. As I mentioned before, the PASSOUT is required by the WLC GUI Upload Webauth Cert Option.
The WLC does NOT accept a .P12 extension file, so the final step is to convert that file into .PEM as indicated next, using the PASSIN/PASSOUT password (for which I use the same value to avoid problems, as I mentioned above):
C:\openssl\bin>openssl pkcs12 -in Allcerts.p12 -out wlcfinalcert.pem -passin pass:PASSPHRASE -passout pass:PASSPHRASE
Once the .PEM file is created you can proceed to upload it to the WLC using GUI with the PASSPHRASE entered/used in the PASSOUT PASS command. Use the debugs to verify the process is completed satisfactorily.
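The procedure above (steps 7 to 9 of this reply, which correspond to steps 1 to 3 of the question), carried through end to end as an added shell example; it is not part of this thread and not a Cisco procedure. It builds a throwaway root, intermediate and device certificate with an encrypted device key so that every command can be run offline; openssl on PATH is assumed, and the file names, subjects and the check123 passphrase are placeholders. It goes one step beyond the thread by checking the concatenation order of All-certs.pem (each certificate issued by the next one, root last) and by confirming that the private key in the final .pem is still encrypted and belongs to the device certificate, before anything is uploaded to a controller.

```shell
#!/bin/sh
# Added example (not from the thread or from Cisco): rebuild the webauth bundle
# procedure, chain -> .p12 -> .pem, against a throwaway CA generated here, so every
# step can be checked offline before anything is sent to a controller.
# Assumptions: openssl 1.1.1 or 3.x on PATH; file names, subjects and the
# passphrase are placeholders.
set -eu

WORK="${WORK:-$(mktemp -d)}"
PASSPHRASE="check123"   # placeholder, same value the thread uses

# Constructed stand-in for what a public CA hands back: root, intermediate and
# device certificates, plus a device key encrypted with PASSPHRASE (the case
# where -passin is mandatory).
make_test_pki() (
  cd "$WORK"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:wlc.example.com\n' > leaf.ext
  openssl genrsa -out root.key 2048 2>/dev/null
  openssl req -new -key root.key -subj "/CN=Example Root CA" -out root.csr 2>/dev/null
  openssl x509 -req -in root.csr -signkey root.key -days 365 -extfile ca.ext -out root.pem 2>/dev/null
  openssl genrsa -out intermediate.key 2048 2>/dev/null
  openssl req -new -key intermediate.key -subj "/CN=Example Intermediate CA" -out intermediate.csr 2>/dev/null
  openssl x509 -req -in intermediate.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -days 365 -extfile ca.ext -out intermediate.pem 2>/dev/null
  openssl genrsa -aes256 -passout "pass:$PASSPHRASE" -out device.key 2048 2>/dev/null
  openssl req -new -key device.key -passin "pass:$PASSPHRASE" -subj "/CN=wlc.example.com" \
    -out device.csr 2>/dev/null
  openssl x509 -req -in device.csr -CA intermediate.pem -CAkey intermediate.key -CAcreateserial \
    -days 365 -extfile leaf.ext -out device.pem 2>/dev/null
)

# Concatenate PEM files in the order given, e.g. device, intermediate, root.
assemble_chain() {
  out="$1"; shift
  : > "$out"
  for f in "$@"; do cat "$WORK/$f" >> "$out"; done
}

# Check the order the thread insists on: every certificate must be issued by
# the one that follows it, the last one must be self-signed, and the chain
# must verify as a whole. Returns non-zero (and says where) otherwise.
check_chain_order() {
  bundle="$1"; split="$WORK/split"
  rm -rf "$split" && mkdir -p "$split"
  awk -v d="$split" '/-----BEGIN CERTIFICATE-----/{n++} n>0{print > (d "/c" n ".pem")}' "$bundle"
  n=$(grep -c 'BEGIN CERTIFICATE' "$bundle")
  i=1
  while [ "$i" -le "$n" ]; do
    if [ "$i" -lt "$n" ]; then j=$((i + 1)); else j=$i; fi   # the root is checked against itself
    issuer=$(openssl x509 -in "$split/c$i.pem" -noout -issuer | sed 's/^issuer= *//')
    subject=$(openssl x509 -in "$split/c$j.pem" -noout -subject | sed 's/^subject= *//')
    if [ "$issuer" != "$subject" ]; then
      echo "order error: certificate $i is issued by '$issuer' but entry $j is '$subject'" >&2
      return 1
    fi
    i=$((i + 1))
  done
  openssl verify -CAfile "$split/c$n.pem" -untrusted "$bundle" "$split/c1.pem" > /dev/null
}

# Steps 2 and 3 of the question (steps 8 and 9 of the reply): -passin opens the
# encrypted private key file, -passout sets the password that is later given
# to the controller with "transfer download certpassword".
export_bundle() {
  openssl pkcs12 -export -in "$WORK/All-certs.pem" -inkey "$WORK/device.key" \
    -out "$WORK/All-certs.p12" -clcerts -passin "pass:$PASSPHRASE" -passout "pass:$PASSPHRASE"
  openssl pkcs12 -in "$WORK/All-certs.p12" -out "$WORK/final.pem" \
    -passin "pass:$PASSPHRASE" -passout "pass:$PASSPHRASE" 2>/dev/null
}

count_certs() { grep -c 'BEGIN CERTIFICATE' "$WORK/final.pem"; }

# The key must still be encrypted in final.pem (the controller decrypts it with
# certpassword) and must belong to the device certificate, not to a CA.
key_is_encrypted() { grep -q 'BEGIN ENCRYPTED PRIVATE KEY' "$WORK/final.pem"; }
key_matches_cert() {
  a=$(openssl x509 -in "$WORK/device.pem" -noout -pubkey)
  b=$(openssl pkey -in "$WORK/device.key" -passin "pass:$PASSPHRASE" -pubout)
  [ "$a" = "$b" ]
}

run_all() {
  make_test_pki
  assemble_chain "$WORK/All-certs.pem" device.pem intermediate.pem root.pem
  check_chain_order "$WORK/All-certs.pem"
  export_bundle
  key_is_encrypted
  key_matches_cert
  echo "final.pem with $(count_certs) certificates is in $WORK; upload it with certpassword $PASSPHRASE"
}
run_all
```

Run it as a script; it prints the work directory holding final.pem. The order check is the part worth keeping for real certificates: a bundle assembled root-first fails it immediately, which is cheaper to find here than in the controller's "Error installing certificate" output, and the key checks catch the other common mistake, a .pem whose key is not the one the device certificate was issued for.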
06-22-2018 07:50 AM - edited 06-22-2018 08:02 AM
IF you check the DEBUGS, you can see the following.
*TransferTask: Apr 12 17:44:28.833: Add Cert to ID Table: Decoding PEM-encoded Private Key using password ****OMITTED***
This line above shows you that the Private Key File .PEM IS DECODED (decrypted) BEFORE merging that file with the ALL-CERTS.pem one, using the PASSPHRASE of the passin pass: command.
Again, you NEED the passphrase of the Private Key File (STEP 8) to be used in the MANDATORY COMMAND passin pass:passphrase.
06-22-2018 08:15 AM
06-22-2018 08:17 AM
The procedure was attached above to one of my replies. It is a procedure I created/tested on 8500/5500/2500 WLCs running 7.x and 8.0 versions, and I have been using it for more than 2 years.
06-22-2018 08:34 AM - edited 06-22-2018 08:36 AM
Let me clarify something else: when the WLC Certificate is signed by the Public CA Authority (in my example, my WLC cert was signed by Entrust; I do not know your case), a Private Key File is ALSO created, and that file has a passphrase attached (also called the private key password - sometimes this causes confusion with the private key FILE name).
That passphrase is MANDATORY when you create the .P12 file (all-certs.pem file merged with the private key file) and IT IS entered with the command PASSIN PASS:xxxxxx. The PASSOUT PASS:yyyy part of the entire command is the passphrase to be used in the WLC cert uploading process. Usually we enter the same value in BOTH parts, PASSIN pass / PASSOUT pass, to avoid mistakes and keep consistency.
On the other hand, .KEY is NOT an extension for the Private Key file. Usually it is a .CER file. You need to verify that with the person who provided you that file. I am not sure if replacing the .KEY by .CER (renaming) is enough - talk to the person who created it, as I said. If they tell you that the Private Key file extension is .CER, then you need to convert the file as indicated in the attached procedure.
The PASSPHRASE in the procedure for the PASSIN PASS:PASSPHRASE part of the command below (Step 8) is only a reference to the actual password assigned to the Private Key File created. That password of the Private Key should have been provided to you. Again, to keep consistency, the value of the PASSIN PASS:xxxxxxx (private key password) is assigned as well in the PASSOUT PASS:yyyyyy part of the command: openssl pkcs12 -export -in ALL-certs.pem -inkey wlcprivkey.pem -out ALLcerts.p12 -clcerts -passin pass:PASSPHRASE -passout pass:PASSPHRASE