wesdouglas
Beginner

Updating webauth certificate within 5508 WLC HA pair

I am looking for some clarification before I go ahead and install/reboot my 5508 WLC pair.

The webauth certificate is about to expire so I have chained a new cert together. I have dual 5508s in HA mode and have uploaded the cert. I am now faced with a reboot.

However, I can't find any information online about updating certs within an HA pair, all I can find mentioning certs is in the "Configuring High Availability" section of the "Cisco Wireless LAN Controller Configuration Guide" which states "Certificates should be downloaded separately on each controller before they are paired." Does this still apply when WLCs are already in HA mode?

Has anyone here updated a cert within an HA pair and if so have you simply issued a reboot command when the cert is downloaded to the controller? Surely I don't have to break the pair apart to install the new cert on both then join together again?

Thanks in advance.

Wes

7 REPLIES
Divya
Beginner

Hi Wes,

This is a limitation in WLC HA. You have to install the certificates on both of the controllers.

When you do the web auth certificate installation on WLC which is in HA pair, the cert will be pushed only on Primary Controller. After the fail over to secondary, the guest clients will receive the "certificate warning" until the primary takes over.

Regards,

Divya

saror0001
Beginner

Hi Wes ...

Did you get the solution to this situation? Now I'm in the same situation. Can you please guide me on the same?

The upload of the webauth certificate only happens on the active unit. Once the certificate has been uploaded for the first (primary) controller you need to reload only that unit so the secondary controller is going to be the active one. Wait for the HA set to be active again, upload the certificate again and reboot that unit as well. Once that reboot has been done HA is active again and you are done.

If you do it this way there should be no impact, but personally I would still arrange a service-window just to make sure.

Please rate useful posts... :-)

Device and root certificates are not automatically synced to the Standby controller. You have to manually break HA or perform a failover to apply it on the secondary.

Beacon Bits
Beginner

Hi all,

Just to update on this one, though this post is very old.

Scenario:

=======

Uploading new WebAuth cert for Cisco WLC 5520 HA pair and 5508 two standalone.

Solution

=======

1) Standalone two 5508s were straightforward

       a) upload the cert and

       b) reboot

2) HA pair 5580

      a) upload cert on ACTIVE one first. This WLC would be one which is being accessed by default on the management interface. Cert will be pushed to the ACTIVE WLC first and ask for the reboot.

      b) reboot the WLC. In doing so, HOT STANDBY will become ACTIVE. (Monitor the management interface via ping and you'll notice no ping loss.)

      c) Monitor two WLCs via three Pings to see what is happening

              i) continuous ping to the Management interface

              ii) continuous ping to the Redundancy Mgmt Interface

              iii) continuous ping to the Peer Redundancy Mgmt Interface

      d) When the ACTIVE WLC is back (as seen through the ping), let it settle down, then check the webAuth cert via the CLI command 'Show certificate webauth' on both WLCs

      e) now ACTIVE would be the one that was HOT STANDBY; this would still have the old cert. Upload the cert onto this one and reboot. While doing this you'll see no ping drop on 'Management Interface'

      f) After this WLC comes back it becomes HOT STANDBY, exactly the role it had before starting this exercise. Smooth, isn't it :)

      g) Check the cert has been uploaded on both by the above CLI command. Happy days!

Kind regards,

B
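
A way to verify the steps above from the outside, as an added example that is not part of this thread or of Cisco's own tooling: it fetches the certificate a controller presents on its HTTPS listener and checks validity window, time to expiry, the portal hostname in the SAN, and (after the second reboot) that both units present the same serial. It assumes it is run from a client that can reach the address the guest portal redirects to, with that portal hostname passed as SNI; the certificate dicts used for testing are constructed, in the shape `ssl` returns from `getpeercert()`.

```python
import socket
import ssl
from datetime import datetime, timezone


def utc_date(y, m, d):
    """Helper so callers (and tests) can pass an explicit 'now' in UTC."""
    return datetime(y, m, d, tzinfo=timezone.utc)


def fetch_peer_cert(host, sni, port=443, timeout=5):
    """Return the certificate a controller presents, in ssl's getpeercert() dict form.
    host is the address you connect to (an assumed placeholder), sni the portal
    hostname the cert is issued for. The chain must validate against the local CA
    store (CERT_REQUIRED); hostname matching is done separately in check_webauth_cert."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=sni) as tls:
            return tls.getpeercert()


def _name_matches(pattern, hostname):
    # Exact match, or a wildcard that covers only the leftmost label.
    if pattern.startswith("*."):
        return hostname.count(".") >= 2 and hostname.split(".", 1)[1] == pattern[2:]
    return pattern.lower() == hostname.lower()


def check_webauth_cert(cert, expected_host, now=None, min_days=14):
    """Judge one controller's cert: inside its validity window, at least
    min_days from expiry, and carrying expected_host as a DNS SAN."""
    now = now or datetime.now(timezone.utc)
    not_before = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notBefore"]), timezone.utc)
    not_after = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    days_left = (not_after - now).days
    host_ok = any(_name_matches(n, expected_host)
                  for kind, n in cert.get("subjectAltName", ()) if kind == "DNS")
    valid_now = not_before <= now <= not_after
    return {"serial": cert.get("serialNumber"), "days_left": days_left,
            "hostname_match": host_ok, "ok": valid_now and days_left >= min_days and host_ok}


def pair_serves_same_cert(cert_a, cert_b):
    """After both reboots each unit must present the new cert. Compare serial
    numbers: the old and new certs normally share the same subject name."""
    serial = cert_a.get("serialNumber")
    return bool(serial) and serial == cert_b.get("serialNumber")
```

Run the check once before the first reboot (old cert, active unit), once after the first failover (new cert on the new active unit), and once more after the second reboot; the last pair of results should satisfy pair_serves_same_cert.
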
Hi Beacon,

This information is very helpful,

Many thanks,

With the HA pair running code level 8.3 (or higher) and self-generating the CSR file, can I load the same .pem file on both controllers in the pair?
