
04-03-2012 12:37 AM - edited 07-03-2021 09:56 PM
Hi,
One of our customers has bought an SSL certificate from VeriSign to use with the web authentication portal. I had previously provided him with the information on how to create and upload a chained certificate. However, he got two intermediate certificates from VS and couldn't get it to work.
So I looked into it, and it seems that the WLC doesn't support Level 3 chained certificates (2 intermediate + 1 root cert) and that these are the only certificates VS has provided since October 2010?
So if that's the case, how do I proceed? Is there some sort of workaround, or can VeriSign possibly do something? I guess this isn't the first time since 2010 that someone bought an SSL certificate from VeriSign to use with the WLC..
Thanks in advance!
Charlie
Labels: Wireless LAN Controller
Accepted Solutions
04-03-2012 03:49 AM
It is supported... I have used a Level 3 certificate for WebAuth and it will work.
Chained Certificates
A certificate chain is a sequence of certificates, where each certificate in the chain is signed by the subsequent certificate. The purpose of a certificate chain is to establish a chain of trust from a peer certificate to a trusted Certification Authority (CA) certificate. The CA vouches for the identity in the peer certificate by signing it. If the CA is one that you trust, which is indicated by the presence of a copy of the CA certificate in your root certificate directory, this implies you can trust the signed peer certificate as well.
Often, the clients do not accept the certificates because they were not created by a known CA. The client typically states that the validity of the certificate cannot be verified. This is the case when the certificate is signed by an intermediate CA, which is not known to the client browser. In such cases, it is necessary to use a chained SSL certificate or certificate group.
Support for Chained Certificate
In controller versions earlier than 5.1.151.0, web authentication certificates can only be device certificates and should not contain the CA roots chained to the device certificate (no chained certificates).
With controller version 5.1.151.0 and later, the controller allows for the device certificate to be downloaded as a chained certificate for web authentication.
Certificate Levels
Level 0—Use of only a server certificate on WLC.
Level 1—Use of server certificate on WLC and a CA root certificate.
Level 2—Use of server certificate on WLC, one single CA intermediate certificate, and a CA root certificate.
Level 3—Use of server certificate on WLC, two CA intermediate certificates, and a CA root certificate.
The WLC does not support chained certificates larger than 10 KB in size. However, this restriction has been removed in WLC 7.0.230.0 and later releases.
Note: Chained certificates are supported for web authentication only; they are not supported for the management certificate.
Sent from Cisco Technical Support iPhone App
*** Please rate helpful posts ***
04-03-2012 06:39 PM
Give a peek at this link. This may help a little.
Scott, great comment about:
WLC does not support chained certificates more than 10KB size on the WLC. However, this restriction has been removed in WLC 7.0.230.0 and later releases.

04-04-2012 01:42 AM
Thanks for the response guys!
OK, so to refer to the guide George sent me, in step 5 I just insert the other intermediate certificate like so:
-----BEGIN CERTIFICATE-----
*Device cert*
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
*Intermediate CA cert*
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
*Intermediate CA cert*
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
*Intermediate CA cert*
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
*Root CA cert*
-----END CERTIFICATE-----
04-05-2012 04:41 AM
Level 3—Use of server certificate on WLC, two CA intermediate certificates, and a CA root certificate.
You only can have up to two intermediate certs not three.
*** Please rate helpful posts ***
04-04-2012 03:42 PM
Correct. Also make sure you get the order correct.
Sent from Cisco Technical Support iPhone App
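The two corrections in this thread (at most two intermediates, and the blocks in the right order, device cert first and root last) plus the 10 KB limit quoted from the documentation are easy to check before the bundle is uploaded. The script below is an added example for this thread, not Cisco code or a Cisco tool. It validates the PEM framing of a concatenated bundle (the pasted version above used Unicode minus signs and six dashes, which no PEM parser accepts), and it checks the signing order and the intermediate count from a list of (subject, issuer) pairs. Those pairs are passed in as plain strings because the sample PEM bodies are constructed base64 placeholders rather than real DER certificates; all names and the `placeholder-*` bodies are made up for the example.

```python
"""Pre-upload checks for a WLC web-auth certificate bundle (example code)."""
import base64
import re

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"
MAX_INTERMEDIATES = 2          # Level 3: server cert + two intermediates + root
WLC_BUNDLE_LIMIT = 10 * 1024   # 10 KB limit quoted for releases before 7.0.230.0
_ANY_MARKER = re.compile(r"(BEGIN|END) CERTIFICATE")
_ASCII_MARKER = re.compile(r"^-----(BEGIN|END) CERTIFICATE-----$")


def check_pem_framing(text):
    """Split a bundle into base64 bodies; return (bodies, problems)."""
    bodies, problems, current = [], [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if _ANY_MARKER.search(line) and not _ASCII_MARKER.match(line):
            # e.g. U+2212 minus signs or the wrong number of dashes
            problems.append(f"line {lineno}: malformed PEM marker {line!r} "
                            "(need exactly five ASCII hyphens)")
            line = BEGIN if "BEGIN" in line else END  # keep parsing anyway
        if line == BEGIN:
            if current is not None:
                problems.append(f"line {lineno}: BEGIN without matching END")
            current = []
        elif line == END:
            if current is None:
                problems.append(f"line {lineno}: END without matching BEGIN")
            else:
                body = "".join(current)
                try:
                    base64.b64decode(body, validate=True)  # body must be clean base64
                    bodies.append(body)
                except ValueError:
                    problems.append(f"line {lineno}: block body is not valid base64")
            current = None
        elif current is not None:
            current.append(line)
        else:
            problems.append(f"line {lineno}: text outside a PEM block")
    if current is not None:
        problems.append("bundle ends inside an unterminated PEM block")
    if not bodies and not problems:
        problems.append("no certificates found")
    return bodies, problems


def check_chain(chain):
    """Validate (subject, issuer) pairs in upload order; return (level, problems).

    Each cert must be issued by the one that follows it, and the last one must
    be the self-signed root.  level is 0-3 as in the thread, or None on error.
    """
    problems = []
    if not chain:
        return None, ["empty chain"]
    for i in range(len(chain) - 1):
        subject, issuer = chain[i]
        next_subject = chain[i + 1][0]
        if issuer != next_subject:
            problems.append(f"cert {i} ({subject}) was issued by {issuer!r} but is "
                            f"followed by {next_subject!r}: wrong order or wrong "
                            "intermediate")
    if len(chain) == 1:
        return 0, problems  # Level 0: device certificate only
    root_subject, root_issuer = chain[-1]
    if root_subject != root_issuer:
        problems.append(f"last certificate {root_subject!r} is not self-signed; "
                        "the root must come last")
    intermediates = len(chain) - 2
    if intermediates > MAX_INTERMEDIATES:
        problems.append(f"{intermediates} intermediate certificates; the WLC "
                        f"supports at most {MAX_INTERMEDIATES} (Level 3)")
    return (1 + intermediates if not problems else None), problems


def within_size_limit(text, limit=WLC_BUNDLE_LIMIT):
    """True if the whole bundle fits the quoted 10 KB limit."""
    return len(text.encode("utf-8")) <= limit


def _placeholder(label):
    # Constructed stand-in for a DER body: valid base64 but NOT a real certificate.
    return base64.b64encode(f"placeholder-{label}".encode()).decode()


def pem_block(label, dash="-", count=5):
    return "\n".join([f"{dash * count}BEGIN CERTIFICATE{dash * count}",
                      _placeholder(label), f"{dash * count}END CERTIFICATE{dash * count}"])


# Constructed bundles: the pasted one (five blocks, six U+2212 minus signs) and a fixed one.
CHARLIES_PASTE = "\n".join(pem_block(x, dash="\u2212", count=6)
                           for x in ("device", "int", "int", "int", "root"))
GOOD_BUNDLE = "\n".join(pem_block(x) for x in ("device", "int2", "int1", "root")) + "\n"

# Constructed subject/issuer pairs; the names are placeholders.
LEVEL3_CHAIN = [("CN=webauth.example.net", "CN=Example Intermediate 2"),
                ("CN=Example Intermediate 2", "CN=Example Intermediate 1"),
                ("CN=Example Intermediate 1", "CN=Example Root"),
                ("CN=Example Root", "CN=Example Root")]
THREE_INTERMEDIATES = [("CN=webauth.example.net", "CN=Example Intermediate 3"),
                       ("CN=Example Intermediate 3", "CN=Example Intermediate 2")] + LEVEL3_CHAIN[1:]
SWAPPED_CHAIN = [LEVEL3_CHAIN[0], LEVEL3_CHAIN[2], LEVEL3_CHAIN[1], LEVEL3_CHAIN[3]]

if __name__ == "__main__":
    for name, bundle in (("pasted", CHARLIES_PASTE), ("fixed", GOOD_BUNDLE)):
        bodies, problems = check_pem_framing(bundle)
        print(f"{name}: {len(bodies)} blocks, within size limit: {within_size_limit(bundle)}")
        for p in problems:
            print("   ", p)
    for name, chain in (("level 3", LEVEL3_CHAIN), ("three intermediates", THREE_INTERMEDIATES),
                        ("swapped", SWAPPED_CHAIN)):
        print(name, check_chain(chain))
```

Run it against a real bundle by reading the file into `check_pem_framing`, and feed `check_chain` the subject/issuer pairs you get from `openssl x509 -noout -subject -issuer` on each block; the framing check and the chain check are kept separate precisely so the script needs no certificate parser of its own.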
04-06-2012 02:32 PM
Good catch Scott
Sent from Cisco Technical Support iPhone App

04-20-2012 03:31 AM
Haven't been able to get out there until today; anyway, it worked great once I found the correct root certificate.
Many thanks!!
04-20-2012 10:39 AM
What I do is always extract the intermediate and root from the initial device cert. I have run into the same issue before with them providing the wrong intermediate or root.
Sent from Cisco Technical Support iPhone App
*** Please rate helpful posts ***
