Virtual WLC certificate problem

A problem occurs when trying to install a WebAuth certificate:

TransferTask: Sep 19 10:04:47.389: Adding cert (7998 bytes) with certificate key password.

*TransferTask: Sep 19 10:04:47.389: Add WebAuth Cert: Adding certificate & private key using password

*TransferTask: Sep 19 10:04:47.389: Add ID Cert: Adding certificate & private key using password

*TransferTask: Sep 19 10:04:47.389: Add Cert to ID Table: Adding certificate (name: bsnSslWebauthCert) to ID table using password

*TransferTask: Sep 19 10:04:47.389: Add Cert to ID Table: Decoding PEM-encoded Certificate (verify: YES)

*TransferTask: Sep 19 10:04:47.389: Decode & Verify PEM Cert: Cert/Key Length was 0, so taking string length instead

*TransferTask: Sep 19 10:04:47.389: Decode & Verify PEM Cert: Cert/Key Length 7998 & VERIFY

*TransferTask: Sep 19 10:04:47.391: Decode & Verify PEM Cert: X509 Cert Verification return code: 1

*TransferTask: Sep 19 10:04:47.391: Decode & Verify PEM Cert: X509 Cert Verification result text: ok

*TransferTask: Sep 19 10:04:47.391: Add Cert to ID Table: Decoding PEM-encoded Private Key using password

*TransferTask: Sep 19 10:04:47.391: Retrieve CSR Key: can't open private key file for ssl cert.

*TransferTask: Sep 19 10:04:47.391: Add Cert to ID Table: No Private Key

*TransferTask: Sep 19 10:04:47.391: Add ID Cert: Error decoding / adding cert to ID cert table (verifyChain: TRUE)

*TransferTask: Sep 19 10:04:47.391: Add WebAuth Cert: Error adding ID cert

*TransferTask: Sep 19 10:04:47.391: RESULT_STRING: Error installing certificate.

Can someone help?


patoberli
VIP Alumni
Is your certificate correctly formatted, or did you correctly create the CSR on the WLC?

See those error messages:
*TransferTask: Sep 19 10:04:47.391: Add Cert to ID Table: Decoding PEM-encoded Private Key using password
*TransferTask: Sep 19 10:04:47.391: Retrieve CSR Key: can't open private key file for ssl cert.
*TransferTask: Sep 19 10:04:47.391: Add Cert to ID Table: No Private Key

See here for the manual:
https://www.cisco.com/c/en/us/support/docs/wireless/4400-series-wireless-lan-controllers/109597-csr-chained-certificates-wlc-00.html
Also I think there recently was a similar post with the vWLC, where it looked like there was a bug.

I did everything through this guide:

https://www.cisco.com/c/en/us/support/docs/wireless/4400-series-wireless-lan-controllers/109597-csr-chained-certificates-wlc-00.html

After the first attempt to download the certificate, the install was successful, but it still showed as untrusted in the browser.

So I issued a regenerate certificate on the WLC under Web Authentication. But I didn't generate a new CSR!!!

The CSR is the same for the certificate. Trying to upload a second time, this error occurred.
I think you will need to generate a new CSR.
Did you reboot the WLC after you installed the first certificate? This is required.
Also, what was the reason for the invalid certificate? Wrong hostname, wrong certificate, ....?

Yes, I did a reboot.

The certificate from the first try did install as I mentioned, but web authentication still was unable to trust the WLC. So I thought there might be an issue with the certificate and swapped the file a few times. In the end none of the certificates could be installed.

I think I should start over with a new CSR :(

I was trying to do this on a Virtual WLC, generating the CSR from the WLC (not through OpenSSL).

Just checked the manual. Please note the caveat that the certificate lacks a SAN if you generate it on the WLC. That means that Chrome will always mark it as not valid!
So better use Internet Explorer or maybe Edge/Firefox for testing. But if you want one that is accepted in all browsers, you must use the OpenSSL way and make sure that the SAN is correctly filled out (the URL/hostname must be in the SAN).

We have created a certificate through OpenSSL and installed it successfully, but clients on the web page still get an untrusted certificate.

The certificate on the WLC and at the client match.

But from the pictures you can see the problem. [Screenshots: Chrome_1.png, Chrome_3.png]

The certification path is missing. Make sure to correctly format the certificate before uploading it.

Pay special attention to this part in the manual: Option B: Obtain the Final.pem File from a Third-Party CA

ajc
Level 7

The error that you are getting is an incorrect structure in the composed file consisting of the WLC cert, intermediate, root and encryption key. I got the same error in the past when I was following the Cisco procedure, which is not totally accurate, so I created my own.
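The accepted answer ("the certification path is missing") and ajc's reply both come down to the layout of the composed PEM file. The script below is an added example, not code from this thread, from Cisco or from the WLC: it builds a constructed root/intermediate/device chain with OpenSSL, assembles the bundle in the order ajc describes (device certificate, intermediate, root, private key) and checks the result for the failure modes that show up in the log above (missing chain, wrong order, missing or mismatched private key) plus the missing SAN that patoberli mentions, before anything is uploaded. The hostname wlc.example.test, the file names and the unencrypted test key are assumptions; with CA-issued files you would point the same checks at those, and at an unencrypted copy of the key, since the WLC upload itself uses the password-protected key.

```shell
#!/bin/sh
# Added example, not from this thread, Cisco or the WLC. Builds a constructed
# root -> intermediate -> device chain, assembles the bundle in the order ajc
# describes (device cert, intermediate, root, private key) and checks it for the
# failure modes seen in the WLC log: missing chain, wrong order, missing or
# mismatched private key, and (Chrome's complaint) a device cert without a SAN.
# wlc.example.test, the file names and the unencrypted key are assumptions.
set -eu

# Key + CSR: newkey_csr DIR NAME SUBJECT (constructed test data only).
newkey_csr() {
  openssl req -newkey rsa:2048 -nodes -sha256 -subj "$3" \
    -keyout "$1/$2.key" -out "$1/$2.csr" >/dev/null 2>&1
}

# Build a throwaway PKI in directory $1. In practice the device cert comes back
# from the CA and the intermediate/root certificates are downloaded from the CA.
make_test_pki() {
  d="$1"; mkdir -p "$d"
  newkey_csr "$d" root "/CN=Example Root CA"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' >"$d/ca.ext"
  openssl x509 -req -sha256 -days 30 -in "$d/root.csr" -signkey "$d/root.key" \
    -extfile "$d/ca.ext" -out "$d/root.pem" >/dev/null 2>&1
  newkey_csr "$d" int "/CN=Example Intermediate CA"
  openssl x509 -req -sha256 -days 30 -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -extfile "$d/ca.ext" -out "$d/int.pem" >/dev/null 2>&1
  # The device certificate carries its hostname in the SAN, which Chrome requires.
  newkey_csr "$d" wlc "/CN=wlc.example.test"
  printf 'subjectAltName=DNS:wlc.example.test\nextendedKeyUsage=serverAuth\n' >"$d/wlc.ext"
  openssl x509 -req -sha256 -days 30 -in "$d/wlc.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
    -CAcreateserial -extfile "$d/wlc.ext" -out "$d/wlc.pem" >/dev/null 2>&1
}

# Concatenate PEM files in bundle order: assemble_final_pem OUT DEVICE INTERMEDIATE... ROOT KEY
assemble_final_pem() {
  out="$1"; shift
  cat "$@" >"$out"
}

# Check a bundle before uploading it: returns 0 if usable, 1 with a reason on stderr.
verify_final_pem() {
  b="$1"; t=$(mktemp -d)
  # Split out cert1.pem, cert2.pem, ... (in bundle order) and the private key.
  awk -v d="$t" '/-----BEGIN CERTIFICATE-----/ {n++; f=d "/cert" n ".pem"}
                 f {print > f}
                 /-----END CERTIFICATE-----/ {f=""}' "$b"
  awk -v k="$t/key.pem" '/-----BEGIN .*PRIVATE KEY-----/ {f=1}
                         f {print > k}
                         /-----END .*PRIVATE KEY-----/ {f=0}' "$b"
  n=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$b" || true)
  if [ "$n" -lt 2 ]; then
    echo "only $n certificate(s): the CA chain (intermediate and root) is missing" >&2; return 1
  fi
  if [ ! -s "$t/key.pem" ]; then
    echo "no private key in the bundle (the WLC logs 'No Private Key')" >&2; return 1
  fi
  # Order check: the first certificate must be the one issued by the second.
  iss=$(openssl x509 -noout -issuer -nameopt RFC2253 -in "$t/cert1.pem" | sed 's/^issuer=//')
  sub=$(openssl x509 -noout -subject -nameopt RFC2253 -in "$t/cert2.pem" | sed 's/^subject=//')
  if [ "$iss" != "$sub" ]; then
    echo "first certificate is not issued by the second: order must be device, intermediate, root" >&2; return 1
  fi
  # Chain check: the last certificate is the trust anchor, any in between are untrusted intermediates.
  : >"$t/untrusted.pem"; i=2
  while [ "$i" -lt "$n" ]; do cat "$t/cert$i.pem" >>"$t/untrusted.pem"; i=$((i + 1)); done
  if [ -s "$t/untrusted.pem" ]; then set -- -untrusted "$t/untrusted.pem"; else set --; fi
  if ! openssl verify -CAfile "$t/cert$n.pem" "$@" "$t/cert1.pem" >/dev/null 2>&1; then
    echo "chain does not verify: an intermediate or the root certificate is wrong or missing" >&2; return 1
  fi
  # Key check: the public key in the device certificate must equal the one derived from the private key.
  pc=$(openssl x509 -noout -pubkey -in "$t/cert1.pem" 2>/dev/null)
  pk=$(openssl pkey -in "$t/key.pem" -pubout 2>/dev/null || true)
  if [ -z "$pk" ] || [ "$pc" != "$pk" ]; then
    echo "private key does not match the device certificate" >&2; return 1
  fi
  # SAN check: without a SAN Chrome marks the certificate invalid even when the chain is fine.
  if ! openssl x509 -noout -text -in "$t/cert1.pem" | grep -q 'Subject Alternative Name'; then
    echo "device certificate has no subjectAltName" >&2; return 1
  fi
  rm -rf "$t"; echo "bundle OK: $n certificates, key matches, SAN present"; return 0
}

# Usage: sh check_bundle.sh demo   (builds the test PKI under ./wlc-demo and checks final.pem)
case "${1:-}" in
  demo) make_test_pki ./wlc-demo
        assemble_final_pem ./wlc-demo/final.pem ./wlc-demo/wlc.pem ./wlc-demo/int.pem \
          ./wlc-demo/root.pem ./wlc-demo/wlc.key
        verify_final_pem ./wlc-demo/final.pem ;;
esac
```

To check a bundle you built from CA-issued files, call `verify_final_pem final.pem` after sourcing the script; each failure message names the same condition the WLC log reports, which is easier to act on than "Error installing certificate".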
