Webauth and Webadmin certificates fail to install on a WLC 5520

ashmead123
Level 1

Hi

I have two certificates (Webauth and Webadmin), created using the WLC's CSR. Both fail to install. Both will TFTP onto the WLC fine using the Upload command on the GUI but fail to install.

The logs show: %UPDATE-3-CERT_INST_FAIL: updcode.c:1276 Failed to install Webauth certificate. rc = 1

The certificates were created by different authorities (internal CA and DigiCert).

Both are .crt format. I have tried converting to PEM; this ends up as .cer format.

The common names (CN) are the hostname of the WLC.

The WLC is in an SSO HA pair and running 8.3.133.0.

Any pointers much appreciated.

19 Replies

Hi @ashmead123

Did you follow some guide? Here on the forum we can see a lot of people with the same problem.

This guide looks very clear and updated. Take a look and let us know:

https://www.cisco.com/c/en/us/td/docs/wireless/controller/8-0/configuration-guide/b_cg80/b_cg80_chapter_01001.html

-If I helped you somehow, please, rate it as useful.-

Hi Flavio

Thanks for this, all of the guides recommend the use of OpenSSL. Is this application a necessity to get the certificate to install correctly?
Do you have a trusted link to download OpenSSL?

Thanks
Ashley

Sure. Official web site. Go to the download tab.

https://www.openssl.org/

-If I helped you somehow, please, rate it as useful.-

I have now converted the cert files into .pem format.

I now get the following debug output. Is this related to the certificate chain? Currently the certificate is in the format:

-----BEGIN CERTIFICATE-----
xxxx
-----END CERTIFICATE-----

pki debug:

*TransferTask: Mar 24 10:20:28.443: [PA] tftp rc=0, pHost=10.201.192.131 pFilename=/WebAuth.pem pLocalFilename=cert.p12
*TransferTask: Mar 24 10:20:28.458: [PA] RESULT_STRING: TFTP receive complete... Installing Certificate.
*TransferTask: Mar 24 10:20:28.458: [PA] RESULT_CODE:13
*TransferTask: Mar 24 10:20:32.466: [PA] Adding cert (2128 bytes) with certificate key password.
*TransferTask: Mar 24 10:20:32.466: [PA] Add WebAuth Cert: Adding certificate & private key using password
*TransferTask: Mar 24 10:20:32.466: [PA] Add ID Cert: Adding certificate & private key using password
*TransferTask: Mar 24 10:20:32.466: [PA] Add Cert to ID Table: Adding certificate (name: bsnSslWebauthCert) to ID table using password
*TransferTask: Mar 24 10:20:32.466: [PA] Add Cert to ID Table: Decoding PEM-encoded Certificate (verify: YES)
*TransferTask: Mar 24 10:20:32.466: [PA] Decode & Verify PEM Cert: Cert/Key Length was 0, so taking string length instead
*TransferTask: Mar 24 10:20:32.466: [PA] Decode & Verify PEM Cert: Cert/Key Length 2128 & VERIFY
*TransferTask: Mar 24 10:20:32.467: [PA] Decode & Verify PEM Cert: X509 Cert Verification return code: 0
*TransferTask: Mar 24 10:20:32.467: [PA] Decode & Verify PEM Cert: X509 Cert Verification result text: unable to get local issuer certificate
*TransferTask: Mar 24 10:20:32.467: [PA] Decode & Verify PEM Cert: Error in X509 Cert Verification at 0 depth: unable to get local issuer certificate
*TransferTask: Mar 24 10:20:32.467: [PA] Add Cert to ID Table: Error decoding (verify: YES) PEM certificate
*TransferTask: Mar 24 10:20:32.467: [PA] Add ID Cert: Error decoding / adding cert to ID cert table (verifyChain: TRUE)
*TransferTask: Mar 24 10:20:32.467: [PA] Add WebAuth Cert: Error adding ID cert
*TransferTask: Mar 24 10:20:32.467: [PA] RESULT_STRING: Error installing certificate.

Thanks in advance

 

 

*TransferTask: Mar 24 10:20:32.467: [PA] Decode & Verify PEM Cert: X509 Cert Verification return code: 0
*TransferTask: Mar 24 10:20:32.467: [PA] Decode & Verify PEM Cert: X509 Cert Verification result text: unable to get local issuer certificate
*TransferTask: Mar 24 10:20:32.467: [PA] Decode & Verify PEM Cert: Error in X509 Cert Verification at 0 depth: unable to get local issuer certificate

Looks like the file you try to import only contains the certificate of the WLC, while it should contain the entire certificate chain, in this order: WLC, intermediate CA, root CA.

Also try to upgrade the WLC software and then try again, as 8.3.133.0 is already deferred by Cisco.

Regards

Don't forget to rate helpful posts

 

 

William Foster
Level 1

Can you please tell me what you did to get this to work. I am experiencing the exact same issue. My cert is a .pem and I am getting this error %UPDATE-3-CERT_INST_FAIL: updcode.c:3686 Failed to install certificate. rc = 1.

Any help would be greatly appreciated

Actually to expand on my problem. I am not even able to TFTP the cert to the controller. I am getting a file transfer failed! I am certain that TFTP is not being blocked. However when I look at the log I see this below error. 

TransferTask: Jan 06 10:44:20.336: %UPDATE-3-CERT_INST_FAIL: updcode.c:3686 Failed to install certificate. rc = 1 so it does appear my issue is different.


@William Foster wrote:

Actually to expand on my problem. I am not even able to TFTP the cert to the controller. I am getting a file transfer failed! I am certain that TFTP is not being blocked. However when I look at the log I see this below error. 

TransferTask: Jan 06 10:44:20.336: %UPDATE-3-CERT_INST_FAIL: updcode.c:3686 Failed to install certificate. rc = 1 so it does appear my issue is different.


Enable PKI debugs and try the transfer again, then post the output here. Also make sure you include the full certificate chain in the PEM file, not only the WLC certificate.

debug pm pki enable
transfer download start

Sorry for the delay in response. I was able to get this issue resolved. My cert was not formatted correctly. It had to be like below

-----BEGIN CERTIFICATE-----
*End Entity Certificate Content*
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
*Intermediate CA Certificate Content*
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
*Root CA Certificate Content*
-----END CERTIFICATE-----

Once I had the cert in that format then it downloaded the cert. So it is good to know if the cert is not correct then the WLC will not even download the cert.
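A pre-upload check for the chain rule given in the replies above (leaf first, then intermediate CA, then root CA), written as an added example for this thread; it is not code from the thread or from Cisco. It assumes the openssl CLI is installed, and the function name check_wlc_bundle and the file names are made up here. It flags the two situations seen in the thread: a PEM file that holds only the WLC certificate (the "unable to get local issuer certificate" debug) and a file whose blocks are in the wrong order.

```shell
#!/bin/sh
# Added example (not from the thread or from Cisco): sanity-check a PEM
# bundle before uploading it to a WLC. The WLC wants leaf (its own cert),
# then intermediate CA(s), then root CA; a bundle missing the issuers is
# what the debug line "unable to get local issuer certificate" reports.
# Assumes the openssl CLI is installed. Function and file names are ours.

# check_wlc_bundle BUNDLE.pem -> returns 0 if the order is right and the leaf
# verifies against the CA blocks that follow it, else prints why and returns 1.
check_wlc_bundle() {
  bundle=$1
  work=$(mktemp -d)
  # Only proper 5-dash headers count; mangled headers yield zero blocks.
  n=$(grep -c '^-----BEGIN CERTIFICATE-----$' "$bundle" || true)
  # Split into 1.pem, 2.pem, ... keeping file order.
  awk -v d="$work" '/^-----BEGIN CERTIFICATE-----$/ {i++} i>0 {print > (d "/" i ".pem")}' "$bundle"
  if [ "$n" -lt 2 ]; then
    echo "found $n certificate block(s); the WLC needs the whole chain, not just its own cert"
    rm -rf "$work"; return 1
  fi
  i=1
  while [ "$i" -lt "$n" ]; do
    issuer=$(openssl x509 -in "$work/$i.pem" -noout -issuer | sed 's/^issuer=//')
    subject=$(openssl x509 -in "$work/$((i+1)).pem" -noout -subject | sed 's/^subject=//')
    if [ "$issuer" != "$subject" ]; then
      echo "block $((i+1)) is not the issuer of block $i; chain order is wrong or an issuer is missing"
      rm -rf "$work"; return 1
    fi
    i=$((i+1))
  done
  # Block n is the trusted root, blocks 2..n-1 untrusted intermediates, block 1 the leaf.
  set -- "$work/1.pem"
  if [ "$n" -gt 2 ]; then
    j=2; : > "$work/untrusted.pem"
    while [ "$j" -lt "$n" ]; do cat "$work/$j.pem" >> "$work/untrusted.pem"; j=$((j+1)); done
    set -- -untrusted "$work/untrusted.pem" "$work/1.pem"
  fi
  if openssl verify -CAfile "$work/$n.pem" "$@" >/dev/null 2>&1; then
    rc=0
  else
    echo "leaf does not verify against the CA blocks in the bundle"; rc=1
  fi
  rm -rf "$work"
  return $rc
}
```

Run it as check_wlc_bundle WebAuth.pem before the transfer download; a non-zero exit with the printed reason is what the WLC's own install step would otherwise only report as rc = 1.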

>> So it is good to know if the cert is not correct then the WLC will not even download the cert.


It will download the cert but it will discard it if not well formatted 😉

Yeah... that is what happens if there is anything wrong with a cert that gets uploaded.
-Scott
*** Please rate helpful posts ***

@Scott Fella so what does someone do when a cert is uploaded, but rejected? How do I find out WHY it was rejected?

I have a correctly chained PEM certificate file. It is accepted by the transfer download process and installed. The CSR was generated by the CLI on the WLC (2504, running 8.5) and it was signed by a Microsoft CA.

When I install this certificate, it blindly accepts it, makes me restart the WLC (really, really annoying having 2-3 mins of outage every time I "experiment") then no longer responds on port 443 for HTTPS for webadmin.

I am forced to generate a self-signed cert again to get access to the web GUI.

Some more debug help from the WLC would be most welcome here. Is there a way to peek under the hood to actually see detail on why it isn't working?

Thanks in advance.
