Good afternoon,
Recently it was required to rebuild the PKI certificate and trustpoints for our cisco WLC (9800-CL). This was due to our internal audit team having concerns that the intial common name was the same as the trustpoint, and not matching the host name. In addition, the attached IP was incorrect.
To correct this i followed cisco documention noted here: https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/config-guide/trustpoints/b-configuring-trustpoints-on-cisco-catalyst-9800-series-controllers/c-workflow-to-configure-a-trustpoint-for-a-third-party-certificate-on-catalyst-9800.html
I created a new trust point with a new pair of RSA keys, careful to make the CN match to the device name. As noted in this document:
Domain Name/Common Name
"Refers to the subject to which the certificate will be issued to. The fully qualified domain name (FQDN) of the controller. This must match exactly what you type in your web browser to reach the controller, or you will receive a name mismatch error. Depending on what your certificate requirement is for (webauth, webadmin, AP join) You must specify either the virtual IP address of your 9800 controller, the hostname associated with the virtual IP address of your 9800 controller, the management IP address or the hostname associated with the management IP address."
Since we are using the self signed certificate for the AP joins (ala wireless config vwlc-ssc key-size 2048 signature-algo sha256 password x), i believed this TP was for the webadmin and therefore created the CN with the hostname. Since our G1 is our WMI, and it is a VM therefore that IP is a virtual management IP address.
I then used "crypto pki authenticate trustpoint" and created a trustpoint for our coporate root CA and our local interi CA. I trusted the intermediate CA to my new trustpoint, since it's the one doing the singing. One this was done i issued "crypto pki enroll trustpoint" on that trustpoint and provided the terminal (on screen) enrollment to the team with CA access. Once i received back my signed certificate, at which point i issued "crypto pki import trustpoint certificate" and pasted in the provided signed certificate.
This was accepted without issue. I can run "show crypto pki certificates <trustpoint>" and see the certificate, now with proper hostname and ip address. I can also see my root and int cas on the respective trustpoints.
Since i wanted to get web admin going again, i issued "ip http secure-server trustpoint" to my int. trustpoint and regained webadmin after AAA config at cli. In order to get AP's back online, i then issued command "wireless config vwlc-ssc key-size 2048 signature-algo sha256 password <pw>", though i stepped up the key size and sha. APs then were able to rejoin via CAPWAP and discover the controller.
However, APs now display wlan_crypto_encap:key is null, along with a constant clean air issue. They will hang at:
[*04/24/2025 18:22:56.8175] CLEANAIR: Slot 0 enabled
[*04/24/2025 18:23:00.8234] CLEANAIR: Slot 0 config change
[*04/24/2025 18:23:00.8242] CLEANAIR: Slot 1 channel change chk
[*04/24/2025 18:23:18.9035] CLEANAIR: Slot 0 enabled
[*04/24/2025 18:23:18.9048] CLEANAIR: Slot 2 channel change chk
Or possibly at ***cap stop for radio 1*** while inserting "wlan_crypto_encap:key is null". So clearly, i've broken something somewhere. Is there a field the password for the self-signed certificate should be added? Have i over looked a step somewhere?
Thank you for any assistance.
