WLC 5508 and WEB Certificate issue

Dieter Poschag
Level 1

I have a problem with Cisco WLC 5508 Version 8.0.121.0 and a new WEB certificate.
I create the certificate with openssl 0.9.8h and this command:

req -config E:\OpenSSL98\share\openssl.cnf -new -newkey rsa:2048 -x509 -nodes -keyout mykey.pem -out myreq.csr


I send myreq.csr to my certificate provider and they send me the new root certificate.
I copy this root certificate and the Symantec SHA-2 (under SHA-1 Root) Intermediate CA bundle: Managed PKI for SSL into one file, CA.pem.
And I create the final.pem with these openssl commands.


pkcs12 -export -in CA.pem -inkey mykey.pem -out All-certs.p12 -clcerts -passin pass:xxx -passout pass:xxx
pkcs12 -in All-certs.p12 -out final.pem -passin pass:xxx -passout pass:xxx


Then I copy the final.pem with tftp to the controller.
transfer download mode tftp
transfer download datatype webauthcert
transfer download serverip 10.x.x.x
transfer download path /
transfer download filename final.pem
transfer download certpassword xxx
transfer download start
And so I get the following issue.
(Cisco Controller) >transfer download start
Mode............................................. TFTP
Data Type........................................ Site Cert
TFTP Server IP................................... 10.x.x.x
TFTP Packet Timeout.............................. 6
TFTP Max Retries................................. 10
TFTP Path........................................ /
TFTP Filename.................................... final.pem
This may take some time.
Are you sure you want to start? (y/N) y
TFTP Webauth cert transfer starting.
TFTP receive complete... Installing Certificate.
Error installing certificate.
This is the information from logging
Feb 08 13:41:22.869: [ERROR] ews.c 871: ewsRun: Bad State - should be suspended: 0x0
*TransferTask: Feb 08 13:38:08.573: #UPDATE-3-CERT_INST_FAIL: updcode.c:2554 Failed to install certificate. rc = 2

What can be the cause here, since I created the certificate exactly this way last year and it worked fine then?

Accepted Solutions

I managed to resolve it by using a new CA bundle from Comodo. They inserted an additional root certificate.

11 Replies

mohanak
Cisco Employee
Unable to get issuer certificate error -WLC 7.6 needs full cert
CSCuo74691
Description
Symptom:
WLC on version prior to 7.6 --- install cert for webauth --- upgrade to 7.6 ----> everything works fine
WLC on 7.6 --- install the same cert --- we get the following error -

UPDATE-3-CERT_INST_FAIL: updcode.c:2140 Failed to install certificate. rc = 2

Conditions:
Installing CERT on the WLC running 7.6 and the cert load fails due to Missing Root CA cert error

Workaround:
Get a chained certificate (including intermediate CA & root CA) from the CA and install it on the WLC.
Last Modified:
Jan 10, 2016

Hello Mohanak,

I have installed my certificate including intermediate CA & root CA and still get this error.

Hi Mohanak,

I found the issue: I had no device cert (myreq.csr) information in the CA.pem file.

Creating a new file in Notepad, I pasted the X509 certs from Thawte, followed by the contents of keyout.pem, in the format:

-----BEGIN CERTIFICATE-----
Device cert
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Intermediate cert
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Root Cert
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,
-----END RSA PRIVATE KEY-----

Thanks for the support

So this problem is not fixed.
When I create the certificate as default by Cisco, it becomes a private certificate and it runs only 1 month. Without the device cert it runs one year, but I cannot install this certificate.

Does anyone have any idea what I can do to create a valid certificate?

The problem is fixed.

A wrong root certificate from Symantec had been used to create the CA.pem.
It was solved with support from the Cisco TAC Center.

derrickw7
Level 1

I hit the same problem with version 8.0.121.0 also. Did you manage to find the solution?

I opened a TAC Case at Cisco and I'll wait here for a response. 

Which CA are you using? 

I'm using Comodo. I just logged a ticket. Hopefully they can help.

I'm using a CA from Symantec.

I managed to resolve it by using a new CA bundle from Comodo. They inserted an additional root certificate.
