02-08-2016 11:57 PM - edited 07-05-2021 04:35 AM
I have a problem with Cisco WLC 5508 Version 8.0.121.0 and a new WEB certificate.
I created the certificate with openssl 0.9.8h and this command:
req -config E:\OpenSSL98\share\openssl.cnf -new -newkey rsa:2048 -x509 -nodes -keyout mykey.pem -out myreq.csr
I sent myreq.csr to my certificate provider and they sent me the new root certificate.
I copied this root certificate and the Symantec SHA-2 (under SHA-1 Root) Intermediate CA bundle: Managed PKI for SSL into one file, CA.pem.
And I created the final.pem with these openssl commands:
pkcs12 -export -in CA.pem -inkey mykey.pem -out All-certs.p12 -clcerts -passin pass:xxx -passout pass:xxx
pkcs12 -in All-certs.p12 -out final.pem -passin pass:xxx -passout pass:xxx
Then I copied the final.pem to the controller with tftp.
transfer download mode tftp
transfer download datatype webauthcert
transfer download serverip 10.x.x.x
transfer download path /
transfer download filename final.pem
transfer download certpassword xxx
transfer download start
And then I get the following issue.
(Cisco Controller) >transfer download start
Mode............................................. TFTP
Data Type........................................ Site Cert
TFTP Server IP................................... 10.x.x.x
TFTP Packet Timeout.............................. 6
TFTP Max Retries................................. 10
TFTP Path........................................ /
TFTP Filename.................................... final.pem
This may take some time.
Are you sure you want to start? (y/N) y
TFTP Webauth cert transfer starting.
TFTP receive complete... Installing Certificate.
Error installing certificate.
This is the information from the log:
Feb 08 13:41:22.869: [ERROR] ews.c 871: ewsRun: Bad State - should be suspended: 0x0
*TransferTask: Feb 08 13:38:08.573: #UPDATE-3-CERT_INST_FAIL: updcode.c:2554 Failed to install certificate. rc = 2
What can be the cause here, since I created the certificate exactly this way last year and it worked fine then?
02-09-2016 01:45 AM
02-09-2016 01:58 AM
Hello Mohanak,
I have installed my certificate including intermediate CA & root CA and still get this error.
02-09-2016 06:02 AM
02-09-2016 07:12 AM
Hi Mohanak,
I found the issue: I had no device.cert (myreq.csr) information in the CA.pem file.
Creating a new file in Notepad, I pasted the X509 certs from Thawte, followed by the contents of keyout.pem, in this format:
-----BEGIN CERTIFICATE-----
Device cert
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Intermediate cert
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Root Cert
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,
-----END RSA PRIVATE KEY-----
Thanks for the support
02-16-2016 01:47 AM
So this problem is not fixed.
When I create the certificate the default Cisco way, it becomes a private certificate and it runs for only 1 month. Without the device cert it runs for one year, but I cannot install this certificate.
Does anyone have any idea what I can do to create a valid certificate?
03-09-2016 06:29 AM
The problem is fixed.
I had used a wrong root certificate from Symantec to create the CA.pem.
It was solved with support from the Cisco TAC Center.
02-25-2016 10:42 PM
I hit the same problem with version 8.0.121.0 also. Did you manage to find the solution?
02-25-2016 11:04 PM
I opened a TAC Case at Cisco and I'll wait here for a response.
02-25-2016 11:39 PM
Which CA are you using?
I'm using Comodo. I just logged a ticket. Hopefully they can help.
02-26-2016 12:06 AM
I'm using a CA from Symantec.
02-27-2016 02:27 PM
I managed to resolve it by using a new CA bundle from Comodo. They inserted an additional root certificate.
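A pre-upload check of the bundle layout shown in the 02-09 post (device, intermediate, root, then key), as an added example that is not part of any post in this thread and not Cisco tooling: it confirms that each certificate's issuer name equals the next certificate's subject name and that the last certificate is self-signed. All function names and the sample data are constructed; byte-equal name matching is an assumption, and signatures and the key-to-certificate match are not verified.

```python
import base64, re

PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", re.S)

def tlvs(buf):
    """Split a run of DER bytes into (tag, raw_tlv, value) triples."""
    out, pos = [], 0
    while pos < len(buf):
        start, length, pos = pos, buf[pos + 1], pos + 2
        if length & 0x80:  # long form: low 7 bits give the number of length bytes
            n = length & 0x7F
            length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        out.append((buf[start], buf[start:pos + length], buf[pos:pos + length]))
        pos += length
    return out

def issuer_subject(der):
    """Return the raw DER issuer and subject Names of an X.509 certificate."""
    tbs = tlvs(tlvs(der)[0][2])[0][2]  # Certificate -> tbsCertificate contents
    fields = [raw for tag, raw, _ in tlvs(tbs) if tag != 0xA0]  # drop optional [0] version
    return fields[2], fields[4]  # order: serial, sigAlg, issuer, validity, subject

def check_bundle(pem_text):
    """Return a list of problems with a chain-plus-key PEM bundle ([] means OK)."""
    blocks = PEM_RE.findall(pem_text)
    labels = [label for label, _ in blocks]
    names = [issuer_subject(base64.b64decode("".join(b.split()))) for l, b in blocks if l == "CERTIFICATE"]
    if not names:
        return ["no certificate found"]
    problems = []
    if sum(l.endswith("PRIVATE KEY") for l in labels) != 1 or not labels[-1].endswith("PRIVATE KEY"):
        problems.append("expected exactly one private key, placed after the certificates")
    for i in range(len(names) - 1):
        if names[i][0] != names[i + 1][1]:  # issuer must equal the next subject
            problems.append(f"certificate {i + 1} is not issued by certificate {i + 2}")
    if names[-1][0] != names[-1][1]:
        problems.append("chain does not end in a self-signed root")
    return problems

def sample_bundle(*pairs):
    """Constructed sample: DER skeletons with only the fields read above, plus a placeholder key."""
    der = lambda tag, body: bytes([tag, len(body)]) + body
    name = lambda s: der(0x30, der(0x0C, s.encode()))
    out = ""
    for issuer, subject in pairs:
        tbs = der(0x02, b"\x01") + der(0x30, b"") + name(issuer) + der(0x30, b"") + name(subject)
        b64 = base64.b64encode(der(0x30, der(0x30, tbs))).decode()
        out += f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n"
    return out + "-----BEGIN RSA PRIVATE KEY-----\n(placeholder)\n-----END RSA PRIVATE KEY-----\n"
```

On a real file, pass the contents of final.pem to `check_bundle`; text outside the PEM blocks is ignored and the key block is never decoded.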