09-29-2016 09:11 AM - edited 07-05-2021 05:54 AM
Hi there,
Spent too much time trying to get this to work.
Customer has 4 x 5508 WLCs at various sites.
I have followed all the Cisco videos and guides for creating, formatting and uploading chained certs to a WLC.
The transfer completes via TFTP but then fails to load the certificate.
Cisco advise it must be 5.1.151.0 or higher; currently the controllers are 7.2.110.0.
We have the final-cert.pem file loading ok on a test WLC running 8.1.120.0 with no issues
Certificates are Thawte CA - the obvious move would be upgrade the controllers but that isn't an option for customer right now.
Debugs:
WLC Debug commands
debug transfer all enable: transfers over ok
debug pm pki enable: failed to validate certificate error (doesn't even get to the password checking on upload)
As stated, my colleague was emailed the final-cert.pem file and it worked when he uploaded it to a WLC 5508 on a later version. I'm stumped why it won't work on version 7.2.110.0, as the process is well documented as working on earlier versions than this.
Any help appreciated.
Tony
10-01-2016 06:32 PM
For lack of any other response... Can you try playing around with the public Thawte CA keys? I had a similar issue to the one you've stated with a GeoTrust one and ended up fixing it by playing around with the CA keys in the pem file.
Also, have you created the final pem file with the correct (lower) version of OpenSSL? I know the WLCs aren't fans of later versions of OpenSSL.
Cheers,
Ric
10-02-2016 09:46 AM
Hi Ric,
Many thanks indeed for your response. I've been using OpenSSL 0.9.8 and even used 0.9.6, but same result.
I think you may be on the right track ref the keys and chaining. As I said, I know I have the final pem correctly chained for a later version of code on the test WLC, as it accepts the certs. I think the older version has an incompatibility with the signature algorithm.
The original Thawte CA certs on the controller indicate DV SSL CA which I think uses Signature Algorithm: sha1WithRSAEncryption
The new ones issued by Thawte are DV SSL CA - G2, which I think uses Signature Algorithm: ecdsa-with-SHA384
I've been wondering what the G2 refers to. When I open the older device cert in notepad it is much smaller than the new cert, which may be the additional encryption.
I hope I'm on the right track here and not going off on a tangent.
I wonder if Thawte CA will create an older style device DV SSL cert (non G2).
I'll let you know.
Thanks again, Tony
10-02-2016 11:14 AM
Well, unless I'm mistaken, I think I know what the issue is:
WLC code 7.2.110.0 only supports SHA1, and the certificates I have use the SHA2 algorithm.
Newer versions of WLC code seem to support the SHA2 signature algorithms but older code cannot understand the encryption.
Now, I will either have to upgrade or ask Thawte CA if they can provide SHA1 certs.
Going forward, there's a SHA1 deprecation timeline and Google Chrome will treat such sites as secure but with minor errors.
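A check for the diagnosis above, added here as an example that is not from this thread or from Cisco: a stdlib-only Python script that reads every certificate in a chained PEM file and names its signature algorithm, so a SHA-2-signed member can be spotted before the TFTP upload. The sample chain is constructed (empty tbsCertificate, real AlgorithmIdentifier layout), not real Thawte certificates, and names such as SAMPLE_CHAIN and non_sha1_members are mine.

```python
import base64

# Dotted OIDs of signature algorithms commonly seen in web-auth certificate chains
SIG_ALGS = {"1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
            "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
            "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
            "1.2.840.10045.4.3.3": "ecdsa-with-SHA384"}

def _tlv(buf, pos):
    """Decode one DER tag and length at buf[pos]; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes that follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _oid(raw):
    """Decode the content bytes of a DER OBJECT IDENTIFIER into dotted form."""
    parts, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(value)
            value = 0
    return ".".join(map(str, parts))

def signature_algorithm(der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }; return the OID."""
    _, start, _ = _tlv(der, 0)
    _, _, tbs_end = _tlv(der, start)          # skip tbsCertificate entirely
    _, alg_start, _ = _tlv(der, tbs_end)      # AlgorithmIdentifier SEQUENCE
    tag, oid_start, oid_end = _tlv(der, alg_start)
    if tag != 0x06: raise ValueError("signatureAlgorithm does not begin with an OID")
    return _oid(der[oid_start:oid_end])

def chain_signature_algorithms(pem_text):
    """Name the signature algorithm of every CERTIFICATE block in a chained PEM file."""
    blocks = [p.split("-----END CERTIFICATE-----")[0] for p in pem_text.split("-----BEGIN CERTIFICATE-----")[1:]]
    oids = [signature_algorithm(base64.b64decode("".join(b.split()))) for b in blocks]
    return [SIG_ALGS.get(oid, oid) for oid in oids]  # unknown OIDs are returned in dotted form

def non_sha1_members(pem_text):
    """Positions of chain members not signed with SHA-1, the ones a SHA-1-only WLC build rejects."""
    return [i for i, a in enumerate(chain_signature_algorithms(pem_text)) if "SHA1" not in a.upper()]

def _fake_cert_pem(oid_hex):
    """Constructed stand-in for a certificate: empty tbsCertificate, real AlgorithmIdentifier layout."""
    der = lambda tag, body: bytes([tag, len(body)]) + body  # short-form DER encoder, sample only
    cert = der(0x30, der(0x30, b"") + der(0x30, der(0x06, bytes.fromhex(oid_hex)) + b"\x05\x00") + der(0x03, b"\x00"))
    return "-----BEGIN CERTIFICATE-----\n" + base64.b64encode(cert).decode() + "\n-----END CERTIFICATE-----\n"
# Constructed chain: a SHA-1/RSA-signed CA followed by an ECDSA/SHA-384-signed device cert
SAMPLE_CHAIN = _fake_cert_pem("2a864886f70d010105") + _fake_cert_pem("2a8648ce3d040303")
```

On a real final-cert.pem, `openssl x509 -noout -text` prints the same Signature Algorithm field for each block; this script just avoids needing a matching OpenSSL build on the workstation.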
10-12-2016 10:57 PM
We use two different final.pem files, one for 7.6 and up and one for 7.5 and down: LINK
Note: In WLC Version 7.6 and later, only chained certificates are supported in the WLC for web authentication.