08-21-2013 12:35 PM - edited 07-04-2021 12:41 AM
I have a Cisco Wireless LAN Controller 5508, which uses 7.3.112.0. I have the VeriSign certificate but I received two intermediate files (primary and secondary), and my question is, which one do I use?
I have referred to this document from Cisco already and found no information on there:
http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00806e367a.shtml
Thanks!
08-21-2013 01:46 PM
Look at these links
https://supportforums.cisco.com/docs/DOC-16220
http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a0080a77592.shtml
Sent from Cisco Technical Support iPhone App
08-21-2013 03:01 PM
Thanks Scott. That's helpful! Now I know what to do
08-21-2013 03:15 PM
If that helped can you mark the post answered. Thanks
Sent from Cisco Technical Support iPhone App
08-22-2013 07:26 AM
I spoke to VeriSign and they don't know anything about these Certificate Levels. Are there any CAs out there that still give out one intermediate certificate that would work with the Cisco WLCs?
08-22-2013 08:23 AM
Nope... after I think in July 2010, all vendors migrated to a 2048 root CA which made all certs chained. They will no longer issue unchained certificates as that was a standard when they were using 1024.
Thanks,
Scott
Help out others by using the rating system and marking answered questions as "Answered"
08-22-2013 08:50 AM
Thanks Scott. So what does someone like me do who needs to use an SSL cert but can't install one because of this change?
08-22-2013 08:50 AM
Is there a way for me to use only one of the two intermediate certificates?
08-22-2013 08:55 AM
Nope.... you need to combine all the intermediates along with the device cert and the root.
Thanks,
Scott
08-22-2013 09:09 AM
Sorry if I sound stupid, but in your previous replies you sent a link with the following information in it:
Level 3 or higher is not supported
Level 3 - use of server certificate on WLC, two CA intermediate certificates and a CA Root Certificate.
So if I combine all the certificates as follows:
-----BEGIN CERTIFICATE-----
*Device cert*
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
*Intermediate CA primary cert*
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
*Intermediate CA secondary cert*
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
*Root CA cert*
-----END CERTIFICATE-----
It will work? Do all of these certs need to be in X.509 format?
Thanks!
08-22-2013 09:19 AM
That is a chained certificate.... if you're looking at using a cert for management, you need an unchained cert, which is typically one intermediate.
Thanks,
Scott
08-22-2013 09:22 AM
I need a cert for the users on the guest WLAN network as I want to set it up using the Web Authentication. I don't need to install a certificate for management purposes. Any tips or guidelines you can provide?
08-22-2013 09:28 AM
Okay... so for webauth, you need to reference the guide I posted earlier. Then request a general SSL cert from whomever. You will get a device cert and a few intermediate certificates, in which case you will have to either export the root from the device cert or ask them to send you the root cert also. Then you bundle them up using OpenSSL Light v9.8.... I think v1.0 works, but better safe than sorry. Once you combine the cert, you upload that to the WLC and on the VIP interface you set the DNS hostname, which is the FQDN of the cert. Make sure the DNS the guest will use can resolve the FQDN to the VIP. That's it.
Thanks,
Scott
08-22-2013 09:35 AM
The guide you posted doesn't say that two intermediates are supported. It says that two intermediates are not supported. So how would this work if they are not supported and I still combine them?
08-22-2013 09:38 AM
It's a level 2 cert:
Certificate Levels
So it would look like this:
-----BEGIN CERTIFICATE-----
*Device cert*
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
*Intermediate CA cert*
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
*Intermediate CA cert*
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
*Root CA cert*
-----END CERTIFICATE-----
Thanks,
Scott
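Added example (not part of the thread and not Cisco or VeriSign tooling): a standard-library Python check that a combined PEM file runs device cert, intermediate(s), root, in the order the replies above describe, before it is uploaded to the WLC. The names `check_bundle`, `names` and `fake_cert` are made up for this example, the sample certificates are constructed, unsigned stand-ins, and the check compares issuer and subject names only, with PEM delimiters required to have exactly five ASCII hyphens.

```python
import base64, re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s+(.*?)\s+-----END CERTIFICATE-----", re.S)

def _tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def names(der):
    """Return (issuer, subject) as raw DER bytes of an X.509 certificate."""
    _, pos, _ = _tlv(der, 0)                # Certificate SEQUENCE
    _, pos, _ = _tlv(der, pos)              # tbsCertificate SEQUENCE
    fields = []                             # serial, sigalg, issuer, validity, subject
    while len(fields) < 5:
        tag, _, end = _tlv(der, pos)
        if tag != 0xA0:                     # skip the optional [0] version
            fields.append(der[pos:end])
        pos = end
    return fields[2], fields[4]

def check_bundle(pem_text):
    """Return the intermediate count if the bundle runs device -> intermediate(s)
    -> root, else raise ValueError. Name chaining only, no signature check."""
    certs = [names(base64.b64decode(b)) for b in PEM_RE.findall(pem_text)]
    if len(certs) < 2:
        raise ValueError("need a device cert and a root at minimum")
    for i in range(len(certs) - 1):
        if certs[i][0] != certs[i + 1][1]:
            raise ValueError(f"cert {i} was not issued by cert {i + 1}")
    if certs[-1][0] != certs[-1][1]:
        raise ValueError("last cert is not a self-signed root")
    return len(certs) - 2

def _der(tag, body):                        # short-form length: sample data only
    return bytes([tag, len(body)]) + body

def fake_cert(subject, issuer):
    """CONSTRUCTED sample: unsigned, certificate-shaped PEM for the demo."""
    name = lambda cn: _der(0x30, _der(0x31, _der(0x30,
        bytes.fromhex("0603550403") + _der(0x0C, cn.encode()))))
    tbs = _der(0x30, bytes.fromhex("a003020102" "020101" "3000")
               + name(issuer) + bytes.fromhex("3000") + name(subject))
    body = base64.encodebytes(_der(0x30, tbs)).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}-----END CERTIFICATE-----\n"
```

To use it on a real file, pass the file's text to `check_bundle`; a `ValueError` names the first certificate that is out of order.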