WLC: which software versions support SHA2 certificates for Web Authentication and Web Management?

Hello,

I tried to install new SHA2 third-party certificates on our WLCs. There are old WiSM1 boards and 2504s to support our old 1230 access points, running 7.0.251.2, which didn't install them, although the config manuals for 7.6 and 8.0 say that SHA2 certificates are supported since 7.0.250.0. When I tried to install the SHA2 certificates I got the message "File transfer failed" and the log says:

*TransferTask: Dec 12 13:22:14.394: #UPDATE-3-CERT_INST_FAIL: updcode.c:1869 Failed to install Webauth certificate. rc = 1
*TransferTask: Dec 12 13:22:14.394: #SSHPM-3-KEYED_PEM_DECODE_FAILED: sshpmcert.c:4085 Cannot PEM decode private key

I tried to install the same certificates on our WiSM2-Boards, running 7.4.121.0 and I failed too. The same certificates could be installed on a 2504 running 8.0.100 without any problems.

In all 3 cases I tried to install unchained certificates for web management and level 3 chained certificates for web authentication. I used the following guides to get the certificates (e.g. taken from the config manual 8.0.100):

http://www.cisco.com/c/en/us/support/docs/wireless/4400-series-wireless-lan-controllers/109597-csr-chained-certificates-wlc-00.html

http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wlan-security/70584-csr-wlc-00.pdf

Which software versions support SHA2 certificates and which don't? Is there a list for it?

Regards,

C. Ruckelshausen
4 Replies

Saurav Lodh
Level 7

Could be the bug: Need WLC Support for SHA-256 #CSCup57577

Known affected release: 7.4(121.0)

Freerk Terpstra
Level 7

The WLC supports SHA-2 certificates since release 8.0.100, so at this moment this is the only release where this is supported.

Hello,

I solved the problem. First I used a Debian Linux system with OpenSSL 1.0.1. After I searched the internet using one of the log messages above, I found sites which mentioned using OpenSSL 0.9.x. So I tried a production Debian Linux system with security fixes, running OpenSSL 0.9.8, and I succeeded. The WLCs accepted the certificate files and used them after a reboot. The Web GUI still shows a SHA1 fingerprint, but the certificate signature algorithm is SHA2:

Signature Algorithm: sha256WithRSAEncryption

When you check the openssl.org homepage, OpenSSL 0.9.8 is still one of the current versions of OpenSSL and is still available and fixed. But the OpenSSL roadmap says:

"We don't want to have to maintain too many branches. This is likely to include a timescale for the EOL of version 0.9.8"

I don't know the differences between certificates made with OpenSSL 0.9.8 and 1.0.1. Is there anybody who can explain it to me?

Regards,

C. Ruckelshausen
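An added example (editor's code, not from the thread or from Cisco) that checks which of the two PEM private-key encodings a key file uses. It encodes my reading of the "Cannot PEM decode private key" log line, namely that 0.9.8 `openssl req -newkey` writes the key as PKCS#1 "BEGIN RSA PRIVATE KEY" while 1.0.x defaults to PKCS#8 "BEGIN PRIVATE KEY"; the thread does not confirm this, and the sample keys below are constructed structural stubs, not real keys.

```python
import base64
import re

# Assumed explanation of the 0.9.8 vs 1.0.1 difference (not stated in the thread):
# 0.9.8 "openssl req -newkey" writes PKCS#1 "BEGIN RSA PRIVATE KEY", while 1.0.x
# writes PKCS#8 "BEGIN PRIVATE KEY" / "BEGIN ENCRYPTED PRIVATE KEY" by default.
PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", re.S)

def _der_len(buf, i):
    """Return (length, index just past the length field) for the DER length at buf[i]."""
    if buf[i] < 0x80:
        return buf[i], i + 1
    n = buf[i] & 0x7F
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n

def der_private_key_kind(der):
    """Classify an unencrypted DER private key by what follows its version INTEGER."""
    if der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, i = _der_len(der, 1)
    if der[i] != 0x02:
        raise ValueError("version INTEGER missing")
    vlen, i = _der_len(der, i + 1)
    i += vlen
    if der[i] == 0x30:  # AlgorithmIdentifier SEQUENCE next: PKCS#8 PrivateKeyInfo
        return "pkcs8"
    if der[i] == 0x02:  # modulus INTEGER next: PKCS#1 RSAPrivateKey
        return "pkcs1-rsa"
    raise ValueError("unrecognised private key structure")

def pem_private_key_format(pem_text):
    """Label a PEM key as pkcs8, pkcs8-encrypted, pkcs1-rsa or pkcs1-rsa-encrypted."""
    m = PEM_RE.search(pem_text)
    if not m:
        raise ValueError("no PEM block found")
    label, body = m.group(1), m.group(2)
    if label == "ENCRYPTED PRIVATE KEY":
        return "pkcs8-encrypted"
    if "Proc-Type: 4,ENCRYPTED" in body:  # legacy OpenSSL headers inside the block
        return "pkcs1-rsa-encrypted"
    return der_private_key_kind(base64.b64decode("".join(body.split())))

def _pem(label, der):
    return f"-----BEGIN {label}-----\n{base64.b64encode(der).decode()}\n-----END {label}-----\n"

# Constructed, structurally minimal samples (not real keys), used only for demonstration.
SAMPLE_PKCS1_PEM = _pem("RSA PRIVATE KEY", bytes.fromhex("3009020100020107020103"))
SAMPLE_PKCS8_PEM = _pem("PRIVATE KEY", bytes.fromhex("300a020100300306012a0400"))
SAMPLE_LEGACY_ENCRYPTED_PEM = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                               "DEK-Info: DES-EDE3-CBC,0123456789ABCDEF\n\nQUJD\n-----END RSA PRIVATE KEY-----\n")
```

If the check reports pkcs8 for a key generated on 1.0.x or 1.1.x, `openssl rsa -in key.pem -out key-legacy.pem` rewrites it in the PKCS#1 form (OpenSSL 3.x needs the extra `-traditional` flag).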

Does the browser recognize it as SHA-1 or SHA-2? Or, in other words, will this allow us to create certificates that will continue to function after IE and Chrome start rejecting HTTPS web pages using SHA-1?
