09-10-2012 02:54 PM - edited 07-03-2021 10:38 PM
Team,
Did anybody try to use a godaddy.com SSL certificate with a Cisco WLC to get rid of the untrusted certificate warning when guests do captive portal authentication? GoDaddy is not a root authority, it's an intermediate authority, which is why I'm asking. Can you please guide me to any instructions?
09-10-2012 03:09 PM
Go Daddy should work, so long as the client has the Go Daddy Root Cert installed. Go Daddy isn't always in the list of trusted root CAs that's there by default on machines.
HTH,
Steve
------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered
09-10-2012 05:48 PM
Just to add to Steve's post: I have used GoDaddy chained certificates in a bunch of my recent installs with no problems at all.
Thanks,
Scott
Help out other by using the rating system and marking answered questions as "Answered"
09-10-2012 06:32 PM
Did you have to do anything special, or simply generate the CSR from the GUI and send it to GoDaddy to sign? Usually GoDaddy certificates are issued by an intermediate CA, so it takes extra steps before the certificate gets recognized. It's an easy step on the servers, but I don't know if there is such a thing for the WLC device.
Thanks,
09-10-2012 06:36 PM
I follow this doc all the time and the other doc is a support doc:
http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a0080a77592.shtml
https://supportforums.cisco.com/docs/DOC-16220
When you get the intermediate and the device cert back from the vendor, I usually just take the device cert then open it up and then copy the intermediate and then the root. Then I combine it all as what the instructions are.
When creating the CSR, I make sure that I specify 2048 bit and don't use a password. I use the password when I'm in the last few steps of converting the combined certs into the final pem file.
Thanks,
Scott
09-10-2012 06:41 PM
Scott is on the ball this evening, "fo sure".
I just did a CSR and loaded it on my anchors today so a lot of this is fresh in the mind.
You will need to generate a CSR. The WLC GUI doesn't do this. You will need OpenSSL. If you use OpenSSL, make sure you don't use a light version; it needs to be a full version. I used 0.9.8x today without any issues. Also make sure the cert is SHA1; SHA2 isn't supported. I learned that today the hard way.
I also recorded step by step on my blog this process ..
09-10-2012 06:47 PM
haha... only sometimes, George. For most of my installs I like my clients to purchase a 3rd party cert, and since GoDaddy is cheap, why not use them. One thing that Steve mentioned and I will say again is to take a look at the Root CA and make sure that it's one of the trusted root CAs in the client. Some vendors might generate the cert on a newer root CA and some of your clients will get an error message. If this happens, you can request that the vendor generate it with a different CA.
Good blog George!
Thanks,
Scott
09-10-2012 06:51 PM
Didn't know you can request a new root CA signed by someone else from Go Daddy ... Talk about GO DADDY. What a mess.
Oh, BTW do you have the client do the CSR and the 9 yards ? Or do you normally handle that ?
09-10-2012 06:57 PM
I normally handle the whole thing except for purchasing the certificate.
So I would generate the CSR and have the client verify all the information before generating that. Then after they get the certificate, I will combine the various certificates and then, using openssl for everything, generate the pem file that needs to be uploaded to the WLC.
It's easier for me, because it saves me time troubleshooting why it's not working. For me, it takes less than 30 minutes while I drink my coffee, but if I get a pem file from the client and it fails, well, it takes a lot more time to get it fixed.
Thanks,
Scott
Help out other by using the rating system and marking answered questions as "Answered"
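Added example, not part of any post in this thread and not the posters' or Cisco's own tooling: a pre-upload check for the combined file described above (device certificate, then intermediate, then root) and the passphrase-less key from the CSR step. The subject names, file names and the throwaway test chain are constructed; only standard `openssl` subcommands are used.

```shell
#!/bin/sh
# Added example. All subject names and file names are constructed placeholders.

# Build a throwaway root -> intermediate -> device chain in directory $1 (test data only).
make_test_chain() {
  d=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Example Test Root" \
    -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Test Intermediate" \
    -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -days 2 -out "$d/int.pem" 2>/dev/null
  # Device CSR as described in the thread: 2048-bit key, no passphrase (-nodes).
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=guest.example.test" \
    -keyout "$d/mykey.pem" -out "$d/myreq.pem" 2>/dev/null
  openssl x509 -req -in "$d/myreq.pem" -CA "$d/int.pem" -CAkey "$d/int.key" \
    -CAcreateserial -days 2 -out "$d/device.pem" 2>/dev/null
}

# Check a combined file before upload: every cert is issued by the next one,
# the last cert is self-signed, and the private key belongs to the first cert.
# Prints OK or the reason; returns 0 only for OK.
check_bundle() {   # $1 = combined PEM, $2 = private key
  t=$(mktemp -d) || return 2
  # Split the bundle into c1.pem, c2.pem, ... in file order.
  awk -v p="$t/c" '/BEGIN CERTIFICATE/{n++} n{print > (p n ".pem")}' "$1"
  n=$(($(ls "$t" | wc -l))); i=1
  [ "$n" -ge 1 ] || { echo "no certificates found"; rm -rf "$t"; return 1; }
  while [ "$i" -le "$n" ]; do
    j=$((i + 1)); [ "$i" -lt "$n" ] || j=$i      # the last cert must sign itself
    iss=$(openssl x509 -in "$t/c$i.pem" -noout -issuer_hash)
    sub=$(openssl x509 -in "$t/c$j.pem" -noout -subject_hash)
    [ "$iss" = "$sub" ] || { echo "cert $i is not issued by cert $j"; rm -rf "$t"; return 1; }
    i=$((i + 1))
  done
  cpub=$(openssl x509 -in "$t/c1.pem" -noout -pubkey)
  kpub=$(openssl pkey -in "$2" -pubout 2>/dev/null)
  rm -rf "$t"
  [ "$cpub" = "$kpub" ] || { echo "private key does not match first certificate"; return 1; }
  echo OK
}

# Usage: sh check_bundle.sh All-certs.pem mykey.pem
if [ "$#" -eq 2 ]; then check_bundle "$1" "$2"; fi
```

The comparison uses name hashes only, so it catches a mis-ordered or incomplete file and a key from a different CSR; it does not validate signatures or expiry.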
09-10-2012 07:00 PM
GoDaddy has been issuing the certificate from the "Go Daddy Class 2 Certification Authority" Root CA in the last 5 or so I have done with them.
Thanks,
Scott
09-10-2012 07:03 PM
Tell me about it. When I used to get a case I would end up just redoing the CSR most of the time.
Steve
Sent from Cisco Technical Support iPhone App
09-10-2012 07:01 PM
Wait .. So what are you using to create the csr and private key, not OpenSSL ?
09-10-2012 07:04 PM
No... I do use OpenSSL v9.8.x and not OpenSSL v1.x (doesn't work)... Sorry for the confusion
Thanks,
Scott
09-10-2012 07:08 PM
Like I tell all my peers... "sometimes it's better to do it yourself"
09-10-2012 07:12 PM
Here is the cert from GoDaddy, the last 5 or so times:
Thanks,
Scott