WLC9800 Install Certificate and it works for webauth but not webadmin

TRNnHelp
Level 1

I have a certificate installed and working on my WLC9800 for webauth.  The same certificate does not seem to be working for Webadmin.

For Webadmin I went into administration > management > HTTP/HTTPS/Netconf/VTY and changed the trustpoint to the one I used for webauth with the working certificate.  But still get a not secure when I go into the controller.  Is there something else that needs to be done to have it work for Webadmin?

8 Replies

marce1000
VIP

 

 - Review this documentation: https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/221047-understand-certificate-and-trustpoint-ty.html

 M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always respond to me with ' The only thing that exceeds your brilliance is your beauty! '

TRNnHelp
Level 1
I did this and it shows the correct trustpoint certificate, but I still get "Your connection is not private" when I access the controller.

9800#show ip http server status | include trustpoint
HTTP secure server trustpoint: .pfx <-- trustpoint configured for HTTP services
HTTP secure server peer validation trustpoint:

 

 - Make sure that the certificate is from a well-known provider and/or contains a valid CA.

 M.




The certificate is working for webauth. It's a wildcard cert from a known provider. Yes, I restarted.

You did not answer most of my questions which @Wes Schochet also expanded on ...

It's working now. The issue was I needed to access the GUI using the fully qualified domain name for it to work.

1. What is the REASON for the "not private" in the browser? (click on the warning to see more details and the actual certificate)
2. Is the browser seeing the certificate you think you enabled?
3. Did you restart the web server as per the instructions?
4. Does the certificate exactly match the DNS FQDN you are using to access the WLC? eg https://mywlc.mycompany.com

Rich is asking the right questions.  I have been through this quite a bit.

First, you need to make sure the entire trust chain is included in the pfx.  Then, make sure any name that you would use in the URL is either the CN of the certificate or a SAN.  I usually use the following:

  1. CN = 5520-1.myco.org
  2. SAN DNS1=5520-1
  3. SAN IP = 10.1.1.1  (IP for GigabitEthernet1)
  4. SAN IP = 10.2.1.1  (IP for SVI for Wireless Management interface)

This way, all of your bases are covered.
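
Added example (not code from any poster in this thread): a simplified Python model of browser name checking, showing why a wildcard certificate validates only when the GUI is opened by FQDN, while the name set listed above also covers the short name and both IPs. It assumes the browser matches SAN entries only, so the CN name is repeated as a DNS SAN; `*.myco.org` is a hypothetical wildcard.

```python
import ipaddress


def dns_name_matches(pattern: str, host: str) -> bool:
    """Compare one DNS SAN entry with the host typed in the URL.

    A '*' is honoured only as the entire left-most label and stands for
    exactly one label, so '*.myco.org' never covers '5520-1' or 'myco.org'.
    """
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h) or not all(h):
        return False
    if p[0] == "*":
        # Simplification of the browsers' public-suffix rule:
        # require at least two fixed labels after the wildcard.
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def host_matches_cert(host: str, san_dns: list[str], san_ip: list[str]) -> bool:
    """True if the URL host is covered by the certificate's SAN entries."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return any(dns_name_matches(p, host) for p in san_dns)
    # IP literals are compared only with IP SAN entries, never with DNS names.
    return any(ipaddress.ip_address(ip) == addr for ip in san_ip)


def coverage(hosts, san_dns, san_ip):
    """Map each way of reaching the GUI to whether the certificate names it."""
    return {h: host_matches_cert(h, san_dns, san_ip) for h in hosts}


# Constructed inputs: names and addresses taken from the list above.
URL_HOSTS = ["5520-1.myco.org", "5520-1", "10.1.1.1", "10.2.1.1"]
# Hypothetical wildcard certificate (assumption: SAN is just *.myco.org).
WILDCARD_CERT = {"san_dns": ["*.myco.org"], "san_ip": []}
# The name set from the list above, with the CN repeated as a DNS SAN.
EXPLICIT_CERT = {"san_dns": ["5520-1.myco.org", "5520-1"],
                 "san_ip": ["10.1.1.1", "10.2.1.1"]}

if __name__ == "__main__":
    for label, cert in (("wildcard", WILDCARD_CERT), ("explicit", EXPLICIT_CERT)):
        for host, ok in coverage(URL_HOSTS, **cert).items():
            verdict = "name covered" if ok else "NAME MISMATCH"
            print(f"{label:9} https://{host:<16} {verdict}")
```
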

 

 
