Generate CSR for Third Party Cert and Download unchained cert on Wireless LAN Controller (WLC)


Nov 26, 2011 12:40 AM
Nov 26th, 2011


This Blog explains How to Generate a Certificate Signing Request (CSR) in order to obtain a third-party certificate and how to download an unchained certificate to a Wireless LAN Controller (WLC).


Trying to install a webauth certificate on a WLC (5508 6.0.188). After following the "Generate CSR for Third-Party Certificates and  Download Unchained Certificates to the WLC" document, when try to upload the .pem file, getting "the error installing certificate" prompt.


No errors with OpenSSL.


  1. The OpenSSL versions available from do not create a final.pem that work with the WLC.
  2. download OpenSSL using this link and installed into C:\OpenSSL (It tries to install to program files, install location doesn't matter I just like it on the root of C)

   3.  Follow all of the steps outline on "

Generate CSR for Third-Party Certificates and Download Unchained Certificates to the WLC

".4.     Uploaded the final.pem file and it install without any problems.5.     In this example this Certificate used is from RapidSSL, so it could be from others as well.


In case of this is a renewal cert i.e. second time install on WLC, Don't forget to keep the original copy of OpenSSL that worked for the first time.   That will make cert renewal much easier.


Sometimes Open SSL v 1.x seems to cause issues. Some TAC engineers always used v0.9.8 also asked that the CSR doc have notes added to them mentioning issues with 1.x. Also they checked the chained and unchain CSR doc for the WLC and both do now contain a note about using v0.9.8:

Generate a CSR

Complete these steps in order to generate a CSR:

  1. Install and open the OpenSSL application. In Windows, by default, openssl.exe is located at C:\ > openssl > bin.Note: Cisco recommends that you use OpenSSL v0.9.8 for Windows.

Additional formation

WLC versions and later support chained certificates (up to a level of 2)

Certificate Levels

Level 0 – Use of only a server certificate on WLC

Level 1 – Use of server certificate on WLC and a CA root certificate

Level 2 – Use of server certificate on WLC, one single CA intermediate certificate, and a CA root certificate.

Level 3 -  Use of server certificate on WLC, two CA intermediate certificate, and a CA root certificate.

The Anchor WLC is configured with HTTPS. When a guest user connects to the wireless guest network they will be presented with a WLC self signed certificate or an expired certificate. As such, this will cause the “please accept” this certificate screen.

Reference Link

Generate CSR for Third-Party Certificates and Download Unchained Certificates to the WLC

This document was generated from the following discussion: error installing certificate - help

Average Rating: 0 (0 ratings)


rob.simkins Tue, 02/28/2012 - 01:22

Consider an enterprise setup as follows:

Foreign WLC (web-auth redirect to NAC Guest Server) > Anchor WLC

Which devices need a 3rd party trusted cert in this setup?  All?

George Stefanick Sat, 03/24/2012 - 11:15 (reply to rob.simkins)


As Drew point out its the anchor and guest server. Rule of thumb, whereever the client gets dropped is where the cert / guest page happens.

anbetz Thu, 03/22/2012 - 10:08

Hi Rob,

The Anchor WLC, and NAC Guest Server will both need a trusted SSL certificate.  The Foreign WLC does not require this.




Login or Register to take actions

Related Content

Blogs Leaderboard

Rank Username Points
1 25
2 5
Rank Username Points