This Blog explains How to Generate a Certificate Signing Request (CSR) in order to obtain a third-party certificate and how to download an unchained certificate to a Wireless LAN Controller (WLC).
Trying to install a webauth certificate on a WLC (5508 6.0.188). After following the "Generate CSR for Third-Party Certificates and Download Unchained Certificates to the WLC" document, when try to upload the .pem file, getting "the error installing certificate" prompt.
No errors with OpenSSL.
- The OpenSSL versions available from www.openssl.org do not create a final.pem that work with the WLC.
- download OpenSSL using this link http://www.ingate.com/files/Win32OpenSSL-0.9.6-1.0.zip and installed into C:\OpenSSL (It tries to install to program files, install location doesn't matter I just like it on the root of C)
3. Follow all of the steps outline on Cisco.com "
".4. Uploaded the final.pem file and it install without any problems.5. In this example this Certificate used is from RapidSSL, so it could be from others as well.
In case of this is a renewal cert i.e. second time install on WLC, Don't forget to keep the original copy of OpenSSL that worked for the first time. That will make cert renewal much easier.
Sometimes Open SSL v 1.x seems to cause issues. Some TAC engineers always used v0.9.8 also asked that the CSR doc have notes added to them mentioning issues with 1.x. Also they checked the chained and unchain CSR doc for the WLC and both do now contain a note about using v0.9.8:
Complete these steps in order to generate a CSR:
- Install and open the OpenSSL application. In Windows, by default, openssl.exe is located at C:\ > openssl > bin.Note: Cisco recommends that you use OpenSSL v0.9.8 for Windows.
WLC versions 126.96.36.199 and later support chained certificates (up to a level of 2)
Level 0 – Use of only a server certificate on WLC
Level 1 – Use of server certificate on WLC and a CA root certificate
Level 2 – Use of server certificate on WLC, one single CA intermediate certificate, and a CA root certificate.
Level 3 - Use of server certificate on WLC, two CA intermediate certificate, and a CA root certificate.
The Anchor WLC is configured with HTTPS. When a guest user connects to the wireless guest network they will be presented with a WLC self signed certificate or an expired certificate. As such, this will cause the “please accept” this certificate screen.
Consider an enterprise setup as follows:
Foreign WLC (web-auth redirect to NAC Guest Server) > Anchor WLC
Which devices need a 3rd party trusted cert in this setup? All?
The Anchor WLC, and NAC Guest Server will both need a trusted SSL certificate. The Foreign WLC does not require this.
Its the anchor and guest server. Rule of thumb, wherever the client gets dropped is where the cert / guest page happens.
This document was generated from the following discussion: error installing certificate - help