Certificate questions for WebAuth clients

Jul 23rd, 2007


I have a few questions about certificates as I am debating on purchasing a 3rd party certificate for webauth clients. I'm running WCS and my 4404's are on

1. Which type of certificate is preferred, between self-signed and 3rd party (verisign, rapidssl, etc)? Which works better and is easier to set up between the two types?

2. Does the CN need to be the virtual interface's DNS hostname, or can it be the actual virtual address (

3. If it needs to be DNS, does the CN have to be 'hostname.domain.com' or just 'hostname'?

4. Does the DNS name for the virtual interface need to be registered and active on the DNS servers?

5. If self-signed certificates are preferred, how do I change the parameters (ie, the CN) of the certificate on the controllers to remove the error messages of 'invalid hostname' by putting in a valid one?

6. Will having a valid certificate affect any other WLAN/SSID in some way (that don't have webauth)?

Thank you for your time on answering these.


irisrios Fri, 07/27/2007 - 13:26

If you have WCS you can use self-signed certificates. WCS can use templates to push the valid AP list to controllers.

jpeterson6 Tue, 07/31/2007 - 06:00

Thanks for the reply.

However, I still need to know the answers to at least questions 2,3,4 and 5 before I use self-signed certificates without the popup saying the certificates are invalid.

I already have self-signed running for my webauth SSID but I want to get rid of the error, hence the questions. The main reason being this is a campus environment so I do not have access to the client laptops; many students use their own.

Can anyone answer these please?

andrew.brazier@... Sat, 08/04/2007 - 12:54

Although I don't have much experience with WCS my advice with certs is always buy one, might cost more but it's much less hassle! In answer to your questions:

1. 3rd party, go to www.rapidssl.com. 1 year cert, 60 bucks. Bargain and the whole process takes 20 minutes.

2. I believe the CN would need to be the fqdn, hostname.domain.com.

3. See above.

4. Not as far as I know, never needed to do this for any other type of box.

5. Don't go there!

6. I'd be very surprised if it did.

Hope this helps. : )

jpeterson6 Fri, 08/24/2007 - 10:43

Based on the advice to 'not go there' regarding configuring the CN of a self-signed cert, I've decided to go with 3rd party.

Now a new question surfaced once I started looking into where to get one. Am I looking for a root cert or an intermediate? I'm pretty sure it's root that I'm looking for but a little extra confirmation wouldn't hurt.

andrew.brazier@... Fri, 08/24/2007 - 23:41

To be honest, I don't know what they're called : )

Having said that, I get my certs from www.rapidssl.com. All you need do is generate a Certificate Signing Request, go to the web site and work through the submission and order process, pasting in your CSR when prompted. At the end of it you'll get an email with your certificate enclosed. After that the final step is to install the cert on your box. The corresponding root cert is built into Windows so no need for any installations on any client devices.
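The CSR step described in the reply above, together with the CN question from earlier in the thread (does the CN have to be `hostname.domain.com` or just `hostname`?), can be tried end to end with OpenSSL. The script below is an added example, not something posted in this thread or shipped with WCS or the WLC; it assumes OpenSSL 1.1.1 or newer (for `-addext`) and uses `webauth.example.com` as a placeholder for the virtual interface's FQDN. It generates the key and CSR you would paste into the CA's order form, then, standing in for the CA, self-signs the same name so that `openssl verify -verify_hostname` can show offline which names a browser would accept: the FQDN passes, while the bare hostname and the raw IP address both fail with a hostname mismatch, which is the same class of error the original poster is seeing from the self-signed certificate.

```shell
#!/bin/sh
# Added example (not from the thread): build a key + CSR for a webauth portal
# and check which names the resulting certificate satisfies.
set -e

FQDN="webauth.example.com"   # assumed placeholder for the virtual interface's DNS name
WORK="$(mktemp -d)"
KEY="$WORK/webauth.key"
CSR="$WORK/webauth.csr"
CERT="$WORK/webauth-selfsigned.pem"
trap 'rm -rf "$WORK"' EXIT

# Step 1: private key and CSR. CN is the FQDN, and the same FQDN is repeated in
# subjectAltName because browsers match on SAN when one is present.
make_csr() {
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$KEY" -out "$CSR" \
        -subj "/CN=$FQDN" \
        -addext "subjectAltName=DNS:$FQDN" 2>/dev/null
}

# Read the CN back out of the CSR so it can be checked before it is submitted.
csr_common_name() {
    openssl req -in "$CSR" -noout -subject | sed -n 's/.*CN *= *//p'
}

# Step 2 (stand-in for the CA): self-sign a certificate carrying the same names.
# With a commercial CA you submit $CSR and install the certificate they return.
self_sign() {
    openssl req -x509 -new -key "$KEY" -days 365 \
        -subj "/CN=$FQDN" \
        -addext "subjectAltName=DNS:$FQDN" \
        -out "$CERT" 2>/dev/null
}

# Step 3: ask OpenSSL whether the certificate is valid for a given name, exactly
# as a browser would when the captive portal redirects to that name.
# Prints "yes" or "no" so the result can be tested.
cert_matches_hostname() {
    if openssl verify -CAfile "$CERT" -verify_hostname "$1" "$CERT" >/dev/null 2>&1; then
        echo yes
    else
        echo no
    fi
}

make_csr
self_sign

echo "CSR common name: $(csr_common_name)"
for name in "$FQDN" "webauth" "192.0.2.10"; do
    echo "valid for $name: $(cert_matches_hostname "$name")"
done
```

The point for the original questions: the certificate is only accepted for the exact name the client's browser is sent to, so the CN (and SAN) must be the full `hostname.domain.com` that appears in the redirect, not the short hostname and not the IP address. The certificate you order from a commercial CA is a server certificate for that name; the CA's own root is what is already present in the client's trust store, which is why nothing needs to be installed on student laptops.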

jpeterson6 Wed, 08/29/2007 - 08:47

While the WCS runs on a Windows box, the two devices it controls (the WLCs) are where the certificates will be installed. These devices are Cisco hardware/software so they do not have Windows.

Though based on that it's looking like I need to have a root cert generated.

