WLC 4402 - Certificate & URL

Unanswered Question

WLC 4402

Software Version


I have a certificate that I am trying to import into WLC. When using "transfer download start" I get the following error: "error installing certificate".

When I use "debug pm pki enable" functionality I see this as the cause of the above error: "sshpmDecodePrivateKey: private key decode failed..." and "sshpmAddWebadminCert: key extraction failed."

What do I need to do to resolve this error? I followed all the instructions regarding using openssl to request a csr.


When a user gets redirected to authenticate they get " as the URL and they get the login page. When I change the DNS host name in 'virtual' interface to https://wifi.ourdomain.com the user gets a "Page not found" instead of a login page? I cannot add a DNS entry to in our DNS servers (does not recognise as valid IP) so what do I need to do?



I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
mruhenkamp Thu, 01/10/2008 - 08:39

Did you by chance get your Certificate problem resolved? I am having the exact same issue.

Scott Fella Tue, 01/15/2008 - 14:44

You have to make sure you set a password on the pem file you are trying to upload and enter the password when you tftp the webauth cert.

After you successfully upload the cert to the WLC then go to the VIP Interface and enter the wifi.ourdomain.com in the DNS Name box. You can change the Virtual IP to a private IP that you are not using in your network... 192.168.253.x or something like that. The certificate DN=wifi.ourdomain.com and the VIP DNS name wifi.ourdomain.com has to resolve of else you will get the "Page not found".

securityfirst Fri, 01/18/2008 - 06:58

We've got same issue here with 4.2.61.

Certificate Password is set and verified, cert is PEM encoded, and not chained.

show debug transfer all enable

show debug pm pki enable

Be aware that each unsuccessfull try force you to reset the controler. After many tries we've noticed that the WLC keeps installing the same certificate, even if you tftp a new one, until you do reset the device.


TFTP Webauth cert transfer starting.

Locking tftp semaphore, pHost= pFilename=wifiguest.tr

Semaphore locked, now unlocking, pHost= pFilename=wifiguest.tr

Semaphore successfully unlocked, pHost= pFilename=wifiguest.tr

TFTP: Binding to local= remote=

TFP End: 2323 bytes transferred (1 retransmitted packets) <--- actual size of certificate file

tftp rc=0, pHost= pFilename=wifiguest.tr pLocalFilename=cert.p12

RESULT_STRING: TFTP receive complete... Installing Certificate.


TFTP receive complete... Installing Certificate.

Adding cert (2303 bytes) with password "" <-- size not good, password blank?

sshpmAddWebauthCert: extracting private key from webauth cert; pwd: <>.

sshpmDecodePrivateKey: private key decode failed...

sshpmAddWebauthCert: key extraction failed.

RESULT_STRING: Error installing certificate.


Error installing certificate.

My guess is that the certicate password is not set (even if we initiated transfer webauth cert password), resulting in a decoding error. Perhaps that the blank password in logs is a security, but we also got an error when using the web method to upload web auth certificate saying "error setting web auth cert password" or something like that....

DJCanuck1_2 Fri, 01/18/2008 - 09:08

Has anyone resolved the DNS registration issue to I have generated an internal cert from our root CA and have this working with the IP address internally. My question is regarding registering a public certificate to the address During the web authentication, we would like the end user not to be prompted with the WLV certificate warning by using a publicly trusted cert. Is this possible for the IP

Scott Fella Fri, 01/18/2008 - 09:12

When you request a certificate, you specify the DN to a DNS name you will resolve to This will work. If you don't want the user to see the, use a private IP address that you currently are not using and resolve the DN and DNS to that IP.

DJCanuck1_2 Fri, 01/18/2008 - 09:21

So are you saying that the WLC virtual interface can use an IP other that I didn't think you could change this....

Scott Fella Fri, 01/18/2008 - 10:01

yes you can... just make sure if you have any other controllers in the mobility group that all have the same VIP address.

craig.eyre Thu, 06/12/2008 - 08:26

Sorry to bud in but if I read this right regarding the same IP for each VIP in a mobility group. Can you use the same ssl certificate for say 3 wlc's in the same mobility group?


Scott Fella Thu, 06/12/2008 - 08:30

Yes you can. For example, if you have 2 guest anchor controllers, you can use the same ssl cert for both the guest controllers. You just have to make sure the VIP is the same and the DNS Name is the same.

craig.eyre Thu, 06/12/2008 - 11:46

Thanks Fella,

One more question, do I need to create an actual DNS record on our dns server for the new private ip address for the VIP.

E.g. If I change from to and add wifi.bob.com. Do I need a dns entry on our dns server or do I just need to certificate to match my changes?

Thanks again.

Scott Fella Thu, 06/12/2008 - 11:50

When you create the CSR, you have a CN field that equals to wifi.bob.com. You have to resolve that name to the VIP. If you don't, you will get the certificate error.

craig.eyre Wed, 06/18/2008 - 07:58


The virtual interface is in essence a dummy interface so to speak. I assume that once your wireless clients get their dhcp information that they get your local dns servers as well?

I just created and entry on the dns server for the "virtual" interface e.g. dns name wifi. This should append to your normal domain name like wifi.bob.com.

On the controller just change the virtual interface to dns name wifi (or whatever you decide on) apply it and then you'll need to restart the controller.( you could wait to restart as you need to restart after you apply the new certificate)

Go get a SSL cert from either RapidSSL, Thawte, Verisign etc.... and follow the following document to make and apply the cert.


You can get a test cert from thawte to make sure that you created everything right before you purchase the correct one. Don't want to have to buy a second cert if you mess up the first one.


Anymore questions just let me know.


>I assume that once your wireless clients get

>their dhcp information that they get your

>local dns servers as well?

No, they get the DNS servers of our ISP, on their way through our custom-written, installed-on-the-controller portal. I guess I should have mentioned that this is a public-access municipal wifi zone. So of course we don't have the ability to create a mapping in that DNS, and (the viritual IP) isn't public anyway.

It makes sense to create a cert for the virtual interface name, but I guess I have no way for the cert to reverse lookup for verification...

fmarottactg Tue, 04/29/2008 - 09:01

I am having the same issue.

TFTP receive complete... Installing Certificate.

Tue Apr 29 08:56:51 2008: Still waiting! Status = 2

Tue Apr 29 08:56:54 2008: Adding cert (2851 bytes) with password ""

Tue Apr 29 08:56:54 2008: sshpmAddWebauthCert: extracting private key from webauth cert; pwd: <>.

Tue Apr 29 08:56:54 2008: sshpmDecodePrivateKey: ssh_skb_get_info() failed.

Tue Apr 29 08:56:54 2008: sshpmAddWebauthCert: key extraction failed.

Tue Apr 29 08:56:54 2008: RESULT_STRING: Error installing certificate.

Tue Apr 29 08:56:54 2008: RESULT_CODE:12

Tue Apr 29 08:56:54 2008: ummounting: cwd = /mnt/application

Tue Apr 29 08:56:54 2008: finished umounting

Has anyone been able to resolve this?

Scott Fella Tue, 04/29/2008 - 10:05

Looks like you didn't create the pem file correctly. use this doc to create a valid CSR.


Once this is installed on the WLC, you then need to go to the VIP interface and put the DNS that you used in the CN for the cert. You will have to reboot the WLC after this. Make sure you can resolve the homepage of the user or else you will get "page cannot be displayed". Also if you have a proxy, then it will fail and you will have to disable proxy and after authentication, then enable proxy.

marcin.waliczek Sun, 04/10/2011 - 01:19


I have the same problem now:

sshpmDecodePrivateKey: ssh_skb_get_info() failed

It seems that this is not a problem of certificate itself, because it works on two WLCs (installed in December 2010), but can't install now on other WLCs.

Any ideas ?



Scott Fella Thu, 02/14/2013 - 10:11

Yes you do... Looks like you found George's blog:)

Sent from Cisco Technical Support iPhone App

George Stefanick Thu, 02/14/2013 - 10:15

This is one my most visited blog post ,..

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
‎"I'm in a serious relationship with my Wi-Fi. You could say we have a connection."


This Discussion



Trending Topics: Other Wireless Mobility

client could not be authenticated
Network Analysis Module (NAM) Products
Cisco 6500 nam
reason 440 driver failure
Cisco password cracker
Cisco Wireless mode