applying ssl certificates to the 4404 controller

Apr 24th, 2009

How is this done? We bought a certificate file and have 2 4404 controllers.


Where do I go to apply this and how do I apply this?


Also will my single cert work for 2 controllers?

Scott Fella Sat, 04/25/2009 - 05:51
Is this cert for guest or for management? If it is for guest, then you can use it on multiple WLCs; if it is for management, then no. The reason is that when you generated the CSR, you specified a CN which you will resolve via DNS. For management, you have a different IP address for management, so you will need one per WLC. For guest webauth, you use the VIP to resolve the CN, so you can use that on multiple WLCs.


To install the cert for management, you would click on the management tab on the wlc and then on HTTP and check Download SSL Certificate, enter the info and hit apply.


To install the cert for webauth, you would click on the Security tab, then Web Auth, then Certificate. Fill in the info and hit enter.


Hope this helps.

Starthorn Tue, 04/28/2009 - 03:13

When you say Guest and Management do you mean an interface or do you mean a type of cert?


Same for Guest. I know you can make local accounts on the controllers that are called guest accounts.


Here is what we are trying to do. When students connect to the student SSID and open up a web page, they are directed to a web page to log in (webauth) with their LDAP user name and password. Before they get to the webauth page, their computer tells them that we don't have a cert and asks if they should trust the web page, etc. We don't want this.

Scott Fella Tue, 04/28/2009 - 04:04
Then you need to generate and load an SSL cert for webauth. I use RapidSSL since they give you a root CA certificate and not a chained cert.... so much easier. Also, chained is only supported on the 5.1.151.0 and later code. You need to generate a CSR by following this link. Again, get a RapidSSL cert, and you will also need to download OpenSSL to generate the CSR. Then upload that to your WLC. The CN name you will have to resolve in DNS to get rid of that error.


On the WLC, you need to enter that DNS CN in the VIP interface. There is a spot for you to put that in. You will need to reboot your WLC after you add the CN to the VIP interface in order for it to take effect.


http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00806e367a.shtml


Win32 OpenSSL:


http://www.slproweb.com/download/Win32OpenSSL_Light-0_9_8k.exe
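The CSR step described above, as an added example that is not part of the thread: it builds the web-auth CSR with OpenSSL so that the CN is exactly the name the VIP will resolve to, then checks the CSR's CN and, once the CA returns the certificate, that the certificate really belongs to the generated key. The host name, subject fields and file paths are assumptions, not values from the posts.

```shell
#!/bin/sh
# Added example, not from the thread: create the web-auth CSR with the exact
# CN that clients will resolve to the WLC virtual interface, then check the
# CSR and the returned certificate before loading them on the controller.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Generate a 2048-bit RSA key and a CSR whose CN is the web-auth host name.
# Subject fields other than CN are placeholders; use your organisation's.
make_csr() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout "$WORKDIR/webauth.key" -out "$WORKDIR/webauth.csr" \
    -subj "/C=US/ST=State/L=City/O=Example School/OU=IT/CN=$1" \
    >/dev/null 2>&1
  echo "$WORKDIR/webauth.csr"
}

# Print the CN carried by a CSR ($1 = req) or a certificate ($1 = x509).
subject_cn() {
  openssl "$1" -in "$2" -noout -subject -nameopt RFC2253 \
    | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Return 0 if the CSR's CN equals the name that will be published in DNS.
check_csr_cn() { [ "$(subject_cn req "$1")" = "$2" ]; }

# Return 0 if the issued certificate was made from our private key, i.e. the
# RSA modulus of cert and key match; a mismatch means the wrong file came back.
cert_matches_key() {
  [ "$(openssl x509 -in "$1" -noout -modulus)" = \
    "$(openssl rsa -in "$2" -noout -modulus 2>/dev/null)" ]
}

main() {
  cn="${1:-webauth.example.edu}"   # hypothetical name; replace with yours
  csr=$(make_csr "$cn")
  check_csr_cn "$csr" "$cn" || { echo "CN mismatch in CSR" >&2; return 1; }
  echo "CSR for $cn written to $csr; submit it to the CA."
}

main "$@"
```

Run `cert_matches_key webauth.crt webauth.key` against the file the CA sends back before uploading it to the WLC; a chained certificate still needs the 5.1.151.0 or later code mentioned above.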


Starthorn Tue, 04/28/2009 - 04:18

We already have one from VeriSign. We already downloaded the cert file.


So would this go under the Security heading or the Management heading?

Scott Fella Tue, 04/28/2009 - 04:42
VeriSign is a chained cert, so you need 5.1.151 code on the WLC. You would go under the Security tab, and then there is a WebAuth tab on the left side. Check the box, fill out the info and hit apply. You will need to reboot the WLC, and don't forget to add the CN to the VIP interface.

Starthorn Tue, 04/28/2009 - 04:48

Thanks for all the help. I have another question though.


Can we use a private IP like 172.16.1.2 for the cert, or does it have to be an external IP?

Scott Fella Tue, 04/28/2009 - 05:07
You can use a private IP, but the VIP should not be on any subnet you are using on your network. Whatever the clients are using as a DNS server obtained from DHCP, you will need that DNS server to resolve that IP address.

George Stefanick Wed, 04/29/2009 - 04:51
Thanks Fella ... I didn't know that about the man. cert!

Scott Fella Wed, 04/29/2009 - 04:57
No problem.... so did you get it working?

Starthorn Wed, 04/29/2009 - 06:29

Well, I downloaded OpenSSL and I'm ready to send in my CSR. I'm getting ready to do that. I want to make sure I have the right answers in front of me so I don't void the cert.

Scott Fella Wed, 04/29/2009 - 06:35
The CN is the most important part of that... don't fat finger it!
