
applying ssl certificates to the 4404 controller

Starthorn
Level 1

How is this done? We bought a certificate file and have 2 4404 controllers.

Where do I go to apply this and how do I apply this?

Also will my single cert work for 2 controllers?

12 Replies

Scott Fella
Hall of Fame

Is this cert for guest or for management? If it is for guest, then you can use it on multiple wlc, if it is for management, then no. The reason is that when you generated the CSR, you specified a CN which you will resolve via DNS. For management, you have different ip address for management, so you will need one per wlc. For guest webauth, you use the VIP to resolve the CN so you can use that on multiple wlc's.

To install the cert for management, you would click on the management tab on the wlc and then on HTTP and check Download SSL Certificate, enter the info and hit apply.

To install the cert for webauth, you would click on Security tab, then Web Auth then certificate. Fill in the info and hit enter.

Hope this helps.

-Scott
*** Please rate helpful posts ***

When you say Guest and Management do you mean an interface or do you mean a type of cert?

Same for Guest. I know you can make local accounts on the controllers that are called guest accounts.

Here is what we are trying to do. When students connect to the student SSID and open up a web page they are directed to a web page to login (webauth) with LDAP User name and pass. Before they get to the webauth page their computer tells them that we don't have a cert and asks if they should trust the web page etc. We don't want this.

Then you need to generate and load an ssl cert for webauth. I use RapidSSL since they give you a root ca certificate and not a chained cert.... so much easier. Also chained is only supported on the 5.1.151.0 and later code. You need to generate a CSR by following this link. Again, get a RapidSSL cert and also you will need to download OpenSSL to generate the CSR. Then upload that to your WLC. The CN name you will have to resolve in DNS to get rid of that error.

On the WLC, you need to enter that DNS CN in the VIP interface. There is a spot for you to put that in. You will need to reboot your wlc after you add the CN to the VIP interface in order for it to take place.

http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00806e367a.shtml

Win32 OpenSSL:

http://www.slproweb.com/download/Win32OpenSSL_Light-0_9_8k.exe

-Scott
*** Please rate helpful posts ***

We already have one from VeriSign. We already downloaded the cert file.

So would this go under the security heading or the management heading?

VeriSign is a chained cert, so you need 5.1.151 code on the WLC. You would go under the Security tab and then there is a WebAuth tab on the left side. Check the box and fill out the info and hit apply. You will need to reboot the wlc and don't forget to add the CN to the VIP interface.

-Scott
*** Please rate helpful posts ***

Thanks for all the help. I have another question though.

Can we use a private IP like 172.16.1.2 for the Cert or does it have to be external ip?

You can use a private ip, but the VIP should not be on any subnet you are using on your network. Whatever the clients are using as a dns obtained from dhcp, you will need that dns server to resolve that ip address.

-Scott
*** Please rate helpful posts ***

Thanks Fella ... I didn't know that about the man. cert!

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________

No problem.... so did you get it working?

-Scott
*** Please rate helpful posts ***

Well, I downloaded OpenSSL and I'm ready to send in my CSR. I'm getting ready to do that. I want to make sure I have the right answers in front of me so I don't void the cert.

The CN is the most important part of that... don't fat finger it!

-Scott
*** Please rate helpful posts ***
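
The CSR step discussed in the replies above, as an added example that is not part of the thread or of Cisco's documentation: it generates a key and CSR with OpenSSL and checks that the CN stored in the CSR is exactly the name you plan to enter on the virtual interface, before the CSR goes to the CA. The hostname `guest.example.edu`, the other DN values, the file names and the 2048-bit key size are assumptions.

```shell
#!/bin/sh
# Added example: build a CSR for the WLC web-auth certificate and confirm its CN
# before submitting it. Hostname and DN values are constructed placeholders.

# make_csr <cn> <outdir>: writes <outdir>/wlc.key and <outdir>/wlc.csr
make_csr() {
    cn=$1; dir=$2
    # Answer the CSR prompts from a file so the CN is never typed by hand twice.
    cat > "$dir/req.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
C = US
O = Example University
CN = $cn
EOF
    ( umask 077   # private key readable by its owner only
      openssl req -new -newkey rsa:2048 -nodes -config "$dir/req.cnf" \
          -keyout "$dir/wlc.key" -out "$dir/wlc.csr" )
}

# csr_cn <csr>: prints the commonName stored in the CSR
csr_cn() {
    openssl req -in "$1" -noout -subject -nameopt multiline |
        sed -n 's/^ *commonName *= *//p'
}

# check_csr <csr> <expected-cn>: returns 0 only if the CSR's self-signature
# verifies and its CN matches the expected name exactly
check_csr() {
    # Match on the message: older OpenSSL exits 0 even when verification fails.
    openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK' ||
        { echo "CSR self-signature did not verify"; return 1; }
    got=$(csr_cn "$1")
    [ "$got" = "$2" ] || { echo "CN mismatch: got '$got', want '$2'"; return 1; }
    echo "CSR OK: CN=$got"
}

# Usage (not run automatically):
#   mkdir csr && make_csr guest.example.edu csr && check_csr csr/wlc.csr guest.example.edu
```

Keep `wlc.key` with the CSR; the issued certificate is only usable together with the private key it was requested for.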