
download cert to the controller

Starthorn
Level 1

I have TFTP32 up pointing at C: and I'm following this to download my cert file into my 4404 controller:

>transfer download mode tftp

>transfer download datatype webauthcert

>transfer download serverip <TFTP server IP address>

>transfer download path <absolute TFTP server path to the update file>

>transfer download filename final.pem

>transfer download certpassword password

When I type transfer download start it gives me my stats:

Mode............................................. TFTP

Data Type........................................ Site Cert

TFTP Server IP................................... 172.16.1.130

TFTP Packet Timeout.............................. 6

TFTP Max Retries................................. 10

TFTP Path........................................ C:/

TFTP Filename.................................... mycert.pfx

I tell it yes but then it gives me the error: % Error: Web Authentication Certificate file transfer failed - Error from server: File not found

Anyone know what I'm doing wrong?


Lucien Avramov
Level 10

The tftp path is not C:/ but try: \

TFTP Path........................................ \/

this is what I have now. I get the error message: % Error: Web Authentication Certificate file transfer failed - Error from server: Access violation

I have the debug mode on. This is what it said

*Jul 06 16:02:53.494: Still waiting! Status = 2

*Jul 06 16:02:54.616: Locking tftp semaphore, pHost=172.16.1.130 pFilename=\/mycert.pfx

*Jul 06 16:02:54.617: Semaphore locked, now unlocking, pHost=172.16.1.130 pFilename=\/mycert.pfx

*Jul 06 16:02:54.617: Semaphore successfully unlocked, pHost=172.16.1.130 pFilename=\/mycert.pfx

*Jul 06 16:02:54.619: TFTP: Binding to local=0.0.0.0 remote=172.16.1.130

*Jul 06 16:02:54.623: tftp rc=1, pHost=172.16.1.130 pFilename=\/mycert.pfx

pLocalFilename=cert.p12

*Jul 06 16:02:54.624: RESULT_STRING: % Error: Web Authentication Certificate file transfer failed - Error from server: Access violation

*Jul 06 16:02:54.624: RESULT_CODE:12

*Jul 06 16:02:54.624: ummounting: cwd = /mnt/application

*Jul 06 16:02:54.658: finished umounting

% Error: Web Authentication Certificate file transfer failed - Error from server: Access violation

Oops, for TFTP it's /

That worked better but it's still not totally working. It now gives me

Error installing certificate.

I looked at the debug and this looks the most fishy

*Jul 06 16:15:18.869: sshpmDecodePrivateKey: private key decode failed...

*Jul 06 16:15:18.869: sshpmAddWebauthCert: key extraction failed.

*Jul 06 16:15:18.869: RESULT_STRING: Error installing certificate.

I'm copying and pasting the key/password from a text file. The same text file I copied and pasted from when I did my CSR. It can't be wrong.

Did you follow :

http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00806e367a.shtml

You have to combine the key and the cert into one file.

Also what code of controller are you running ?

Also, I don't think WLC does not have the functionality to proxy communication of a chain certificate with a root certificate authority server. In order to host a chain certificate you must be a root certificate authority server and not a chain certificate.

I have the latest version of WLC and I did read that doc. When I tried to combine the files it gave me an error about the passwords again. Do you know if there are any characters that are not allowed to be used in the password?

After that doc not working for me we contacted the CA and they gave us steps to make the cert file with IIS. They never said how to get the cert on the controller so I went back to that document.

The password should match the one that was used to generate the cert (-passout value in openssl). I have not seen issues with using a special character password.

Also your file is pfx, most of the time we see .pem files. My guess is that is used by IIS.

If you are using a third party cert, you should use : webadmincert instead of webauthcert :

>transfer download datatype webadmincert

What's the difference between the two? I thought the webadmin would cert the logging in of the admin to configure the controller. I'm wanting it for webauth.

I'm looking in my controller via the HTML interface. Under Security, webauth, certificate you can enter almost the same information. Is this another way of doing it?

I did use IIS BTW.

Convert the certificate from .pfx to .pem format using OpenSSL. WLC is not supporting .pfx cert format.

jicr, can you write the specific command I need to type into OpenSSL to convert the file?

pkcs12 -in MYCERTS.pfx -out MYCERTS.pem

this is what I get

Enter Import Password:

Mac verify error: invalid password?

error in pkcs12

which password is it looking for? The one I made during my CSR ? The one I had to type into the verisign website to get them to send me the cert or the one I used to export the cert in IIS. In each case I used the same password.
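The conversion discussed in this thread, as an added example that is not part of any original post: `Enter Import Password` in `openssl pkcs12 -in` asks for the password protecting the .pfx itself (the one set when the file was exported), and the script checks that the resulting PEM holds a decryptable private key matching the certificate before it is handed to the controller. The key, certificate, hostname, file locations and both passwords are constructed for the demo.

```shell
#!/usr/bin/env bash
# Added example: every key, cert and password here is constructed, not from the thread.
set -eu

WORK=$(mktemp -d)
EXPORT_PW='export-pw-constructed'  # password chosen when the .pfx was exported
PEM_PW='pem-pw-constructed'        # password later given to "transfer download certpassword"
# "pass:" arguments keep the demo non-interactive; type passwords at the prompt for real keys.

# Build a throwaway key + self-signed cert and bundle them as a .pfx,
# standing in for the file exported from IIS.
make_sample_pfx() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=wlc.example.test' \
    -keyout "$WORK/key.pem" -out "$WORK/cert.pem" 2>/dev/null
  openssl pkcs12 -export -inkey "$WORK/key.pem" -in "$WORK/cert.pem" \
    -out "$WORK/mycert.pfx" -passout "pass:$EXPORT_PW"
}

# Convert .pfx -> .pem. -passin is the PKCS#12 (export) password;
# -passout encrypts the private key written into the PEM.
pfx_to_pem() {  # usage: pfx_to_pem <import-password>
  openssl pkcs12 -in "$WORK/mycert.pfx" -out "$WORK/final.pem" \
    -passin "pass:$1" -passout "pass:$PEM_PW" 2>/dev/null
}

# True only if the PEM's private key decrypts with PEM_PW and its public half
# equals the public key in the certificate stored in the same file.
pem_key_matches_cert() {
  key_pub=$(openssl pkey -in "$WORK/final.pem" -passin "pass:$PEM_PW" -pubout 2>/dev/null | openssl sha256)
  crt_pub=$(openssl x509 -in "$WORK/final.pem" -noout -pubkey 2>/dev/null | openssl sha256)
  [ -n "$key_pub" ] && [ "$key_pub" = "$crt_pub" ]
}

make_sample_pfx
# A wrong import password fails here, at the PKCS#12 MAC check.
if pfx_to_pem 'wrong-password'; then echo "unexpected: wrong password accepted"; fi
pfx_to_pem "$EXPORT_PW" && pem_key_matches_cert \
  && echo "final.pem: key decrypts and matches certificate"
```
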
