jeensernchew Thu, 05/13/2010 - 04:50

Hi Nael, thanks for your previous reply.

I tried that guide that you gave me but have issues with tyring to upload the cert to the WLC. It gets the cert fine from the TFTP server but always ends up with "error installing certificate". My cert is from Verisign and I was given both in PKCS#7 and X509 format. On that guide I followed the link to chained certificates as the cert I got needs an Intermediate and CA cert.

Is it right to use the X509 cert in openssl? PKCS#7 throws an error in openssl.

I can't figure out why the WLC keeps coming up with the error. The hostnames are right. No problem with the private key password. Time of the WLC is right.

jeensernchew Thu, 05/13/2010 - 17:39

I tried turning on debug and this is what I got.

TFTP Webadmin cert transfer starting.
*May 14 10:16:32.644: sshpmDecodePrivateKey: private key decode failed...

*May 14 10:16:32.644: sshpmAddWebadminCert: key extraction failed.

Error installing certificate.

In this guide,,

openssl>pkcs12 -export -in All-certs.pem -inkey mykey.pem -out All-certs.p12 -clcerts -passin pass:check123 -passout pass:check123

I am assuming this command binds the cert signed by the CA and my private key and export it to a PKCS12 format?

openssl>pkcs12 -in All-certs.p12 -out final-cert.pem -passin pass:check123 -passout pass:check123

Then this one converts PKCS12 into PEM format for the WLC?

I did get a chained certificate from Verisign so I have followed the chained guide and added the Intermediate and CA certificate before binding it to the key.

I then followed this guide "Determine if your public key and private keys match using OpenSSL" and both they modulus match.

Nael Mohammad Thu, 05/13/2010 - 19:49

What happens when you try to added from the controller itself ?

1. Login to WLC

2. Go to Security --> Advanceced --> IP Sec Certificates ---> CA Certificates

3. Paste the certificate in ASCII text in to the box on that page and Apply .

If it fails, post a screenshot along with the WLC version you are running.  I will try to recreate it in our lab.

jeensernchew Thu, 05/13/2010 - 22:32

Hi Nael,

Thanks for your reply.

2. Go to Security --> Advanceced --> IP Sec Certificates ---> CA Certificates, do you mean ID Certificate? I can upload the CA certificate using that method, downloading from TFTP using Web Gui and downloading from TFTP using CLI fine. The only problem is I can't download the deivce certificate. I tried going to ID certificate and paste it, I did not get a screen shot because it is just an error message "Error in creating certificate" just like the other methods I used stated in previous post.

Do I have the wrong format of device cert? I tried using X509 both chained(CA and Intermediate CA added) and unchained.

As the WLC can't generate its own CSR, I have followed the guide from Cisco and used OpenSSL to create the CSR and then bind the private key to the certificate that has been signed by the CA(Verisign).

In another scenario, I used OpenSSL to create a CSR for WCS too. WCS can generate its own CSR using keyadmin but does not support certain feature, so I ended up using OpenSSL. Keyadmin can bind the signed certificate by CA together with the private key. I used keyadmin and it works find with WCS. That can safely isolate that the problem is cause by the certificate from Verisign.

stewart.lear Tue, 06/08/2010 - 02:32

I am also having exactly the same issue with a certificate from Thawte.  I followed the unchained guide and have tried both with and without a password in the initial step key generation step, requesting a new cert each time. As with Jeensernchew's issue there are no errors in OpenSSL but when uploading the cert to the WLC get the following error.

*Jun 04 10:51:07.789: sshpmAddWebauthCert: extractingprivate key from webauth cert; pwd: .

*Jun 04 10:51:07.793: sshpmDecodePrivateKey: private keydecode failed...

*Jun 04 10:51:07.793: sshpmAddWebauthCert: key extractionfailed.

The WLC is running version  I am using OpenSSL 1.0.0 29 Mar 2010.

When I requested the cert from Thawte I was asked to specify the device type, I chose Cisco, but as all the work and conversion is being done by OpenSSL, should I have chosen differently?

WaynePlotkin Wed, 06/09/2010 - 08:45

I had a similar problem and this is what I found fixed it.

  1. The OpenSSL versions available from do not create a final.pem that work with the wireless controller.
  2. I downloaded OpenSSL using this link and installed into C:\OpenSSL (It tries to install to program files, install location doesn't matter I just like it on the root of C)
  3. I then followed all of the steps outline on
  4. Uploaded the final.pem file and it install without any problems.
  5. My Cert was purchased from RapidSSL I don't know if that matters or not.

This was a renewal cert, so it was my second time install a cert to my wireless controller and I made the mistake of not keeping my original copy of OpenSSL that worked for me the first time.

stewart.lear Wed, 06/09/2010 - 10:23

Thank you for your advice.

I have done some playing around and have found the solution to my problem, hopefully it will help the others as well.

The issue seems to be the format of the final PEM file being uploaded.

The controller seems to be expecting a file in the following format..


Device cert



Intermediate cert



Root Cert



Proc-Type: 4,ENCRYPTED



But the version of OpenSSL I was using ended up in this format....

Bag Attributes


Device Cert


Bag Attributes:


Intermediate Cert


Bag Attributes:


Root Cert


Bag Attributes


Private key


So using the command OpenSSL>rsa -in mykey.pem -des3 -out keyout.pem

I encrypted the private key using Triple DES, it prompted for a passphrase.

I did not then run the pkcs12 commands, but combined the certs and key myself.

Creating a new file in notepad I pasted the X509 certs from Thawte, followed by the contents of keyout.pem in the format..


Device cert



Intermediate cert



Root Cert



Proc-Type: 4,ENCRYPTED



I saved the file as final.pem

Setting the certpassword parameter as the pass phrase used in the DES3 encryption.

The upload then worked as expected.

I'm guessing the issue is down to a different version of OpenSSL being used.

Hopefully this will work for others as well.

Josh Lowe Thu, 07/29/2010 - 13:16

Stewar Lear, you sir, are a genius!  I spent the better part of an afternoon trying to get my WLC to accept my certificate following every document I could find from Cisco.  I finally found your post, generated the RSA key and created the PEM file manually.  When I (successfully!) uploaded it and reloaded my WLC everything worked as expected!

Thanks for saving my sanity!
Tim Schneider Fri, 02/01/2013 - 03:21

Stewar Lear, you are a god among men.

After days of fighting with this piece of... magnificient, nontelling error messages and dealing with more .cers and .pems I will ever again, it finally worked. I had to -rsa the mykey.pem and copypasta my own final.pem.

Figures the problem was, that the key wasn't really encrypted which the WLC DEMANDS IT TO BE BUT IS NOWHERE MENTIONED IN THE OUTDATED GUIDE.

And 2nd OpenSSL 1.0 added stuff like

Bag Attributes

    localKeyID: 2D C6 A6 C9 3E 77 D5 D6 74 40 9B F8 12 0D F2 E8 9F 45 05 99



before and inbetween the Certificate and Key in the final.pem, which is clearly no valid .pem format for the nitpicky WLC.

So thanks again!!!

Marcel Verbrugg... Fri, 05/24/2013 - 03:30

You are a genius indeed. I was also struggling for the best part of a day to get this to work.

Your method worked like a charm.

It really helps to know that the WLC is really picky about the pem format it accepts.

sayrmatics Fri, 06/18/2010 - 08:08


verisign stopped issuing unchained certificates since 2006 and irrespective of which of the cisco procedures for generating csrs you follow (chained or unchained, which are the same btw) you will receive the same certificate from verisign. i had problems with my verisign certificates on 5508 controllers too earlier but that is all fixed now. here is how i went about it:

1. i downloaded openssl, generated the csr and submitted to verisign.

2. i copied the digital certificate from verisign in x509 format.

3. i downloaded the root CA certs and intermediate cert files from verisign for the type of certificate we ordered (secure server g2)

4. i combined the files as per cisco instruction and converted to .pem using openssl.

5. i downloaded the cert file to the wlc via cli and reset the controllers.

you can post the results of the following debugs for more descriptive leads:

debug packet error enable

debug transfer all


jeensernchew Thu, 07/29/2010 - 16:52

Hey guys,

After troubleshooting this with a TAC, we found out that Chained Certificates is not supported on the WLC till today. Not even on the latest version 7.0. I think I managed to upload the chained certificate successfully once but it still wouldn't work. It is a bug and still hasn't been resolved for Chained Certificates.

ronaking Wed, 10/06/2010 - 09:22

up to Level 2 Chained certificates are supported on WLCs running 5..1.151.0 or later code

Certificate Levels

  • Level 0—Use of only a server certificate on WLC.

  • Level 1—Use of server certificate on WLC and a CA root           certificate.

  • Level 2—Use of server certificate on WLC, one single CA intermediate           certificate, and a CA root certificate.

  • Level 3—Use of server certificate on WLC, two CA intermediate           certificates, and a CA root certificate. Level 3 or higher is not supported on           WLCs.

Changes have been made in openssl version 1.0.x which is not backwards compatible with previous versions of openssl.

So if you are using openssl version 1.0.x to create the final-cert.pem, this will not be supported with the WLC.

If you use openssl version 0.9.8, then you will be able to build the final-cert.pem and be able to load it on the WLC.

The following product enhancement request (PER) has been created for the WLC. - Need Support for certificates generated using OpenSSL v 1.0


This Discussion

Related Content



Trending Topics - Security & Network