certificate in WLC

Aug 25th, 2010

Hi All,

There are several different kinds of certificates in the WLC, and I'm a bit confused. Is there any document that summarizes them? For example, can some of them share the same cert?

1. HTTPS has an SSL cert (CN=169.254.1.1)

2. Web-Auth has an SSL cert (CN=1.1.1.1)

3. LSC (X.509 cert)

4. IPSec CA cert

5. IPSec ID Cert

I guess 1 and 2 can share the same SSL cert, but I don't know what the CN should look like when generating the CSR for the CA (Web-Auth should use the virtual gateway IP, HTTPS should use the management IP).

Thanks for any input!

BRYN JONES Wed, 09/01/2010 - 07:02

Hi

We retain the Cisco certificate for use on the HTTPS admin interface.

We install a 3rd party cert for use on our web authentication:

http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a0080a77592.shtml

We have the 3rd party cert tied to a hostname, which resolves to 1.1.1.1 currently, so as and when someone eventually uses 1.1.1.1 as a publicly routable address, we can just do a quick DNS change and we will be unaffected.

bbxie Wed, 09/01/2010 - 16:28

Thanks for the info, my friend!

From our field engineer's feedback, the HTTPS cert for admin and the Web-Auth cert can share the same SSL cert. The condition is to create a record in the local DNS server in which one DNS name maps to two IP addresses (the Virtual Gateway IP and the WLC Management IP), then use this DNS name as the CN to generate the SSL cert. Currently there's no bug or potential risk found. Everything works fine.

For the other 3 kinds of certs, it seems they can't be shared. LSC is for regenerating the AP/WLC X.509 cert (mutual auth during the join process); I have never tested it and don't know how it behaves. The IPSec cert seems to be usable in:

1. Radius connection (not tested, don't know which Radius server can support IPSec)

2. Secure Mobility (UDP 16667)

3. VPN termination in the WLAN profile (it seems only very old versions support it, 4.0, etc.)

Anyway, it seems a lot of certs are needed, and customers are not happy about it since they have to pay more money.
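The sharing approach described in this reply works because a browser validates the name it connected with (CN, or subjectAltName when present) rather than the IP address the name happened to resolve to. The following Python script is an added example, not code from the thread or from Cisco: it models certificates in the structure that Python's `ssl.getpeercert()` returns, applies the usual browser name-matching rules (SAN overrides CN; a single leftmost-label wildcard), and reports which access names each certificate would validate for. The IP addresses are the ones quoted above; the hostname `wlc.example.com` is a constructed placeholder.

```python
"""Check which access names a WLC certificate will validate for.

Added example (not from the thread or from Cisco). Certificates below are
constructed in the shape returned by ssl.getpeercert(); only the two IPs
come from the thread, the hostname is a placeholder.
"""
import ipaddress

DEFAULT_WEBAUTH_CERT = {            # factory web-auth cert: CN only, no SAN
    "subject": ((("commonName", "1.1.1.1"),),),
}
DEFAULT_HTTPS_CERT = {              # factory HTTPS admin cert: CN only, no SAN
    "subject": ((("commonName", "169.254.1.1"),),),
}
SHARED_CERT = {                     # one 3rd party cert for both services
    "subject": ((("commonName", "wlc.example.com"),),),
    "subjectAltName": (("DNS", "wlc.example.com"),),
}


def _is_ip(value):
    """True if value parses as an IPv4/IPv6 literal."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def _dns_match(pattern, host):
    """RFC 6125 style DNS match: case-insensitive, one leftmost-label wildcard."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    # Wildcard must be the whole leftmost label and must not cover a bare TLD.
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_matches(cert, host):
    """Return True if `host` (DNS name or IP literal) is valid for `cert`."""
    sans = cert.get("subjectAltName", ())
    if sans:
        # With a SAN extension present, browsers ignore the CN entirely.
        for kind, value in sans:
            if kind == "DNS" and not _is_ip(host) and _dns_match(value, host):
                return True
            if (kind == "IP Address" and _is_ip(host)
                    and ipaddress.ip_address(value) == ipaddress.ip_address(host)):
                return True
        return False
    # Legacy fallback: no SAN, so compare against the CN (exact for IP literals).
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value == host if _is_ip(host) else _dns_match(value, host)
    return False


def validation_report(cert, hosts):
    """Map each access name to whether `cert` would validate for it."""
    return {h: hostname_matches(cert, h) for h in hosts}


if __name__ == "__main__":
    hosts = ["169.254.1.1", "1.1.1.1", "wlc.example.com"]
    for label, cert in [("default HTTPS", DEFAULT_HTTPS_CERT),
                        ("default web-auth", DEFAULT_WEBAUTH_CERT),
                        ("shared 3rd party", SHARED_CERT)]:
        print(f"{label:18s} {validation_report(cert, hosts)}")
```

The report shows the practical condition behind the shared-cert setup: each factory certificate validates only for its own IP literal, while the shared certificate validates for both services only when clients reach them by the DNS name, never by 169.254.1.1 or 1.1.1.1, since it carries no IP entries.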
