We've got an anchor controller inside a DMZ. The default gateway for the clients is the virtual interface (in this case 220.127.116.11). Because it is an HTTPS site, the clients have to accept the certificate manually (we all know these problems...).
I work with the internal DHCP scope and also give them some DNS servers from the Internet.
Any idea how to get this certificate installed? I've read that the virtual IP (18.104.22.168) has to have a DNS entry (in this case on the Internet DNS). That's pretty bad, because we have several anchors in several countries, all working with 22.214.171.124. And also, is this virtual IP reachable from the Internet to perform a DNS lookup?
It would be great if someone has an idea or has already had some experience with this.
The reason the Virtual Interface needs an IP address is because a certificate can't be issued to an IP address; it's issued to the FQDN. I have a client that is international where I set this up, and I had to get their external DNS host (since they didn't have a DNS server in their DMZ) to add a host entry for each of the controllers. For example: WiSM1a.someplace.com was pointed to 126.96.36.199, WiSM1b.someplace.com was pointed to 188.8.131.52, etc. You get the general idea. Then you need to take the actual device certificate and the intermediate chain certificate and combine them into the WLC's required Certificate Package. This issue is a lot easier to resolve if you have a DNS server in your DMZ that you control.
Hope this helps. Please rate useful posts.
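The packaging step from the answer above, as an added example that is not code from the thread. It builds a constructed test PKI (root, intermediate, device cert for the FQDN) so it runs offline, combines the device certificate, the intermediate chain and the private key into one PEM package, and checks the result the way a client will: the first certificate chains to the root and carries the FQDN that DNS maps to the virtual-interface IP, and the packaged key matches it. The package order (device cert, intermediate, root, key attached through a PKCS#12 round trip with an export password) is my assumption of the controller's expected format; the FQDN reuses the WiSM1a.someplace.com name from the answer and the password is a placeholder.

```shell
#!/bin/sh
# Added example, not code from the thread. Builds the chained web-auth
# certificate package for one anchor controller and checks it before upload.
# Assumed (not stated in the thread): package order device cert, intermediate,
# root, with the key attached via a PKCS#12 round trip and an export password;
# the FQDN and password used below are placeholders.
set -eu

# Constructed test PKI (root -> intermediate -> device cert) so this runs offline.
# In production: dev.key is the key behind your CSR, dev.pem the cert the CA
# issued, int.pem/root.pem come from the CA's bundle.
gen_test_chain() {   # $1 = work dir, $2 = FQDN that DNS maps to the virtual-interface IP
  d=$1; fqdn=$2
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' >"$d/ca.ext"
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Test Root CA" \
    -keyout "$d/root.key" -out "$d/root.csr" 2>/dev/null
  openssl x509 -req -days 3650 -in "$d/root.csr" -signkey "$d/root.key" \
    -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Test Intermediate CA" \
    -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
  openssl x509 -req -days 1825 -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -extfile "$d/ca.ext" -out "$d/int.pem" 2>/dev/null
  # The device cert is issued to the FQDN (CN and SAN), never to the virtual IP.
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$fqdn" >"$d/dev.ext"
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$fqdn" \
    -keyout "$d/dev.key" -out "$d/dev.csr" 2>/dev/null
  openssl x509 -req -days 730 -in "$d/dev.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
    -CAcreateserial -extfile "$d/dev.ext" -out "$d/dev.pem" 2>/dev/null
}

build_package() {    # $1 = work dir with dev.pem int.pem root.pem dev.key, $2 = export password
  d=$1; pw=$2
  # Order matters: device cert first, then the intermediate(s), then the root.
  cat "$d/dev.pem" "$d/int.pem" "$d/root.pem" >"$d/chain.pem"
  # Attach the private key by exporting to PKCS#12 ...
  openssl pkcs12 -export -in "$d/chain.pem" -inkey "$d/dev.key" \
    -out "$d/package.p12" -passout "pass:$pw" 2>/dev/null
  # ... and converting back: one PEM with the chain plus the encrypted key.
  # This file and the same password are what get loaded on the controller.
  openssl pkcs12 -in "$d/package.p12" -out "$d/final.pem" \
    -passin "pass:$pw" -passout "pass:$pw" 2>/dev/null
}

verify_package() {   # $1 = work dir, $2 = FQDN clients are redirected to, $3 = export password
  d=$1; fqdn=$2; pw=$3
  # 1. The first cert in the package must be the device cert, chain to the root
  #    through the intermediate, and carry the FQDN the clients will see.
  openssl x509 -in "$d/final.pem" -out "$d/leaf.pem" 2>/dev/null || return 1
  openssl verify -CAfile "$d/root.pem" -untrusted "$d/int.pem" \
    -verify_hostname "$fqdn" "$d/leaf.pem" >/dev/null 2>&1 || return 1
  # 2. The packaged key must belong to the packaged device cert.
  cert_pub=$(openssl x509 -in "$d/final.pem" -noout -pubkey | openssl sha256)
  key_pub=$(openssl pkey -in "$d/final.pem" -passin "pass:$pw" -pubout | openssl sha256)
  [ "$cert_pub" = "$key_pub" ]
}

check_vip_dns() {    # $1 = FQDN, $2 = virtual-interface IP (needs a resolver; not run offline)
  # Clients match the cert name against the name they were redirected to, so the
  # FQDN must resolve, from the client's resolver, to the virtual-interface IP.
  getent hosts "$1" | awk '{ print $1 }' | grep -qx "$2"
}

# Usage: sh wlc-package.sh wism1a.someplace.com [password]  -> prints the package path
if [ "${1:-}" != "" ]; then
  W=$(mktemp -d)
  gen_test_chain "$W" "$1"
  build_package "$W" "${2:-check123}"
  verify_package "$W" "$1" "${2:-check123}" && echo "package OK: $W/final.pem"
fi
```

The hostname check in `verify_package` is the one that matters for the symptom in the question: a package whose device certificate does not carry the FQDN the client was redirected to (or a redirect to the bare virtual IP, which no public CA will put on a certificate) is exactly what produces the manual "accept this certificate" prompt. `check_vip_dns` is the other half of the answer above: every anchor's FQDN has to resolve, on whatever DNS the guest clients are handed, to that anchor's virtual-interface address, which is why a DNS server you control in the DMZ makes this simpler.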