[Q] How do you generate and install a signed SSL certificate for management of a Cisco 5508 WLC?

Answered Question
Mar 10th, 2011

Our Security Policy requires all web admin pages to be signed by our corporate Certificate Authority. I have successfully implemented a 3rd party SSL certificate for the Web Auth of our Guest WLAN but I need to install a signed certificate for the Management of the WLC itself. I have followed the instructions here:

http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00806e367a.shtml

but this was more useful for Web Auth. I can't find a specific document explaining how it should be done for the Management interface.

Any help greatly appreciated.

Nicolas Darchis Thu, 03/10/2011 - 22:35

"Management" menu on the WLC GUI.

=> HTTP

At the bottom of the page you have "Download SSL Certificate". That's how you download it.

Note that unfortunately, chained certificates are still not supported for the management interface, so your clients will have to trust the issuer of the WLC management cert directly; no intermediates allowed.

From there, it should be a simple creation of a certificate for role "web server".

Nicolas

pmchandler Fri, 03/11/2011 - 03:57

Thanks Nicolas,

Here are the exact steps I took to complete this process. I don't have step-by-step instructions for the actual certificate signing part using Microsoft Certificate Services but I can supply those if needed. As you can see, once the certificate is generated, signed and then TFTP'd onto the box, it says File Transfer Failed. I know the file physically transferred successfully as the logs on my TFTP server hosting the signed cert show the file transfer was successful. Can you see what might be going wrong?

===Generate a CSR using OpenSSL===

1. Install OpenSSL from here:

http://downloads.sourceforge.net/project/gnuwin32/openssl/0.9.8h-1/openssl-0.9.8h-1-setup.exe?use_mirror=voxel

2. Open a command prompt and go to C:\openssl\bin and execute openssl.exe

C:\>cd openssl
C:\OpenSSL>cd bin
C:\OpenSSL\bin>openssl

3. Generate a 1024 bit CSR (For Web Auth, it must be 2048 if requiring an Extended Validation certificate)

OpenSSL> req -new -newkey rsa:1024 -nodes -keyout wlc-key.pem -out wlc-csr.pem
Loading 'screen' into random state - done
Generating a 2048 bit RSA private key
..................+++
................................................................+++
writing new private key to 'wlc-key.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:GB
State or Province Name (full name) [Some-State]:State
Locality Name (eg, city) []:City
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Company
Organizational Unit Name (eg, section) []:Department
Common Name (eg, YOUR name) []:wlc
Email Address []:email@address.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
OpenSSL>

You will now have one csr file and one key file generated in the C:\openssl\bin directory:

wlc-csr.pem
wlc-key.pem

===Sign the CSR file using your Corporate CA===

At this point, we sent it to our Microsoft Certificate Services administrator who signed the certificate using the standard Web Server certificate template and returned a wlc-signed.cer certificate file.

===Upload Signed Certificate to WLC===

Place certificate in a TFTP accessible location

Go to WLC > Management > HTTP

On the HTTP Configuration page, check the Download SSL Certificate check box

In the Server IP Address field, enter the IP address of the TFTP server.

In the Maximum Retries field, enter the maximum number of times that the TFTP server attempts to download the certificate e.g. 10

In the Timeout field, enter the amount of time (in seconds) that the TFTP server attempts to download the certificate e.g. 6

In the Certificate File Path field, enter the directory path of the certificate. If the path is in the root of the TFTP server folder then enter /

In the Certificate File Name field, enter the name of the certificate (wlc-signed.cer).

(Optional) In the Certificate Password field, enter a password to encrypt the certificate. - I left this blank

Click Apply to commit your changes.

A pop up will appear saying "Are you sure you want to download Certificates from the specified Server?". Click OK

At the bottom of the screen it says "File transfer operation started"

After a few seconds, it then says "File transfer failed!"

--- I did not get to complete the remaining instructions due to transfer failure ---

Click Save Configuration to save your changes.

To reboot the controller for your changes to take effect, choose Commands > Reboot > Reboot > Save and Reboot.

Correct Answer
Nicolas Darchis Fri, 03/11/2011 - 04:08

1) Please use a password. Blank passwords regularly give problems.

2) You didn't recombine the key with certificate before uploading to the WLC:

  • Combine the CA.pem certificate with the private key, and then convert the file to a .pem file.

    Issue this command in the OpenSSL application:

    openssl>pkcs12 -export -in CA.pem -inkey mykey.pem -out CA.p12 -clcerts -passin pass:check123 -passout pass:check123

    !--- This command should be on one line.

    openssl>pkcs12 -in CA.p12 -out final.pem -passin pass:check123 -passout pass:check123

    Note: In this command, you must enter a password for the parameters -passin and -passout. The password that is configured for the -passout parameter must match the certpassword parameter that is configured on the WLC. In this example, the password that is configured for both the -passin and -passout parameters is check123. Step 4 of the procedure in the Download the Third-Party Certificate to the WLC section of this document discusses the configuration of the certpassword parameter.

    The final.pem is the file that is transferred via TFTP to the Cisco WLC.

    Now that you have the certificate from the third-party CA, you need to download the certificate to the WLC.
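Added example (my own script, not code from the thread or from Cisco's document) that runs pmchandler's CSR procedure and Nicolas's recombine step end to end in a scratch directory, then checks the bundle before it goes anywhere near a TFTP server. It assumes a POSIX shell with openssl on PATH, substitutes a constructed self-signed test CA for the corporate Microsoft CA, and takes the password check123 and the file names from the thread.

```shell
#!/bin/sh
# Added example, not code from the thread or from Cisco's document: runs the
# whole key -> CSR -> signed cert -> PKCS#12 -> PEM chain in a scratch directory
# and checks the bundle before it goes anywhere near a TFTP server. A constructed
# self-signed test CA stands in for the corporate CA; the password check123 and
# the file names are taken from the thread.
set -eu

build_wlc_bundle() (
    pw="${1:-check123}"   # must equal the WLC "Certificate Password" field
    work=$(mktemp -d) && cd "$work"

    # 1. Controller key and CSR, non-interactively (-subj replaces the prompts).
    openssl req -new -newkey rsa:2048 -nodes -keyout wlc-key.pem -out wlc-csr.pem \
        -subj "/C=GB/O=Company/OU=Department/CN=wlc" 2>/dev/null

    # 2. Stand-in corporate CA (constructed). In production, wlc-csr.pem goes to
    #    the CA administrator instead and wlc-signed.cer comes back.
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 30 -keyout ca-key.pem \
        -out ca.pem -subj "/CN=Test Corporate CA" 2>/dev/null
    openssl x509 -req -in wlc-csr.pem -CA ca.pem -CAkey ca-key.pem -CAcreateserial \
        -days 30 -out wlc-signed.cer 2>/dev/null

    # 3. The step the thread forgot: recombine key and certificate. The -passout
    #    of the second command is the password the WLC uses to unlock the key.
    openssl pkcs12 -export -in wlc-signed.cer -inkey wlc-key.pem -out wlc.p12 \
        -passout "pass:$pw"
    openssl pkcs12 -in wlc.p12 -out final.pem -passin "pass:$pw" -passout "pass:$pw"

    # 4. Pre-upload checks: both objects present, the key is encrypted and the
    #    password really opens it, and the cert chains directly to the CA (the
    #    management interface does not accept intermediates).
    grep -q "BEGIN CERTIFICATE" final.pem
    grep -q "BEGIN ENCRYPTED PRIVATE KEY" final.pem
    openssl pkey -in final.pem -passin "pass:$pw" -noout
    sed -n '/BEGIN CERTIFICATE/,/END CERTIFICATE/p' final.pem > bundle-cert.pem
    openssl x509 -in bundle-cert.pem -noout -subject | grep -q "CN *= *wlc"
    openssl verify -CAfile ca.pem bundle-cert.pem >/dev/null

    echo "$work/final.pem"   # the file to place on the TFTP server
)

build_wlc_bundle "${1:-check123}"
```

The printed path is the final.pem to copy to the TFTP server; the password given as the first argument is the one to type into Management > HTTP > Certificate Password on the WLC.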

pmchandler Fri, 03/11/2011 - 05:58

Thanks Nicolas, that worked. I can't believe I forgot the steps to combine the private key with the signed certificate! I did do all this previously for the Web Auth certificate without problem, just forgot about this part on this occasion.

For info, I did not enter a challenge password so it is ok to leave that blank but when converting to a PEM file, the -passout parameter must be filled in and specified as the Certificate Password on the Management > HTTP Configuration page.

Thanks again.

Posted March 10, 2011 at 11:10 AM
Tags: ssl, csr, wlc_5508