New Member

Web Auth Certificate Download - Failed to install certificate

I'm trying to install a wildcard pfx certificate on a 2504 WLC for the Web Authentication page.  I followed the instructions from the following posts.  I'm using openssl 0.9.8.zb (couldn't find anything earlier), but I'm also not getting the same error message these two posts were getting.

https://supportforums.cisco.com/discussion/11721616/install-godaddy-wildcard-ssl-wlc-2504-conroller

https://supportforums.cisco.com/discussion/11668556/web-auth-cert-download

They say to use the command openssl pkcs12 -in myssl.pfx -out mynewssl.pem -passin pass:mypassword -passout pass:mypassword

I did this and it uploads to my WLC but fails to install.

*TransferTask: Sep 04 19:23:52.906: #UPDATE-3-CERT_INST_FAIL: updcode.c:2140 Failed to install certificate. rc = 2
*sshpmReceiveTask: Sep 04 19:23:48.793: #OSAPI-3-MUTEX_FREE_INFO: osapi_sem.c:1086 Sema 0x2b32cd58 time=271 ulk=808 lk=537 Locker(sshpmReceiveTask sshpmrecv.c:1840 pc=0x10ca2368) unLocker(sshpmReceiveTask sshpmReceiveTaskEntry:1825 pc=0x10ca2368)

8 REPLIES
Cisco Employee

Hi Michael,

If you are running 7.6.100.0, you will face this issue while installing a 3rd party certificate, as 7.6.x installs self-signed certificates or full chained certificates. I see that there is a bug:

https://tools.cisco.com/bugsearch/bug/CSCuo74691/?reffering_site=dumpcr

Regards

Salma

New Member

Thanks, this pointed me in the right direction.  The problem was the pfx cert I exported wasn't the full chained certificate.  When looking at the pem file I had created, it was only:

-----BEGIN RSA PRIVATE KEY-----

Private Key

-----END RSA PRIVATE KEY-----

-----BEGIN CERTIFICATE-----

Device Cert

-----END CERTIFICATE-----

For other users who may encounter this issue:

I had exported this wildcard certificate from another server through IIS.  Instead I had to view the certificate, copy to file, export the private key, include all certificates.  Now I was able to use that same command and my new pem was the following format which worked.  I was able to install this cert then publish a public DNS record to translate 1.1.1.1 to a url I placed in the virtual interface's DNS Host Name field.

-----BEGIN RSA PRIVATE KEY-----

Private Key

-----END RSA PRIVATE KEY-----

-----BEGIN CERTIFICATE-----

Device Cert

-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----

Intermediate Cert

-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----

Root Cert

-----END CERTIFICATE-----
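An added example, not part of the original posts and not Cisco tooling: a pre-upload check of the PEM layout compared in the reply above, flagging a file that holds only the private key and the device certificate. The names `pem_blocks`, `check_bundle`, `min_certs` and the sample bundles are hypothetical and the block contents are constructed placeholders; it inspects block labels and base64 validity only, not signatures.

```python
import base64
import re

# Matches one PEM block; text between blocks (e.g. the "Bag Attributes"
# lines written by openssl pkcs12) is ignored.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)
KEY_LABELS = {"RSA PRIVATE KEY", "PRIVATE KEY", "ENCRYPTED PRIVATE KEY"}


def pem_blocks(text):
    """Return [(label, der_bytes)] for every well-formed PEM block in text."""
    blocks = []
    for label, body in PEM_BLOCK.findall(text):
        # An encrypted legacy key carries "Proc-Type"/"DEK-Info" headers
        # followed by a blank line; drop them before decoding.
        if ":" in body.split("\n", 1)[0]:
            body = re.split(r"\r?\n\r?\n", body, maxsplit=1)[-1]
        der = base64.b64decode("".join(body.split()), validate=True)
        blocks.append((label, der))
    return blocks


def check_bundle(text, min_certs=2):
    """Return a list of problems with the bundle layout (empty list = OK)."""
    labels = [label for label, _ in pem_blocks(text)]
    keys = [l for l in labels if l in KEY_LABELS]
    certs = [l for l in labels if l == "CERTIFICATE"]
    problems = []
    if len(keys) != 1:
        problems.append(f"expected 1 private key, found {len(keys)}")
    if len(certs) < min_certs:
        problems.append(
            f"only {len(certs)} certificate(s): chain certificates missing")
    return problems


def fake(label):  # constructed placeholder block, not real key material
    body = base64.b64encode(label.encode() * 3).decode()
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

KEY, CERT = fake("RSA PRIVATE KEY"), fake("CERTIFICATE")
DEVICE_ONLY = "Bag Attributes\n" + KEY + CERT   # layout of the first export
FULL_CHAIN = KEY + CERT + CERT + CERT           # device, intermediate, root

if __name__ == "__main__":
    for name, pem in (("device-only", DEVICE_ONLY), ("full-chain", FULL_CHAIN)):
        print(name, check_bundle(pem) or "layout OK")
```
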

Cisco Employee

Hi Michael,

Thanks for your response and explanation, as it will help others in installing the cert on WLC. I am glad to know that everything is working fine.

Regards

Salma

New Member

Hello all,

I'm having the same problem, but in version 8.0.110.0 (latest stable).

After trying to install the certificate, it returns this log output: *TransferTask: Jan 29 10:30:14.337: #UPDATE-3-CERT_INST_FAIL: [PA] updcode.c:2554 Failed to install certificate. rc = 2

The certificate has a .pem extension and was generated last week by GlobalSign. I have the password, and it is correct. The certificate was generated for the full address that is configured in the virtual interface.

Does anyone have an idea how I can fix this issue?

Thanks!

Hall of Fame Super Silver

When you generated the CSR, what did you use?  OpenSSL v9.8 is what you should use in case you used v1.0.

-Scott

New Member

Hello Scott,

Thanks for your attention.

The file was generated using OpenSSL 0.9.8k 25 Mar 2009, with the command below:

openssl pkcs12 -in CEPO1501269401.pfx -out wifi.mydomain.com.pem

In the "DNS Host Name" field of the virtual interface (1.1.1.1), I have the domain wifi.mydomain.com configured.

Regards,

-Urik

Hall of Fame Super Silver

Urik,

Typically when a cert fails during the transfer, it's either a bad pem file or the password.  Why not create a new CSR and have them replace the cert they gave you?  I have had to do this a few times due to fat-fingering the password :)

-Scott

New Member

Hello Scott,

You were right. The problem was with the certificate.

To solve the problem I followed this URL: http://www.cisco.com/c/en/us/support/docs/wireless/4400-series-wireless-lan-controllers/109597-csr-chained-certificates-wlc-00.html

Thanks all!
