WLC 5508 - Importing SSL certificate

msingh2007
Level 1

I have a Cisco Wireless LAN Controller 5508, which uses 7.3.112.0.  I have the VeriSign certificate but I received two intermediate files (primary and secondary), and my question is, which one do I use?

I have referred to this document from Cisco already and found no information on there:

http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00806e367a.shtml

Thanks!

Scott Fella
Hall of Fame

Look at these links

https://supportforums.cisco.com/docs/DOC-16220

http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a0080a77592.shtml

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***

Thanks Scott.  That's helpful!  Now I know what to do

If that helped can you mark the post answered. Thanks

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***

I spoke to VeriSign and they don't know anything about these Certificate Levels.  Are there any CAs out there that still give out one intermediate certificate that would work with the Cisco WLCs?

Nope... after I think in July 2010, all vendors migrated to a 2048 root CA which made all certs chained.  They will no longer issue unchained certificates as that was a standard when they were using 1024.

Thanks,

Scott

Help out others by using the rating system and marking answered questions as "Answered"

-Scott
*** Please rate helpful posts ***

Thanks Scott.  So what does someone like me do who needs to use a SSL cert but can't install one because of this change?

Is there a way for me to use only one of the two intermediate certificates?

Nope.... you need to combine all the intermediates along with the device cert and the root.

Thanks,

Scott

Help out others by using the rating system and marking answered questions as "Answered"

-Scott
*** Please rate helpful posts ***

Sorry if I sound stupid but in your previous replies, you sent a link with this following information in it:

Level 3 or higher is not supported

Level 3 - use of server certificate on WLC, two CA intermediate certificates and a CA Root Certificate.

So if I combine all the certificates as follows:

-----BEGIN CERTIFICATE-----
*Device cert*
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
*Intermediate CA primary cert *
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
*Intermediate CA secondary cert *
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
*Root CA cert *
-----END CERTIFICATE-----

It will work?  Do all of these certs need to be in X.509 format?

Thanks!

That is a chained certificate.... if you're looking at using a cert for management, you need an unchained cert, which is typically one intermediate.

Thanks,

Scott

Help out others by using the rating system and marking answered questions as "Answered"

-Scott
*** Please rate helpful posts ***

I need a cert for the users on the guest WLAN network as I want to set it up using the Web Authentication.  I don't need to install a certificate for management purposes.  Any tips or guidelines you can provide?

Okay... so for webauth, you need to reference the guide I posted earlier.  Then request a general SSL cert from whomever.  You will get a device cert and a few intermediate certificates in which you will have to either export the root from the device cert or ask them to send you the root cert also.  Then you bundle them up using OpenSSL Light v9.8.... I think v1.0 works, but better safe than sorry.  Once you combine the cert, you upload that to the WLC and on the VIP interface you set the DNS hostname which is the FQDN of the cert.  Make sure DNS the guest will use can resolve the FQDN to the VIP.  That's it.

Thanks,

Scott

Help out others by using the rating system and marking answered questions as "Answered"

-Scott
*** Please rate helpful posts ***

The guide you posted doesn't say that two intermediates are supported.  It says that two intermediates are not supported.  So how would this work if they are not supported and I still combine them?

It's a level 2 cert: 

Certificate Levels

  • Level 0—Use of only a server certificate on WLC.
  • Level 1—Use of server certificate on WLC and a CA root certificate.
  • Level 2—Use of server certificate on WLC, one single CA intermediate certificate, and a CA root certificate.
  • Level 3—Use of server certificate on WLC, two CA intermediate certificates, and a CA root certificate.

So it would look like this:

-----BEGIN CERTIFICATE-----
*Device cert*
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
*Intermediate CA cert *
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
*Intermediate CA cert *
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
*Root CA cert *
-----END CERTIFICATE-----

Thanks,

Scott

Help out others by using the rating system and marking answered questions as "Answered"

-Scott
*** Please rate helpful posts ***
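
A way to sanity-check a combined bundle before uploading it, as an added example that is not part of the thread or of Cisco's documentation: it enforces strict PEM framing, checks that each certificate's issuer matches the next certificate's subject with a self-signed root last, and reports the certificate level from the list above as the number of certificates minus one. The sample certificates are constructed skeletons with assumed names, and the check compares names only; it does not verify signatures.

```python
import base64
import re
# Strict PEM framing: five ASCII hyphens each side, marker alone on its line.
PEM_RE = re.compile(r"^-----BEGIN CERTIFICATE-----\s*?\n([A-Za-z0-9+/=\s]+?)"
                    r"^-----END CERTIFICATE-----\s*?$", re.M)

def _tlv(buf, pos):  # read one DER TLV header: (tag, value_start, value_end)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def issuer_subject(der):
    """Return the raw DER issuer and subject Name fields of a certificate."""
    _, pos, _ = _tlv(der, _tlv(der, 0)[1])   # into Certificate, then tbsCertificate
    fields = []
    while len(fields) < 6:   # version, serial, alg, issuer, validity, subject
        tag, _, end = _tlv(der, pos)
        if not fields and tag != 0xA0:       # v1 certificate: no version field
            fields.append(b"")
        fields.append(der[pos:end])
        pos = end
    return fields[3], fields[5]

def check_bundle(text):
    """Return (level, problems) for a device -> intermediates -> root bundle."""
    blocks = PEM_RE.findall(text)
    framed = len(blocks) == text.count("BEGIN CERTIFICATE")
    problems = [] if framed else ["malformed BEGIN/END marker"]
    names = [issuer_subject(base64.b64decode(b)) for b in blocks]
    problems += [f"cert {i} is not issued by cert {i + 1}"
                 for i in range(len(names) - 1) if names[i][0] != names[i + 1][1]]
    if names and names[-1][0] != names[-1][1]:
        problems.append("last certificate is not a self-signed root")
    return len(blocks) - 1, problems         # level = certificates minus one

def sample_cert(issuer, subject):
    """Constructed skeleton with a certificate's field order; NOT a real cert."""
    der = lambda tag, body=b"": bytes([tag, len(body)]) + body
    name = lambda s: der(0x30, der(0x0C, s.encode()))
    tbs = (der(0xA0, der(2, b"\x02")) + der(2, b"\x01") + der(0x30)
           + name(issuer) + der(0x30) + name(subject))
    body = base64.encodebytes(der(0x30, der(0x30, tbs))).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}-----END CERTIFICATE-----\n"

# Constructed Level 3 bundle: device, two intermediates, root (names assumed).
CHAIN = ["guest.example.test", "int-primary", "int-secondary", "root", "root"]
SAMPLE = "".join(sample_cert(i, s) for s, i in zip(CHAIN, CHAIN[1:]))
```

Calling `check_bundle()` on the text of a real combined `.pem` file returns the level and a list of framing or ordering problems; an empty list means the order is consistent.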