WLC 5508 - Importing SSL certificate

msingh2007
Level 1

I have a Cisco Wireless LAN Controller 5508, which uses 7.3.112.0.  I have the VeriSign certificate but I received two intermediate files (primary and secondary), and my question is, which one do I use?

I have referred to this document from Cisco already and found no information on there:

http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00806e367a.shtml

Thanks!

24 Replies

Thanks for your help, Scott.  I will give it a go and let you know.  I assume these are all in X.509 format, correct?

Yes it should be.

Thanks,


Scott

Help out others by using the rating system and marking answered questions as "Answered"

-Scott
*** Please rate helpful posts ***

I tried this site:

http://www.my80211.com/cisco-wlc-cli-commands/2011/1/16/wlcgenerate-third-party-web-authentication-certificate-for-a.html

It is really informative and follows the same steps as what you had recommended.  But I ran into a block.  I put all of the certs in one txt file and then simply renamed the file to All-certs.pem file and when I ran the pkcs command in OpenSSL 0.9.8, I get the following error message:

OpenSSL> pkcs12 -export -in C:\Certificates\All-certs.pem -inkey C:\Certificates\mykey.pem -out C:\Certificates\All-certs.p12 -clcerts -passin pass:cert2 -passout pass:cert2

Loading 'screen' into random state - done

unable to load private key

error in pkcs12

Any clue what I did wrong?

Well if you followed it step by step, you should have a private key and that key should also be in the directory you are executing the command from.  The private key was generated when you created the CSR.  So you need that private key.... every time you generate a new CSR, that private key will change.  If you don't have it, well you will have to generate a new CSR and run through all the commands again.

Thanks,

Scott


I'm actually trying it out with an SSL certificate we are already using on another server to see if it will work.  The pass is 100% correct.  The file mykey.pem only contains the password and I manually put it in there.  Now I think maybe because I manually saved the mykey.pem file with just the password, that is why it is failing?

Abhishek Abhishek
Cisco Employee

Support for Chained Certificate

In controller versions earlier than 5.1.151.0, web authentication certificates can be only device certificates and should not contain the CA roots chained to the device certificate (no chained certificates).

With controller version 5.1.151.0 and later, the controller allows for the device certificate to be downloaded as a chained certificate for web authentication.

Certificate Levels

Level 0—Use of only a server certificate on WLC.

Level 1—Use of server certificate on WLC and a CA root certificate.

Level 2—Use of server certificate on WLC, one single CA intermediate certificate, and a CA root certificate.

Level 3—Use of server certificate on WLC, two CA intermediate certificates, and a CA root certificate.

The WLC does not support chained certificates larger than 10KB. However, this restriction has been removed in WLC 7.0.230.0 and later releases.

For more information, please refer to this link:

http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a0080a77592.shtml

Thanks for your feedback but Scott already helped me with this.

So did you get the pem file uploaded?

Thanks,

Scott


What I did was I combined all the X.509 certificates into one text file then simply changed the file extension to PEM from TXT.  Then I created a new mykey.pem file with just the password of cert12.  So both of these two files are in the same folder where I called it from.  It sees the files but gives me the error message:

Loading 'screen' into random state - done

unable to load private key

error in pkcs12

So I think the mykey.pem file must be in a wrong format as it just contains one word, which is cert12.  What do you think?
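As an added example (not from this thread, Cisco, or the linked guides), a small Python check of the two files handed to `openssl pkcs12 -export`: it reports the same "unable to load private key" condition when the -inkey file holds a bare password instead of a PEM private-key block, and counts the CERTIFICATE blocks in the concatenated chain file. The sample file contents are constructed and their DER bodies are placeholders, not real keys or certificates.

```python
import base64
import binascii
import re

# Regex for one PEM block; the label (CERTIFICATE, RSA PRIVATE KEY, ...) is captured
# so the same regex serves both the -in chain file and the -inkey file.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", re.S)


def pem_blocks(text):
    """Return (label, der_bytes) for each PEM block whose body decodes to DER."""
    found = []
    for label, body in PEM_BLOCK.findall(text):
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except binascii.Error:
            continue  # garbage between the markers, not a usable block
        # Certificates and private keys are DER SEQUENCEs, so the first byte is 0x30.
        if der[:1] == b"\x30":
            found.append((label, der))
    return found


def diagnose_pkcs12_inputs(key_text, chain_text):
    """Return the reasons 'openssl pkcs12 -export' would refuse these two inputs."""
    problems = []
    if not any(label.endswith("PRIVATE KEY") for label, _ in pem_blocks(key_text)):
        problems.append("unable to load private key: -inkey file contains no PEM PRIVATE KEY block")
    if not any(label == "CERTIFICATE" for label, _ in pem_blocks(chain_text)):
        problems.append("-in file contains no PEM CERTIFICATE block")
    return problems


def count_certificates(chain_text):
    """Number of CERTIFICATE blocks in the chain file (server + intermediates + root)."""
    return sum(1 for label, _ in pem_blocks(chain_text) if label == "CERTIFICATE")


# Constructed sample files (not from the thread). The bodies are a tiny DER SEQUENCE,
# enough to exercise the structural checks; they are not real keys or certificates.
FAKE_DER_B64 = "MAMCAQA="  # DER: SEQUENCE { INTEGER 0 }
KEY_ONLY_PASSWORD = "cert12\n"  # a mykey.pem that holds only the password
KEY_PROPER = f"-----BEGIN RSA PRIVATE KEY-----\n{FAKE_DER_B64}\n-----END RSA PRIVATE KEY-----\n"
CHAIN_THREE_LEVEL = f"-----BEGIN CERTIFICATE-----\n{FAKE_DER_B64}\n-----END CERTIFICATE-----\n" * 3

if __name__ == "__main__":
    print(diagnose_pkcs12_inputs(KEY_ONLY_PASSWORD, CHAIN_THREE_LEVEL))
    print(diagnose_pkcs12_inputs(KEY_PROPER, CHAIN_THREE_LEVEL), count_certificates(CHAIN_THREE_LEVEL))
```

A real key file must contain the private key generated alongside the CSR; a password string on its own will never satisfy this check.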

Your private key must be corrupt.  How many times did you create a CSR?  The CSR that you pasted into the certificate vendor's website is the private key you need to make sure you use.... also, are you using OpenSSL v9.8?

Thanks,

Scott
