08-21-2013 12:35 PM - edited 07-04-2021 12:41 AM
I have a Cisco Wireless LAN Controller 5508, which uses 7.3.112.0. I have the VeriSign certificate but I received two intermediate files (primary and secondary), and my question is, which one do I use?
I have referred to this document from Cisco already and found no information on there:
http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00806e367a.shtml
Thanks!
08-22-2013 09:45 AM
Thanks for your help Scott. I will give it a go and let you know. I assume these are all in X.509 format, correct?
08-22-2013 12:25 PM
Yes it should be.
Thanks,
Scott
Help out other by using the rating system and marking answered questions as "Answered"
08-22-2013 12:39 PM
I tried this site:
It is really informative and follows the same steps as what you had recommended. But I ran into a block. I put all of the certs in one txt file and then simply renamed the file to All-certs.pem file and when I ran the pkcs command in OpenSSL 0.9.8, I get the following error message:
OpenSSL> pkcs12 -export -in C:\Certificates\All-certs.pem -inkey C:\Certificates\mykey.pem -out C:\Certificates\All-certs.p12 -clcerts -passin pass:cert2 -passout pass:cert2
Loading 'screen' into random state - done
unable to load private key
error in pkcs12
Any clue what I did wrong?
08-22-2013 12:43 PM
Well if you followed it step by step, you should have a private key and that key should also be in the directory you are executing the command from. The private key was generated when you created the CSR. So you need that private key.... every time you generate a new CSR, that private key will change. If you don't have it, well you will have to generate a new CSR and run through all the commands again.
Thanks,
Scott
08-22-2013 12:46 PM
I'm actually trying it out with an SSL certificate we are already using on another server to see if it will work. The pass is 100% correct. The file mykey.pem only contains the password and I manually put it in there. Now I think maybe because I manually saved the mykey.pem file with just the password, that is why it is failing?
08-22-2013 12:42 PM
Support for Chained Certificate
In controller versions earlier than 5.1.151.0, web authentication certificates can be only device certificates and should not contain the CA roots chained to the device certificate (no chained certificates).
With controller version 5.1.151.0 and later, the controller allows for the device certificate to be downloaded as a chained certificate for web authentication.
Certificate Levels
Level 0—Use of only a server certificate on WLC.
Level 1—Use of server certificate on WLC and a CA root certificate.
Level 2—Use of server certificate on WLC, one single CA intermediate certificate, and a CA root certificate.
Level 3—Use of server certificate on WLC, two CA intermediate certificates, and a CA root certificate.
WLC does not support chained certificates more than 10KB size on the WLC. However, this restriction has been removed in WLC 7.0.230.0 and later releases.
For more information please refer to the link-
http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a0080a77592.shtml
08-22-2013 01:01 PM
Thanks for your feedback but Scott already helped me with this.
08-22-2013 01:10 PM
So did you get the pem file uploaded?
Thanks,
Scott
08-22-2013 01:25 PM
What I did was I combined all the X.509 certificates into one text file then simply changed the file extension to PEM from TXT. Then I created a new mykey.pem file with just the password of cert12. So both of these two files are in the same folder where I called it from. It sees the files but gives me the error message:
Loading 'screen' into random state - done
unable to load private key
error in pkcs12
So I think the mykey.pem file must be in a wrong format as it just contains one word, which is cert12. What do you think?
08-22-2013 03:00 PM
Your private key must be corrupt. How many times did you create a CSR? The CSR that you pasted into the certificate vendor's website, is the private key you need to make sure you use.... also are you using OpenSSL v9.8?
Thanks,
Scott
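The failure discussed in this thread, as an added example that is not part of any post above: a pre-flight check, in Python with only the standard library, that tells whether the file passed to -inkey actually holds a PEM private key and how many certificates the bundle carries (the certificate level listed earlier in the thread). The function names and sample inputs are constructed for illustration; the placeholder blocks are not real keys or certificates.

```python
import base64
import re

# PEM armor: -----BEGIN <label>-----, base64 body, -----END <label>-----
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL)
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY",
              "ENCRYPTED PRIVATE KEY"}


def pem_labels(text):
    """Return the label of every well-formed PEM block in text, in file order."""
    labels = []
    for label, body in PEM_BLOCK.findall(text):
        # Legacy encrypted keys put "Proc-Type:"/"DEK-Info:" headers before the
        # base64; base64 itself never contains a colon, so skip those lines.
        payload = "".join(ln.strip() for ln in body.splitlines() if ":" not in ln)
        try:
            decoded = base64.b64decode(payload, validate=True)
        except ValueError:
            continue  # armor present but the body is not base64
        if decoded:
            labels.append(label)
    return labels


def preflight(bundle_text, key_text):
    """Return (certificate level or None, list of problems found)."""
    problems = []
    certs = [l for l in pem_labels(bundle_text) if l == "CERTIFICATE"]
    keys = [l for l in pem_labels(key_text) if l in KEY_LABELS]
    if not certs:
        problems.append("bundle has no CERTIFICATE block")
    if len(keys) != 1:
        problems.append(f"key file has {len(keys)} PEM private key blocks, need 1")
    # Level as listed in the thread: 0 = server cert only, 3 = server + 2 intermediates + root
    return (len(certs) - 1 if certs else None), problems


def fake_block(label):
    """Constructed placeholder block: valid armor, not a real key or certificate."""
    body = base64.b64encode(b"constructed placeholder, not real data").decode()
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


if __name__ == "__main__":
    bundle = fake_block("CERTIFICATE") * 3   # server + intermediate + root
    print(preflight(bundle, "cert12\n"))     # key file holding only a password
    print(preflight(bundle, fake_block("RSA PRIVATE KEY")))
```

The check only inspects PEM armor and base64 validity; it does not confirm that the key matches the server certificate or that the chain is in the right order.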