New Member

WLC 5508 - Importing SSL certificate

I have a Cisco Wireless LAN Controller 5508, which uses 7.3.112.0.  I have the VeriSign certificate but I received two intermediate files (primary and secondary), and my question is, which one do I use?

I have referred to this document from Cisco already and found no information on there:

http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00806e367a.shtml

Thanks!

24 REPLIES
Hall of Fame Super Silver

Re: WLC 5508 - Importing SSL certificate

Look at these links

https://supportforums.cisco.com/docs/DOC-16220

http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a0080a77592.shtml

-Scott
New Member

WLC 5508 - Importing SSL certificate

Thanks Scott. That's helpful! Now I know what to do.

Hall of Fame Super Silver

Re: WLC 5508 - Importing SSL certificate

If that helped can you mark the post answered. Thanks

-Scott
New Member

WLC 5508 - Importing SSL certificate

I spoke to VeriSign and they don't know anything about these Certificate Levels.  Are there are any CAs out there that still give out one intermediate certificate that would work with the Cisco WLCs?

Hall of Fame Super Silver

WLC 5508 - Importing SSL certificate

Nope... after, I think, July 2010, all vendors migrated to a 2048-bit root CA, which made all certs chained. They will no longer issue unchained certificates, as that was the standard when they were using 1024-bit.

Thanks,

Scott

New Member

WLC 5508 - Importing SSL certificate

Thanks Scott.  So what does someone like me do who needs to use a SSL cert but can't install one because of this change?

New Member

WLC 5508 - Importing SSL certificate

Is there a way for me to use only one of the two intermediate certificates?

Hall of Fame Super Silver

WLC 5508 - Importing SSL certificate

Nope.... you need to combine all the intermediates along with the device cert and the root.

Thanks,

Scott

New Member

WLC 5508 - Importing SSL certificate

Sorry if I sound stupid but in your previous replies, you sent a link with this following information in it:

Level 3 or higher is not supported

Level 3 - use of server certificate on WLC, two CA intermediate certificates and a CA Root Certificate.

So if I combine all the certificates as follows:

-----BEGIN CERTIFICATE-----
*Device cert*
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
*Intermediate CA primary cert*
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
*Intermediate CA secondary cert*
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
*Root CA cert*
-----END CERTIFICATE-----

Will it work? Do all of these certs need to be in X.509 format?

Thanks!

Hall of Fame Super Silver

WLC 5508 - Importing SSL certificate

That is a chained certificate.... if you're looking at using a cert for management, you need an unchained cert, which is typically one intermediate.

Thanks,

Scott

New Member

WLC 5508 - Importing SSL certificate

I need a cert for the users on the guest WLAN network as I want to set it up using the Web Authentication.  I don't need to install a certificate for management purposes.  Any tips or guidelines you can provide?

Hall of Fame Super Silver

WLC 5508 - Importing SSL certificate

Okay... so for webauth, you need to reference the guide I posted earlier. Then request a general SSL cert from whomever. You will get a device cert and a few intermediate certificates, and you will have to either export the root from the device cert or ask them to send you the root cert also. Then you bundle them up using OpenSSL Light v9.8.... I think v1.0 works, but better safe than sorry. Once you combine the cert, you upload that to the WLC, and on the VIP interface you set the DNS hostname, which is the FQDN of the cert. Make sure the DNS the guests will use can resolve the FQDN to the VIP. That's it.

Thanks,

Scott

New Member

WLC 5508 - Importing SSL certificate

The guide you posted doesn't say that two intermediates are supported.  It says that two intermediates are not supported.  So how would this work if they are not supported and I still combine them?

Hall of Fame Super Silver

WLC 5508 - Importing SSL certificate

It's a level 2 cert: 

Certificate Levels

  • Level 0—Use of only a server certificate on WLC.
  • Level 1—Use of server certificate on WLC and a CA root certificate.
  • Level 2—Use of server certificate on WLC, one single CA intermediate certificate, and a CA root certificate.
  • Level 3—Use of server certificate on WLC, two CA intermediate certificates, and a CA root certificate.

So it would look like this:

-----BEGIN CERTIFICATE-----
*Device cert*
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
*Intermediate CA cert*
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
*Intermediate CA cert*
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
*Root CA cert*
-----END CERTIFICATE-----

Thanks,

Scott

New Member

WLC 5508 - Importing SSL certificate

Thanks for your help Scott.  I will give it a go and let you know.  I assume these are all in X.509 format, correct?

Hall of Fame Super Silver

WLC 5508 - Importing SSL certificate

Yes it should be.

Thanks,


Scott
New Member

WLC 5508 - Importing SSL certificate

I tried this site:

http://www.my80211.com/cisco-wlc-cli-commands/2011/1/16/wlcgenerate-third-party-web-authentication-certificate-for-a.html

It is really informative and follows the same steps as what you had recommended. But I ran into a block. I put all of the certs in one TXT file and then simply renamed the file to All-certs.pem, and when I ran the pkcs12 command in OpenSSL 0.9.8, I got the following error message:

OpenSSL> pkcs12 -export -in C:\Certificates\All-certs.pem -inkey C:\Certificates\mykey.pem -out C:\Certificates\All-certs.p12 -clcerts -passin pass:cert2 -passout pass:cert2

Loading 'screen' into random state - done

unable to load private key

error in pkcs12

Any clue what I did wrong?

Hall of Fame Super Silver

WLC 5508 - Importing SSL certificate

Well, if you followed it step by step, you should have a private key, and that key should also be in the directory you are executing the command from. The private key was generated when you created the CSR, so you need that private key.... Every time you generate a new CSR, that private key will change. If you don't have it, well, you will have to generate a new CSR and run through all the commands again.

Thanks,

Scott

New Member

WLC 5508 - Importing SSL certificate

I'm actually trying it out with an SSL certificate we are already using on another server to see if it will work. The pass is 100% correct. The file mykey.pem only contains the password, and I manually put it in there. Now I think maybe because I manually saved the mykey.pem file with just the password, that is why it is failing?

WLC 5508 - Importing SSL certificate

Support for Chained Certificate

In controller versions earlier than 5.1.151.0, web authentication certificates can be only device certificates and should not contain the CA roots chained to the device certificate (no chained certificates).

With controller version 5.1.151.0 and later, the controller allows for the device certificate to be downloaded as a chained certificate for web authentication.

Certificate Levels

Level 0—Use of only a server certificate on WLC.

Level 1—Use of server certificate on WLC and a CA root certificate.

Level 2—Use of server certificate on WLC, one single CA intermediate certificate, and a CA root certificate.

Level 3—Use of server certificate on WLC, two CA intermediate certificates, and a CA root certificate.

The WLC does not support chained certificates larger than 10 KB. However, this restriction has been removed in WLC 7.0.230.0 and later releases.

For more information please refer to the link-

http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a0080a77592.shtml

New Member

WLC 5508 - Importing SSL certificate

Thanks for your feedback but Scott already helped me with this.

Hall of Fame Super Silver

WLC 5508 - Importing SSL certificate

So did you get the pem file uploaded?

Thanks,

Scott

New Member

WLC 5508 - Importing SSL certificate

What I did was I combined all the X.509 certificates into one text file, then simply changed the file extension from TXT to PEM. Then I created a new mykey.pem file with just the password of cert12. So both of these files are in the same folder I called it from. It sees the files but gives me the error message:

Loading 'screen' into random state - done

unable to load private key

error in pkcs12

So I think the mykey.pem file must be in a wrong format as it just contains one word, which is cert12.  What do you think?

Hall of Fame Super Silver

WLC 5508 - Importing SSL certificate

Your private key must be corrupt. How many times did you create a CSR? The CSR that you pasted into the certificate vendor's website is the private key you need to make sure you use.... Also, are you using OpenSSL v9.8?

Thanks,

Scott

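Added example, not code from the thread, from Cisco or from the my80211 guide: a POSIX shell script (needs the openssl command line) that covers both problems discussed above. It assembles the bundle in the order Scott gives (device cert, then the intermediates, then the root), checks that each certificate is followed by the one that signed it and that the bundle is under the 10 KB limit quoted earlier, and then reproduces the "unable to load private key" pkcs12 failure by feeding it a mykey.pem that holds only a pass phrase, next to the checks that catch it. It runs offline: the root, the two intermediates and the device certificate are generated locally as constructed test data standing in for the CA's "primary" and "secondary" intermediates. File names and the pass phrase cert2 follow the thread; the host name guest.example.com, the CA names and the file stems intermediate1/intermediate2 are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread or from Cisco: build a chained PEM bundle
# in the accepted answer's order, check it, and reproduce the pkcs12 failure.
# Everything below is constructed test data; guest.example.com and the CA
# names are assumptions, file names follow the thread.
set -eu

WORK=$(mktemp -d)
cd "$WORK"

# Sign a fresh key/CSR for $1 (subject $2) with CA $3, extensions from file $4.
issue() {
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
        -subj "$2" 2>/dev/null
    openssl x509 -req -in "$1.csr" -CA "$3.pem" -CAkey "$3.key" -CAcreateserial \
        -days 30 -sha256 -extfile "$4" -out "$1.pem" 2>/dev/null
}

# Throwaway hierarchy: root -> intermediate1 -> intermediate2 -> device.
# The intermediate that signed the device cert goes first in the bundle;
# the CA's "primary"/"secondary" labels say nothing about that order.
make_test_hierarchy() {
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:guest.example.com\n' > leaf.ext
    openssl req -new -newkey rsa:2048 -nodes -keyout root.key -out root.csr \
        -subj "/CN=Test Root CA" 2>/dev/null
    openssl x509 -req -in root.csr -signkey root.key -days 30 -sha256 \
        -extfile ca.ext -out root.pem 2>/dev/null
    issue intermediate1 "/CN=Test Intermediate 1" root ca.ext
    issue intermediate2 "/CN=Test Intermediate 2" intermediate1 ca.ext
    issue device "/CN=guest.example.com" intermediate2 leaf.ext
    mv device.key mykey.pem   # the key behind the CSR: the only key pkcs12 accepts
}

# Order from the accepted answer: device first, each cert followed by its issuer, root last.
build_bundle() { cat device.pem intermediate2.pem intermediate1.pem root.pem > All-certs.pem; }

cert_count() { grep -c 'BEGIN CERTIFICATE' "$1" || true; }

# "Level" as the Cisco document quoted in the thread defines it: Level 0 is the
# device cert alone, Level 1 adds the root, each intermediate adds one more.
# Assumes the root is the last cert, as build_bundle writes it.
cert_level() { echo $(( $(cert_count "$1") - 1 )); }

bundle_size_bytes() { wc -c < "$1" | tr -d ' '; }

# Is every cert followed by the one that signed it, ending in a self-signed root?
chain_is_ordered() {
    openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout |
    awk 'BEGIN { n = 0 }
         /^subject=/ { sub(/^subject=/, ""); subj[n] = $0 }
         /^issuer=/  { sub(/^issuer=/, "");  iss[n] = $0; n++ }
         END {
             if (n == 0) exit 1
             for (i = 0; i < n - 1; i++) if (iss[i] != subj[i + 1]) exit 1
             if (iss[n - 1] != subj[n - 1]) exit 1
             exit 0
         }'
}

# pkcs12 needs a PEM-encoded private key, not a pass phrase typed into a file,
# and that key has to match the device certificate's public key.
is_private_key() { openssl pkey -in "$1" -noout 2>/dev/null; }

key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null | openssl sha256)
    c=$(openssl x509 -in "$2" -pubkey -noout | openssl sha256)
    [ "$k" = "$c" ]
}

# The thread's export command; -clcerts is dropped because it only applies
# when parsing a .p12, not when creating one.
export_p12() { openssl pkcs12 -export -in "$1" -inkey "$2" -out "$3" -passout pass:cert2 2>/dev/null; }

make_test_hierarchy
build_bundle
cat intermediate2.pem intermediate1.pem > intermediates.pem
cat device.pem intermediate1.pem intermediate2.pem root.pem > swapped.pem   # intermediates swapped
printf 'cert12\n' > mykey-wrong.pem   # what the poster's mykey.pem actually contained

echo "All-certs.pem: $(cert_count All-certs.pem) certs, Level $(cert_level All-certs.pem), $(bundle_size_bytes All-certs.pem) bytes (WLC before 7.0.230.0 rejects chains over 10 KB)"
chain_is_ordered All-certs.pem && echo "All-certs.pem: chain order ok"
chain_is_ordered swapped.pem || echo "swapped.pem: chain order wrong"
openssl verify -CAfile root.pem -untrusted intermediates.pem device.pem
is_private_key mykey-wrong.pem || echo "mykey-wrong.pem: not a PEM private key"
export_p12 All-certs.pem mykey-wrong.pem bad.p12 || echo "pkcs12 with mykey-wrong.pem: fails, as in the thread"
key_matches_cert mykey.pem device.pem && echo "mykey.pem: matches device.pem"
export_p12 All-certs.pem mykey.pem All-certs.p12 && echo "All-certs.p12: written"
```

With a real certificate, replace the generated files with the device cert, the intermediates and the root from the CA, keep the private key that produced the CSR as mykey.pem, and run the same checks on the bundle before uploading it; chain_is_ordered fails immediately if the two intermediates are concatenated the wrong way round, which the level definitions alone do not tell you.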