Cisco Support Community
Community Member

WLC SSL Cert Question


We plan on trying to apply a public cert to our WLC for Guest Web Authentication.  The current Virtual IP is and we're running 5.2.193.  I found the URL for generating the CSR from Windows (see below), but had a question regarding the Virtual IP and A record.  Do we need to change the virtual IP to an available public IP with a matching A record?  If so, what would be the impact if we made this change first?  Thank you.


Cisco Employee

Re: WLC SSL Cert Question

Hi John,

The virtual IP has to be a non-public IP that doesn't exist in a network. So keep it

What you need to have the cert validated:

1) Have the certificate issued to a name, let's say "myCN" for example.

2) The Virtual interface on WLC must have "Virtual dns hostname" set to "myCN".

3) The DNS server that clients will be using needs to have an A record for "myCN" pointing to the virtual IP, usually

I hope this clarifies?



Don't forget to rate answers that you find useful

Community Member

Re: WLC SSL Cert Question

Hi Nicolas,

Sorry for the delay. Yes, that does make sense. Where do you generate the CSR? Our current guest DHCP points to the internet, so I guess I need to point them to our internal DNS and ensure the hostname resolves to

Thank you.


Cisco Employee

Re: WLC SSL Cert Question

This is the procedure:

Hope this helps.



Don't forget to rate answers that you find useful

Community Member

Re: WLC SSL Cert Question

What happens when I want to put certs on several WLCs, all with virtual IPs?

Must/can I change to,, etc. to keep DNS happy?

Cisco Employee

Re: WLC SSL Cert Question

Hi there,

No need to change that Virtual Interface IP address for multiple controllers (this will break mobility, among other things).  In fact, you can use the same 3rd Party Certificate on all of your WLCs as long as you have the same DNS Hostname specified under the Virtual Interface.



Cisco Employee

Re: WLC SSL Cert Question

The logic behind this is that you just need the DNS to return "" for the hostname. But when the client will ask for, remember that this never hits the network. It first goes through the client WLC, and the client WLC immediately captures the traffic and sends the webauth page.

That's why all WLCs can have at the same time because the clients never send traffic to "" on the network itself.


Community Member

Re: WLC SSL Cert Question

Hi all,

This is a great topic, but I'm still finding this confusing.

We have close to 100 controllers and 1000 APs.

Our controller virtual ip address is divided east/west and

Until recently, we didn't have guest wireless. Now we have two anchors in our east DMZ with the virtual IP of They host DHCP and we use public DNS.

We haven't added the West Guest Anchors yet, but the road I'm going down would be that they would have a virtual IP of to be consistent with internal controller standards.

So here are my questions:

1. I want to get rid of the browser errors, so I'm getting a couple of certificates for the East Anchor Controllers. From what I am reading, I only need one certificate for both controllers with a virtual IP of and a FQDN of Is that correct?

2. When I get my Guest Controllers set up in the West (Virtual address of, I'll get another certificate for both of those controllers. FQDN would be Is that correct?

Due to project timeline, we have been adding east and west internal controllers (with different virtual IP addresses) to the east Anchors. I haven't seen any issues in communication. I can correct this, but I'm not sure why I would?

Each site has its own mobility group for the most part, unless they are in very close proximity to each other.

We do have WCS and MSE - I don't think they play into this at all, but I thought I would mention this.

Really appreciate your feedback. Thanks.

Cisco Employee

Re: WLC SSL Cert Question

Your point 1 and 2 are correct. Except that you forgot 1 thing.

If you issue a certificate to "", that means that the client browser will verify this against the URL it's been redirected to.

So you need to configure the virtual interface hostname to "". Not a problem so far.

However, this is what will happen:

1) Client wants to surf

2) WLC spoofs google ip address and says "hey, how about you come over here to my webauth page? URL is"

3) Client browser then wants to surf

4) Client browser realizes it has no idea about where that URL is and asks DNS

5) Your public DNS replies that it has no clue either.

So for point 5, you'd need the clients to be given a DNS server that would know about "" and would redirect it to

Then we'd have:

6)Client sends HTTP GET request to with the URL ""

7) WLC doesn't let that go anywhere on the network and presents the authentication page

8) Client browser thinks the webauth page is legit.

So either you manage to have your DNS entry on the public DNS pointing to "". Or you build up a local DNS server that only knows "" and for all other queries, forwards to your public DNS.

All this pain because it is usually difficult to get a certificate issued by a 3rd party CA to the IP "" for example. If you can manage to get that, then you can forget about all that hostname need.

Hope this clarifies.



Don't forget to rate answers that you find useful
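The three requirements from Nicolas's first reply (cert issued to a name, the same name in the Virtual DNS hostname field, an A record for that name pointing at the virtual IP) and the 8-step redirect flow in the last reply can be modelled as a small pre-deployment check. The following is an added example written for this page, not code from the thread or from Cisco. Every address and name in it is a constructed placeholder: the thread elides the real virtual IP, so `192.0.2.1` stands in for it, and `guest.example.com` stands in for the thread's "myCN". The `split_resolver` models the "local DNS that only knows the webauth hostname and forwards everything else" option; `public_resolver` with the record present models the "publish it on the public DNS" option.

```python
"""Model of the WLC web-auth redirect flow discussed in this thread.

Added example, not code from the thread or from Cisco. Every hostname and
address here is a constructed placeholder: the thread elides the real
virtual IP, and "guest.example.com" stands in for the thread's "myCN".
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

VIRTUAL_IP = "192.0.2.1"            # placeholder for the virtual interface IP
WEBAUTH_HOST = "guest.example.com"  # placeholder for the thread's "myCN"

Resolver = Callable[[str], Optional[str]]


@dataclass
class VirtualInterface:
    ip: str
    dns_hostname: Optional[str] = None  # the "Virtual DNS hostname" field


@dataclass
class Certificate:
    common_name: str
    sans: List[str] = field(default_factory=list)  # subjectAltName entries


def public_resolver(zone: Dict[str, str]) -> Resolver:
    """A resolver that only knows the records in `zone` (simulated public DNS)."""
    return lambda name: zone.get(name.lower())


def split_resolver(local_zone: Dict[str, str], upstream: Resolver) -> Resolver:
    """Local DNS that knows only the web-auth hostname and forwards the rest."""
    def resolve(name: str) -> Optional[str]:
        return local_zone.get(name.lower()) or upstream(name)
    return resolve


def name_matches(pattern: str, host: str) -> bool:
    """Exact match, or a leading '*.' wildcard covering exactly one label."""
    pattern, host = pattern.lower(), host.lower()
    if pattern == host:
        return True
    if pattern.startswith("*."):
        labels = host.split(".")
        return len(labels) > 1 and ".".join(labels[1:]) == pattern[2:]
    return False


def cert_matches(cert: Certificate, host: str) -> bool:
    """SANs take precedence; the CN is only a legacy fallback when no SAN exists."""
    names = cert.sans or [cert.common_name]
    return any(name_matches(n, host) for n in names)


def redirect_url(vif: VirtualInterface) -> str:
    """Step 2: the WLC redirects to its hostname if one is set, else to the bare IP."""
    return f"https://{vif.dns_hostname or vif.ip}/login.html"


def simulate_webauth(vif: VirtualInterface, cert: Certificate,
                     resolver: Resolver) -> dict:
    """Walk steps 1-8 of the thread and report where the client ends up."""
    steps = ["client opens an arbitrary site; WLC intercepts and redirects"]
    url = redirect_url(vif)
    host = url.split("/")[2]
    steps.append(f"redirected to {url}")
    if host == vif.ip:
        addr = vif.ip
        steps.append("URL carries an IP literal; no DNS lookup needed")
    else:
        addr = resolver(host)
        if addr is None:
            steps.append(f"DNS returns nothing for {host}; browser cannot connect")
            return {"result": "dns_failure", "steps": steps}
        steps.append(f"DNS answers {host} -> {addr}")
    if addr != vif.ip:
        steps.append("A record does not point at the virtual IP; login page is not served there")
        return {"result": "wrong_address", "steps": steps}
    steps.append("GET reaches the virtual IP; WLC serves the login page")
    if not cert_matches(cert, host):
        steps.append(f"certificate is not valid for {host}; browser warns")
        return {"result": "cert_mismatch", "steps": steps}
    steps.append("certificate name matches the URL; no browser warning")
    return {"result": "ok", "steps": steps}


if __name__ == "__main__":
    vif = VirtualInterface(VIRTUAL_IP, WEBAUTH_HOST)
    cert = Certificate(WEBAUTH_HOST, [WEBAUTH_HOST])
    public_only = public_resolver({"www.example.net": "203.0.113.10"})  # constructed zone
    local = split_resolver({WEBAUTH_HOST: VIRTUAL_IP}, public_only)
    for label, r in (("public DNS only", public_only), ("split DNS", local)):
        out = simulate_webauth(vif, cert, r)
        print(label, "->", out["result"])
        for s in out["steps"]:
            print("   ", s)
```

Running it prints the two walks: with a public resolver that has no record for the hostname the client stops at step 5 (`dns_failure`), with the split resolver it reaches step 8 (`ok`). Leaving the Virtual DNS hostname unset while the cert is issued to the hostname yields `cert_mismatch`, which is the browser warning the thread is trying to remove, and a cert issued to the IP itself with no hostname configured yields `ok`, which is the shortcut the last reply mentions. Because the check is a pure function of the three settings, the same inputs give the same answer for every controller that shares the virtual IP and hostname, matching the point that one certificate serves all of them.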
