
New Member

Certificate questions for WebAuth clients


I have a few questions about certificates as I am debating on purchasing a 3rd party certificate for webauth clients. I'm running WCS and my 4404's are on

1. Which type of certificate is preferred, between self-signed and 3rd party (verisign, rapidssl, etc)? Which works better and is easier to set up between the two types?

2. Does the CN need to be the virtual interface's DNS hostname, or can it be the actual virtual address (

3. If it needs to be DNS, does the CN have to be '' or just 'hostname'?

4. Does the DNS name for the virtual interface need to be registered and active on the DNS servers?

5. If self-signed certificates are preferred, how do I change the parameters (ie, the CN) of the certificate on the controllers to remove the error messages of 'invalid hostname' by putting in a valid one?

6. Will having a valid certificate affect any other WLAN/SSID in some way (that don't have webauth)?

Thank you for your time on answering these.



Re: Certificate questions for WebAuth clients

If you have WCS you can use self-signed certificates. WCS can use templates to push the Valid AP list to controllers.

New Member

Re: Certificate questions for WebAuth clients

Thanks for the reply.

However, I still need to know the answers to at least questions 2, 3, 4 and 5 before I use self-signed certificates without the popup saying the certificates are invalid.

I already have self-signed running for my webauth SSID but I want to get rid of the error, hence the questions. The main reason being this is a campus environment so I do not have access to the client laptops; many students use their own.

Can anyone answer these please?

Re: Certificate questions for WebAuth clients

Although I don't have much experience with WCS my advice with certs is always buy one, might cost more but it's much less hassle! In answer to your questions:

1. 3rd party, go to 1 year cert, 60 bucks. Bargain and the whole process takes 20 minutes.

2. I believe the CN would need to be the fqdn,

3. See above.

4. Not as far as I know, never needed to do this for any other type of box.

5. Don't go there!

6. I'd be very surprised if it did.

Hope this helps. : )
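Questions 2 to 5 and the 'invalid hostname' warning all turn on the same check: the browser compares the host in the URL it was sent to against the names carried in the certificate. The following is an added example, not code from any poster in this thread or from Cisco: a simplified Python model of that comparison. The hostnames and the 192.0.2.1 address are constructed placeholders.

```python
import ipaddress

def _is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def name_matches(presented, requested):
    """Return True if one certificate name covers the host the browser requested."""
    presented = presented.lower().rstrip(".")
    requested = requested.lower().rstrip(".")
    if _is_ip(requested) or _is_ip(presented):
        # IP literals only match exactly, never via a wildcard or a DNS name
        return (_is_ip(requested) and _is_ip(presented) and
                ipaddress.ip_address(presented) == ipaddress.ip_address(requested))
    p_labels, r_labels = presented.split("."), requested.split(".")
    if len(p_labels) != len(r_labels):
        return False  # 'guest' does not cover 'guest.example.edu'
    if p_labels[0] == "*":
        # a wildcard covers exactly one leftmost label and needs a domain after it
        return len(p_labels) >= 3 and p_labels[1:] == r_labels[1:]
    return p_labels == r_labels

def check_portal(cert_names, url_host):
    """Report whether a browser sent to url_host would accept the certificate's names."""
    ok = any(name_matches(n, url_host) for n in cert_names)
    return "ok" if ok else "name mismatch"

# Constructed sample data: hypothetical portal names, not values from the thread.
CASES = [
    (["guest.example.edu"], "guest.example.edu"),  # FQDN in cert, FQDN in URL
    (["guest"], "guest.example.edu"),              # short hostname in cert
    (["guest.example.edu"], "192.0.2.1"),          # client redirected to an IP
    (["192.0.2.1"], "192.0.2.1"),                  # IP in cert, IP in URL
    (["*.example.edu"], "guest.example.edu"),      # wildcard certificate
    (["*.example.edu"], "a.guest.example.edu"),    # wildcard spans one label only
]

if __name__ == "__main__":
    for names, host in CASES:
        print(f"{names} vs {host}: {check_portal(names, host)}")
```

Each "name mismatch" row corresponds to a case where the client would see the certificate warning even though the certificate itself is otherwise valid.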

New Member

Re: Certificate questions for WebAuth clients

Based on the advice to 'not go there' regarding configuring the CN of a self-signed cert, I've decided to go with 3rd party.

Now a new question surfaced once I started looking into where to get one. Am I looking for a root cert or an intermediate? I'm pretty sure it's root that I'm looking for but a little extra confirmation wouldn't hurt.

Re: Certificate questions for WebAuth clients

To be honest, I don't know what they're called : )

Having said that I get my certs from All you need do is generate a Certificate Signing Request, go to the web site and work through the submission and order process pasting in your CSR when prompted. At the end of it you'll get an email with your certificate enclosed. After that the final step is to install the cert on your box. The corresponding root cert is built into Windows so no need for any installations on any client devices.

New Member

Re: Certificate questions for WebAuth clients

While the WCS runs on a Windows box, the two devices it controls (the WLC's) are where the certificates will be installed. These devices are Cisco hardware/software so they do not have Windows.

Though based on that it's looking like I need to have a root cert generated.