
New Member

Help with certificates on 2504 WLC

We have a Wireless Lan Controller 2504 and I'm trying to get a 3rd party certificate on it.

I've followed the Cisco instructions (below) and the certificate uploaded OK. However, it's not presenting the chain, and so clients still get an error. If I open the certificate on Windows then I see the full chain; however, if I look at it on a browser connected to the wifi then I don't see the chain.

Apparently in older versions of the controller software this is a known issue. However, I believe we have > v7.

http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00806e367a.shtml

Any ideas would be very much appreciated.

This is from a browser connected

[screenshot: Capture.PNG]

This is the .pem file when opened in windows

[screenshot: on windows.png]

This is the WLC version ( I assume, if I'm wrong, how do I get the WLC version? )

[screenshot: wifi version.PNG]

1 ACCEPTED SOLUTION

Accepted Solutions
Hall of Fame Super Silver

Help with certificates on 2504 WLC

Certificates these days are chained and you are looking at the wrong doc. Here is the doc for chained certificates:

http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a0080a77592.shtml

Thanks,

Scott

Help out others by using the rating system and marking answered questions as "Answered"

-Scott
*** Please rate helpful posts ***
11 REPLIES
New Member

Help with certificates on 2504 WLC

Hi

Thanks for the quick response. I ran through all the steps in that document.

Before uploading the .pem I opened it in Notepad and could see all three certificates in there. So it looks like I'm uploading a chained certificate, but only seeing the unchained one in the browser.

Hall of Fame Super Silver

Re: Help with certificates on 2504 WLC

When you open up the cert you got, make sure you export the root and the intermediates, which can be multiple intermediates. Make sure they are in the proper order as shown in the doc and finish the conversion using OpenSSL 0.9.8; don't use OpenSSL v1.0.

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***

Help with certificates on 2504 WLC

Andrew

Give this a read ...

http://www.my80211.com/home/2011/1/16/wlcgenerate-third-party-web-authentication-certificate-for-a.html

__________________________________________________________________________________________
"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
__________________________________________________________________________________________
"I'm in a serious relationship with my Wi-Fi. You could say we have a connection."

New Member

Re: Help with certificates on 2504 WLC

I'm pretty sure I've done everything right. If I import the final.pem into my Windows cert store then it chains correctly. I'm using OpenSSL 0.9.8 as it's recommended in the Cisco documentation.

George, I had a read of the link on the my80211 site, but it's basically the same info as the official Cisco one that Scott sent.

Any other ideas?

Re: Help with certificates on 2504 WLC

When you did the upload of the cert, did you do a "debug pm pki enable"?

__________________________________________________________________________________________
"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
__________________________________________________________________________________________
"I'm in a serious relationship with my Wi-Fi. You could say we have a connection."
__________________________________________________
"I'm like bacon, I make your wireless better"

New Member

Re: Help with certificates on 2504 WLC

No, I wasn't aware of that command (I don't know much about the networking side of things).

I redid the upload with that enabled and received the following:

TFTP Webauth cert transfer starting.
TFTP receive complete... Installing Certificate.
*sshpmLscTask: Jan 24 16:27:09.230: sshpmLscTask: LSC Task received a message 4
*TransferTask: Jan 24 16:28:59.152: sshpmAddWebauthCert: Extracting private key from webauth cert and using bundled pkcs12 password.
*TransferTask: Jan 24 16:29:01.430: sshpmDecodePrivateKey: calling ssh_skb_decode()...
*TransferTask: Jan 24 16:29:03.688: sshpmDecodePrivateKey: SshPrivateKeyPtr after skb_decode: 0x2df587dc
*TransferTask: Jan 24 16:29:03.688: sshpmAddWebauthCert: got private key; extracting certificate...
*TransferTask: Jan 24 16:29:03.693: sshpmAddWebauthCert: extracted binary cert;doing x509 decode
*TransferTask: Jan 24 16:29:03.693: sshpmAddWebauthCert: doing x509 decode for 1364 byte certificate...
*TransferTask: Jan 24 16:29:03.698: sshpmAddWebauthCert: freeing x509 certificate...
*TransferTask: Jan 24 16:29:03.699: sshpmAddWebauthCert: adding cert/key to id able; current/max: 5/7
*TransferTask: Jan 24 16:29:03.699: sshpmGetIdCertIndex: called to lookup cert >bsnSslWebauthCert<
*TransferTask: Jan 24 16:29:03.699: sshpmGetIdCertIndex: found match in row 4
*TransferTask: Jan 24 16:29:03.699: sshpmAddWebauthCert: deleting bsnSslWebauthCert (row 4)
*TransferTask: Jan 24 16:29:03.700: sshpmAddWebauthCert: freeing cert (fn: 0x10774260).
*TransferTask: Jan 24 16:29:03.700: sshpmAddWebauthCert: freeing key (fn: 0x11263324).
*TransferTask: Jan 24 16:29:03.700: sshpmAddWebauthCert: adding new cert to row 4 (bsnSslWebauthCert).
*TransferTask: Jan 24 16:29:03.701: sshpmAddWebauthCert: writing cert to bsnSslWebauthCert.crt
*TransferTask: Jan 24 16:29:03.701: sshpmWriteCredentialFile: called to write ; certptr 0x2eb6c378, length 1364
*TransferTask: Jan 24 16:29:03.701: sshpmAddWebauthCert: exporting private key
*TransferTask: Jan 24 16:29:03.705: sshpmAddWebauthCert: writing key to bsnSslWebauthCert.prv
*TransferTask: Jan 24 16:29:03.705: sshpmWriteCredentialFile: called to write ; certptr 0x2eb670ec, length 1190
*TransferTask: Jan 24 16:29:03.705: sshpmAddWebauthCert: Unlinking the previously created P12-PEM file webauth_p12.pem
*TransferTask: Jan 24 16:29:03.706: sshpmAddWebauthCert: Created File webauth_p12.pem
Certificate installed.

Re: Help with certificates on 2504 WLC

Did you reboot the WLC after cert install?

__________________________________________________________________________________________
"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
__________________________________________________________________________________________
"I'm in a serious relationship with my Wi-Fi. You could say we have a connection."
__________________________________________________
"I'm like bacon, I make your wireless better"

Hall of Fame Super Silver

Re: Help with certificates on 2504 WLC

Andrew,

Look at the root CA on the certificate and make sure that the root CA is also listed in the Windows machine CA trusted root. If not, then that is your issue, the CA vendor used a newer root CA to generate your certificate. This has happened to me before but the CA vendor had no problem issuing the cert from another root CA.

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***
New Member

Re: Help with certificates on 2504 WLC

Thanks, everyone, for your help. This is resolved now. A few things I learned:

1) I believe the certificate authority we were using was causing us problems. I changed CAs and it seemed better.

2) In their step 5, they say to create a text file with cert, intermediate and root. This didn't work for me; OpenSSL had issues. I just used two certs (as below) and it was fine.

   -----BEGIN CERTIFICATE-----
   *Device cert*
   -----END CERTIFICATE-----
   -----BEGIN CERTIFICATE-----
   *Intermediate CA cert*
   -----END CERTIFICATE-----
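Added example, not from this thread or from Cisco's documentation: a small Python check to run on the combined PEM before converting and uploading it. It confirms the blocks are in the order the chained-certificate doc expects (device cert, then intermediate(s), then root, each block's issuer matching the next block's subject) and that the armor uses exactly five dashes, which is the detail most often wrong in a hand-assembled file. It reads only as much DER as is needed to pull out issuer and subject; the sample chain at the bottom is constructed here for the demonstration with made-up names and is not a real certificate.

```python
import base64, re

def _tlv(buf, off=0):
    """Read one DER TLV at buf[off]; return (tag, value, bytes consumed)."""
    tag, n, hdr = buf[off], buf[off + 1], 2
    if n & 0x80:  # long-form length: the next (n & 0x7F) bytes hold the length
        k = n & 0x7F
        n, hdr = int.from_bytes(buf[off + 2:off + 2 + k], "big"), 2 + k
    return tag, buf[off + hdr:off + hdr + n], hdr + n

def _children(body):
    """Split a constructed DER body into (tag, full encoding) pairs."""
    out, off = [], 0
    while off < len(body):
        tag, _, used = _tlv(body, off)
        out.append((tag, body[off:off + used]))
        off += used
    return out

def issuer_and_subject(cert_der):
    """Raw DER encodings of (issuer, subject) from an X.509 Certificate."""
    fields = _children(_tlv(_tlv(cert_der)[1])[1])  # Certificate -> tbsCertificate fields
    if fields[0][0] == 0xA0:  # optional explicit [0] version comes first
        fields = fields[1:]
    return fields[2][1], fields[4][1]  # serial, sigAlg, ISSUER, validity, SUBJECT, ...

_PEM = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def check_chain_order(pem_text):
    """List of problems (empty = consistent). Expected order: device cert, intermediate(s), root."""
    issues = []
    if re.search(r"-{6,}(BEGIN|END) CERTIFICATE", pem_text):
        issues.append("PEM armor must use exactly five dashes")
    blocks = _PEM.findall(pem_text)
    if not blocks:
        return issues + ["no certificate blocks found"]
    certs = [issuer_and_subject(base64.b64decode("".join(b.split()))) for b in blocks]
    for i in range(len(certs) - 1):
        if certs[i][0] != certs[i + 1][1]:  # issuer of block i must be subject of block i+1
            issues.append(f"block {i + 1} was not issued by block {i + 2}: chain out of order")
    return issues

# CONSTRUCTED sample chain: structurally X.509 with empty keys/signatures, not real certificates.
def _der(tag, body): return bytes([tag, len(body)]) + body  # short-form length is enough here
def _name(cn):  # Name ::= SEQUENCE { SET { SEQUENCE { OID commonName, UTF8String } } }
    return _der(0x30, _der(0x31, _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x0C, cn.encode()))))
def toy_cert_pem(subject, issuer):
    tbs = (_der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + _der(0x30, b"")
           + _name(issuer) + _der(0x30, b"") + _name(subject) + _der(0x30, b""))
    der = _der(0x30, _der(0x30, tbs) + _der(0x30, b"") + _der(0x03, b"\x00"))
    return "-----BEGIN CERTIFICATE-----\n%s-----END CERTIFICATE-----\n" % base64.encodebytes(der).decode()

GOOD_PEM = (toy_cert_pem("wlc.example.test", "Example Intermediate CA")
            + toy_cert_pem("Example Intermediate CA", "Example Root CA") + toy_cert_pem("Example Root CA", "Example Root CA"))
```

Run it against the real final.pem with `check_chain_order(open("final.pem").read())`; an empty list means the block order is consistent and the armor is well formed.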

Hall of Fame Super Silver

Help with certificates on 2504 WLC

Interesting... I have always had to combine the device cert, the intermediate (can be two), and the root. At least you did get it working :)

Thanks,

Scott

Help out others by using the rating system and marking answered questions as "Answered"

-Scott
*** Please rate helpful posts ***