We have a customer that has a need to get rid of the Security Warning users see each time they log onto the Guest Wireless and go to use the internet. I believe the best way to do this is to install a 3rd party certificate. I found this link:
It worked for me with one MAJOR caveat. That document doesn't mention what to do with a chained certificate. I think that all the newly-issued 3rd Party certs are chained.
In my limited PKI understanding, a chained cert comes from an intermediate CA, not the root. Therefore, in order to use a chained cert, the controller has to have three certs loaded: the root, the intermediate, and the device cert. I can't find the URL, but google "chained cert openssl" and I think you can figure out how to create the chain. If I remember correctly, you download the root and intermediate from the 3rd party cert provider, and just tack the device cert and private key onto the end of the file (assuming all files are in the same format, which I think needs to be PEM format). We used Entrust, and that's what I had to do. The only thing I can't recall for sure is the order of entries in the file: root->intermediate->device, or device->intermediate->root.
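As an added example (not from this thread, and not Cisco's or Entrust's tooling), the POSIX shell helper below assembles the bundle in the leaf-first order that TLS chains use: device certificate, then the intermediate, then the root, then the private key. It checks that each input is a single PEM block, guards against a missing trailing newline gluing two blocks together, and, when openssl is installed, confirms that the intermediate and root actually sign the device certificate before anything is uploaded. All file names are placeholders; confirm the expected order against your controller's own documentation.

```shell
#!/bin/sh
# Assemble the single PEM bundle a controller wants for a chained certificate.
# Order used here: device (leaf) cert, intermediate, root, then the private key.
# Leaf-first is the TLS chain order: the server presents its own certificate
# first and each following certificate is the issuer of the one before it.
# All file names below are placeholders; inputs must already be PEM.

# Number of CERTIFICATE blocks in FILE (prints 0 when there are none).
pem_cert_count() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Succeed only if FILE holds exactly one certificate block.
is_pem_cert() {
    [ "$(pem_cert_count "$1")" -eq 1 ]
}

# Succeed only if FILE holds a PEM private key (PKCS#8, RSA or EC header).
is_pem_key() {
    grep -q -E -- '-----BEGIN (RSA |EC )?PRIVATE KEY-----' "$1"
}

# Copy FILE to stdout, guaranteeing a trailing newline so the next
# -----BEGIN line does not get glued onto the previous -----END line.
cat_nl() {
    cat "$1"
    [ -z "$(tail -c 1 "$1")" ] || echo
}

# build_chain LEAF INTERMEDIATE ROOT KEY OUT
# Validates each input, then writes OUT in leaf -> intermediate -> root -> key order.
build_chain() {
    leaf=$1 inter=$2 root=$3 key=$4 out=$5
    for f in "$leaf" "$inter" "$root"; do
        is_pem_cert "$f" || { echo "build_chain: not a single PEM certificate: $f" >&2; return 1; }
    done
    is_pem_key "$key" || { echo "build_chain: not a PEM private key: $key" >&2; return 1; }
    { cat_nl "$leaf"; cat_nl "$inter"; cat_nl "$root"; cat_nl "$key"; } > "$out"
    # Post-condition: exactly three certificate blocks landed in the bundle.
    [ "$(pem_cert_count "$out")" -eq 3 ]
}

# chain_order FILE: print the line number and type of every PEM block, so the
# order can be eyeballed before upload.
chain_order() {
    grep -n -- '-----BEGIN ' "$1"
}

# verify_chain LEAF INTERMEDIATE ROOT: ask openssl whether ROOT (trusted) and
# INTERMEDIATE (untrusted helper) actually sign LEAF. Needs openssl installed.
verify_chain() {
    command -v openssl >/dev/null 2>&1 || { echo "verify_chain: openssl not found" >&2; return 2; }
    openssl verify -CAfile "$3" -untrusted "$2" "$1"
}

# Example invocation (placeholder names):
#   build_chain device.pem intermediate.pem root.pem device.key final.pem \
#     && verify_chain device.pem intermediate.pem root.pem \
#     && chain_order final.pem
```

If `verify_chain` passes but browsers still warn after the upload, the chain file is usually fine and the problem is on the client side: the device is trusting the root but has never seen the intermediate, which is exactly why the intermediate has to travel in the bundle rather than be assumed present on the client.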
Be glad your customer is already on 22.214.171.124. 126.96.36.199 does not support chained certs.
Oh - one other "gotcha": make sure the clients also trust the intermediate CA. If they don't trust the root and the intermediate CA, then users will still get the security warning in their browser.
"There are two ways to eliminate the WLC cert prompt when clients are connecting to a web auth WLAN:
1. Download a trusted 3rd-party cert into the WLC as described by the link you referred to (Document ID: 70584). The documentation is pretty thorough and will provide step-by-step instructions. WLC 188.8.131.52 only supported unchained certs; WLC 184.108.40.206 or later releases support chained certs.
2. Alternatively, HTTPS can be disabled and clients will then be redirected from the WLC via HTTP only and no certificates will be used.
However, HTTPS will also be disabled for WLC management and security will be compromised."
Looks like 4.2.176 doesn't even support chained certificates.
I use RapidSSL for most of my deployments when it comes to getting rid of the certificate error. They issue a root CA cert, so it is not chained. I would also suggest you get at least a 3 year cert so you don't have to worry about it for a while. It is also a trusted CA:
Equifax Secure Global eBusiness CA-1
Here is a simple text file I put together for some of my peers.
According to the original bug report, the chained cert issue was "Fix in" in 220.127.116.11 and higher, although the bug report still lists that solution as "Upgrade to controller version 18.104.22.168 or higher".
I am 98% sure that I successfully set up and tested a chained SSL cert from GoDaddy for web auth on a 22.214.171.124 controller earlier this year because our cert provider stopped issuing unchained certs (I could very well be wrong!). From another reply in this thread, it looks like Geotrust still issues unchained certs, so that may be the quickest route for the OP.
The release notes for 126.96.36.199 indicate an open caveat:

CSCsq13174 - Web authentication device certificates cannot contain the Certificate Authority (CA) roots chained to the device certificate. However, device certificates should be able to be downloaded as chained certificates (up to a level of two).
There is a new doc for loading chained certs on a WLC (it concurs with your 188.8.131.52 comment above, and it was updated in February of this year):