Cisco Support Community
New Member

WLC 4402 - Chained webauth certificate installation fails

I'm trying to install a webauth certificate -- it works fine when unchained, however once I add the additional information the installation fails.  I am using the same root and intermediate certificate information as last year, and it worked fine then.  I can recreate last year's pem file with the chained information and it installs fine, so it's only when I include the new device certificate information that it fails. The certificate installs fine when it's not chained, I'm not receiving any openssl errors, and I'm not using openssl 1.0. 

Here's what I have done per Cisco documented instructions:

  1. Create CSR and key. 
  2. Convert key (openssl rsa -in ssl.key -out ssl.key)
  3. Create and download certificate.
  4. Edit certificate to include intermediate and root.
  5. Create p12 certificate (openssl pkcs12 -export -in ssl.crt -inkey ssl.key -out final.p12 -clcerts -passin pass:check123 -passout pass:check123)
  6. Create final.pem certificate (openssl pkcs12 -in final.p12 -out final.pem -passin pass:check123 -passout pass:check123)

If I leave out step 4 I can successfully create an unchained certificate and upload it.  Once I include step 4, the WLC fails to install.

I have attached the output from debug pm pki enable when the installation fails.  All certificate information and files will be made available upon request.

Thanks in advance!


Hall of Fame Super Silver

WLC 4402 - Chained webauth certificate installation fails

If it's a new certificate, you might want to verify if they used a different root CA to sign the certificate.  Open the certificate on your PC and view the root certificate.  You can extract both the intermediate and the root and use that along with your new device certificate.

*** Please rate helpful posts ***
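
A way to run the check the reply suggests against the chained PEM before uploading it, added here as an example (not from the thread or from Cisco documentation): it walks the bundle in file order and confirms each certificate's issuer is the subject of the next one, ending in a self-signed root. The function name `check_chain` is an assumption, and the check compares issuer and subject name hashes only; it does not verify signatures.

```shell
#!/bin/sh
# check_chain BUNDLE.pem   (hypothetical helper name, not a Cisco or OpenSSL tool)
# Expects the order device cert, intermediate(s), root. Returns 0 when every
# issuer matches the next subject, 1 at the first broken link, 2 if no certs.
check_chain() {
    bundle=$1
    dir=$(mktemp -d) || return 2
    # Write each CERTIFICATE block to its own file. Private key blocks and the
    # "Bag Attributes" text found in pkcs12 output are skipped.
    count=$(awk -v dir="$dir" '
        /-----BEGIN CERTIFICATE-----/ { n++; on = 1 }
        on { print > (dir "/" n ".pem") }
        /-----END CERTIFICATE-----/   { on = 0 }
        END { print n + 0 }
    ' "$bundle")
    rc=0
    [ "$count" -gt 0 ] || { echo "no certificates found in $bundle"; rc=2; }
    i=1
    while [ "$i" -le "$count" ] && [ "$rc" -eq 0 ]; do
        cur="$dir/$i.pem"
        echo "cert $i: $(openssl x509 -in "$cur" -noout -subject)"
        issuer=$(openssl x509 -in "$cur" -noout -issuer_hash)
        if [ "$i" -lt "$count" ]; then
            # Issuer of this certificate must be the subject of the next one.
            next=$(openssl x509 -in "$dir/$((i + 1)).pem" -noout -subject_hash)
            what="cert $((i + 1))"
        else
            # The last certificate in the bundle must be a self-signed root.
            next=$(openssl x509 -in "$cur" -noout -subject_hash)
            what="itself (bundle does not end in a self-signed root)"
        fi
        if [ "$issuer" != "$next" ]; then
            echo "BREAK: cert $i was not issued by $what"
            echo "       $(openssl x509 -in "$cur" -noout -issuer)"
            rc=1
        fi
        i=$((i + 1))
    done
    rm -rf "$dir"
    return "$rc"
}

# Run against a file when one is given on the command line.
if [ -n "${1:-}" ]; then
    check_chain "$1"
fi
```

A `BREAK` on cert 1 means the new device certificate was issued by a different CA than the intermediate placed after it in the file.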