Creating ROOT-CA-based certificates for Cisco Wireless Controller

Based on Cisco's documentation, "Generate CSR for Third-Party Certificates and Download Chained Certificates to the WLC", I am creating a ROOT-CA-based certificate for my Cisco 2504 Wireless Controller. Note: there are some pitfalls which need to be considered before rolling out ROOT-CA-based certificates:

With WLC version 8.3.102 the CSR can be created on the WLC
With WLC versions below 8.3 the CSR must be created manually with OpenSSL
Maximum key size of 2048 bits
CA-generated certificates with SHA2 with version 7.0.250
After import of the ROOT-CA-signed certificate, the WLC needs a reboot

So I'm creating a Certificate Signing Request (CSR) for the WLC with OpenSSL.

Wireless Controller Certificate sign request


Then I'm uploading the CSR to the virtual machine on which the Root-CA is "running". As Root-CA I'm using Debian GNU/Linux with Xca (X - Certificate and Key management) installed. It's important to export the signed certificate with the complete certificate chain.

Export signed certificate including complete certificate chain


Before the certificate can be imported on the WLC, the certificates (chain) and key must be combined into a final.pem file.

Combine everything into a final.pem file
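The steps described above (CSR, signing, complete chain, final.pem) as an added example that is not part of the original post. A throwaway OpenSSL root CA stands in for Xca, the host name, file names and password are constructed, and combining via a PKCS#12 round trip is an assumption, since the original screenshot of that step is not on the page. It also checks final.pem against the pitfalls listed above before anything is transferred to the controller.

```shell
#!/bin/sh
# Added example (lab only). Constructed values: CA name, host name, file names, password.
set -eu

build_final_pem() {   # $1 = work dir, $2 = WLC host name, $3 = certificate password
    dir=$1; cn=$2; pw=$3
    # Throwaway root CA standing in for the Xca-managed Root-CA.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -subj "/CN=Example Lab Root CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
    # 1. Key and CSR for the controller; 2048 bits is the maximum key size.
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$cn" \
        -keyout "$dir/wlc.key" -out "$dir/wlc.csr" 2>/dev/null
    # 2. Sign the CSR with SHA-2 (the step done in Xca).
    openssl x509 -req -sha256 -days 30 -in "$dir/wlc.csr" \
        -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/wlc.pem" 2>/dev/null
    # 3. Complete chain: device certificate first, issuing CA(s) after it, root last.
    cat "$dir/wlc.pem" "$dir/ca.pem" > "$dir/all-certs.pem"
    # 4. Chain + key into PKCS#12, then back out as one password-protected PEM.
    openssl pkcs12 -export -in "$dir/all-certs.pem" -inkey "$dir/wlc.key" \
        -out "$dir/all-certs.p12" -passout "pass:$pw"
    openssl pkcs12 -in "$dir/all-certs.p12" -out "$dir/final.pem" \
        -passin "pass:$pw" -passout "pass:$pw" 2>/dev/null
}

count_certs() { grep -c 'BEGIN CERTIFICATE' "$1"; }

key_matches_cert() {   # $1 = final.pem, $2 = password
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
    key_pub=$(openssl pkey -in "$1" -passin "pass:$2" -pubout)
    [ "$cert_pub" = "$key_pub" ]
}

check_final_pem() {   # $1 = final.pem, $2 = password, $3 = root CA certificate
    text=$(openssl x509 -in "$1" -noout -text)
    echo "$text" | grep -q 'Public-Key: (2048 bit)' || return 1
    echo "$text" | grep -q 'Signature Algorithm: sha256WithRSAEncryption' || return 1
    [ "$(count_certs "$1")" -ge 2 ] || return 1
    key_matches_cert "$1" "$2" || return 1
    openssl verify -CAfile "$3" "$1" >/dev/null 2>&1
}

work=$(mktemp -d)
build_final_pem "$work" wlc.example.test check123-example
check_final_pem "$work/final.pem" check123-example "$work/ca.pem" && echo "final.pem OK"
```

The password given to the two pkcs12 commands is the one later entered with `transfer download certpassword`; delete the unencrypted wlc.key and the working directory once final.pem has been installed.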

Then I'm importing the final.pem file into the Wireless Controller.


(Cisco Controller) >transfer download mode tftp
(Cisco Controller) >transfer download datatype webadmincert
(Cisco Controller) >transfer download serverip x.x.x.x
(Cisco Controller) >transfer download path /
(Cisco Controller) >transfer download filename final.pem
(Cisco Controller) >transfer download certpassword xxxxxx
(Cisco Controller) >transfer download start
Installing Web Admin Certificate on Wireless Controller

If a certificate for a guest portal is required, it can be installed with the following command:


(Cisco Controller) >transfer download datatype webauthcert
Installing Web Authentication Certificate on Wireless Controller

After the restart of the Wireless Controller I am verifying if the certificate is working as expected.

Wireless Controller Verify certificate in web browser
