Based on Cisco’s documentation at Generate CSR for Third-Party Certificates and Download Chained Certificates to the WLC I am creating a ROOT-CA-based certificate for my Cisco 2504 Wireless controller. Note: There are some pitfalls which needs to be considered before rolling out ROOT-CA-based certificates:
With WLC version 8.3.102 the CSR can be created on the WLC
With WLC version below 8.3 the CSR must be created manually with OpenSSL
Maximum key size of 2.048 bits
CA generated certificates with SHA2 with version 7.0.250
After import of the ROOT-CA signed certificate, the WLC need a reboot
So I’m creating for the WLC a Certificate Signing Request (CSR) with OpenSSL.
Then I’m uploading the CSR on my Virtual Machine where the Root-CA is “running” on.
As Root-CA I’m using a GNU/Debian Linux with Xca (X - Certificate and Key management) installed. It’s important to export the signed certificate with the complete certificate chain.
Before the certificate can imported on the WLC, the certificates (chain) and key must be combined into a final.pem file.
Then I’m importing the final.pem file into the Wireless Controller.
If a certificate for a guest portal is required, it can be installed with the following command:
After the restart of the Wireless Controller I am verifying if the certificate is working as expected.