thierolf.org - From brain to terminal since 1998.

Creating ROOT-CA-based certificates for Cisco Wireless Controller

Based on Cisco’s documentation, “Generate CSR for Third-Party Certificates and Download Chained Certificates to the WLC”, I am creating a ROOT-CA-based certificate for my Cisco 2504 Wireless Controller. Note: There are some pitfalls which need to be considered before rolling out ROOT-CA-based certificates:

So I’m creating a Certificate Signing Request (CSR) for the WLC with OpenSSL.

Wireless Controller Certificate sign request

Then I’m uploading the CSR to the virtual machine on which my Root-CA is “running”.

As Root-CA I’m using a Debian GNU/Linux system with Xca (X - Certificate and Key management) installed. It’s important to export the signed certificate with the complete certificate chain.

Export signed certificate including complete certificate chain

Before the certificate can be imported on the WLC, the certificates (chain) and key must be combined into a final.pem file.

Combine everything into a final.pem file

Then I’m importing the final.pem file into the Wireless Controller.


    (Cisco Controller) >transfer download mode tftp
    (Cisco Controller) >transfer download datatype webadmincert
    (Cisco Controller) >transfer download serverip x.x.x.x
    (Cisco Controller) >transfer download path /
    (Cisco Controller) >transfer download filename final.pem
    (Cisco Controller) >transfer download certpassword xxxxxx
    (Cisco Controller) >transfer download start

If a certificate for a guest portal is required, it can be installed with the following command:


    (Cisco Controller) >transfer download datatype webauthcert

After the restart of the Wireless Controller I am verifying whether the certificate is working as expected.

Wireless Controller Verify certificate in web browser
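The CSR, signing and final.pem steps above, as an added example that is not part of the original post: a throwaway OpenSSL root CA stands in for Xca, and the host name, file names and password are constructed. It assumes the chain order device certificate first, root CA last, and checks that order and the key match before the file is uploaded.

```bash
#!/usr/bin/env bash
# Added example; the lab CA, host name, file names and password are constructed.

# Throwaway root CA plus WLC key, CSR and signed certificate (stands in for Xca).
make_lab_pki() {  # $1 = working directory
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Lab Root CA" \
    -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null &&
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=wlc.example.test" \
    -keyout "$1/wlc.key" -out "$1/wlc.csr" 2>/dev/null &&
  openssl x509 -req -in "$1/wlc.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
    -CAcreateserial -days 30 -out "$1/wlc.pem" 2>/dev/null
}

# Chain order: device certificate first, root CA last. The key is attached via a
# PKCS#12 round trip, so final.pem carries it encrypted with the password.
build_final_pem() {  # $1 = working directory, $2 = password
  cat "$1/wlc.pem" "$1/ca.pem" > "$1/All-certs.pem" &&
  openssl pkcs12 -export -in "$1/All-certs.pem" -inkey "$1/wlc.key" \
    -out "$1/All-certs.p12" -passout "pass:$2" 2>/dev/null &&
  openssl pkcs12 -in "$1/All-certs.p12" -out "$1/final.pem" \
    -passin "pass:$2" -passout "pass:$2" 2>/dev/null
}

# Check before upload: each certificate is issued by the next one, the last one
# is self-signed (complete chain), and the key matches the first certificate.
check_final_pem() {  # $1 = final.pem, $2 = password; returns 0 when consistent
  local t n i iss subj want
  t=$(mktemp -d) || return 2
  n=$(awk -v p="$t/c" '/-----BEGIN CERTIFICATE-----/{n++; on=1}
        on{print > (p n ".pem")} /-----END CERTIFICATE-----/{on=0}
        END{print n+0}' "$1")
  [ "$n" -ge 2 ] || { rm -rf "$t"; return 1; }
  for i in $(seq 1 "$n"); do
    iss=$(openssl x509 -in "$t/c$i.pem" -noout -issuer -nameopt RFC2253)
    [ "$i" -lt "$n" ] && want=$((i + 1)) || want=$i
    subj=$(openssl x509 -in "$t/c$want.pem" -noout -subject -nameopt RFC2253)
    [ "${iss#issuer=}" = "${subj#subject=}" ] || { rm -rf "$t"; return 1; }
  done
  [ "$(openssl x509 -in "$t/c1.pem" -noout -pubkey)" = \
    "$(openssl pkey -in "$1" -passin "pass:$2" -pubout 2>/dev/null)" ]
  i=$?; rm -rf "$t"; return $i
}

# Demo run in a temporary directory.
d=$(mktemp -d) && make_lab_pki "$d" && build_final_pem "$d" "constructed-pw" &&
  check_final_pem "$d/final.pem" "constructed-pw" && echo "final.pem is consistent"
```

The same `check_final_pem` call works on a final.pem built from an Xca export, given the password that was set when the file was combined.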