Creating ROOT-CA-based certificates for Cisco Wireless Controller
Based on Cisco's documentation "Generate CSR for Third-Party Certificates and Download Chained Certificates to the WLC", I am creating a ROOT-CA-based certificate for my Cisco 2504 Wireless Controller. Note: there are some pitfalls that need to be considered before rolling out ROOT-CA-based certificates:
- With WLC version 8.3.102 the CSR can be created on the WLC itself
- With WLC versions below 8.3 the CSR must be created manually with OpenSSL
- Maximum key size is 2048 bits
- CA-generated certificates with SHA2 work as of version 7.0.250
- After the import of the ROOT-CA-signed certificate, the WLC needs a reboot
So I'm creating a Certificate Signing Request (CSR) for the WLC with OpenSSL.

Then I'm uploading the CSR to the virtual machine that the Root-CA is running on.
As Root-CA I'm using a Debian GNU/Linux system with Xca (X Certificate and Key management) installed. It's important to export the signed certificate together with the complete certificate chain.

Before the certificate can be imported on the WLC, the certificate chain and the private key must be combined into a single final.pem file.
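As an added example (not part of the original post, and not Cisco's or Xca's code), the script below walks through the OpenSSL side of the procedure end to end: the 2048-bit key and CSR for the controller, signing by a throw-away OpenSSL root and issuing CA that stands in for the Xca CA on the VM, assembly of final.pem the way Cisco's guide does it (certificate chain plus key through a PKCS#12 round trip), and a few checks on the result before anything is uploaded. The hostname wlc.example.internal, the password wlc-lab-pass, the subject fields and the 30-day lifetimes are assumed lab values; the file names mykey.pem, myreq.pem, All-certs.pem and final.pem follow Cisco's guide.

```shell
#!/bin/sh
# Lab version of the OpenSSL steps: key + CSR for the WLC, signing by a
# stand-in root CA, assembling final.pem, and pre-upload checks.
# Assumptions (mine, not from the post or Cisco's guide): a throw-away OpenSSL
# root/issuing CA replaces the Xca CA on the VM, the controller hostname is
# wlc.example.internal, and "wlc-lab-pass" stands in for the real password.

WLC_CN="wlc.example.internal"   # assumed controller hostname
CERT_PASS="wlc-lab-pass"        # must equal 'transfer download certpassword' on the WLC

# 1. RSA key (2048 bits, the WLC maximum) and CSR for the controller.
make_csr() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$1/mykey.pem" -out "$1/myreq.pem" \
        -subj "/C=DE/O=Lab/CN=$WLC_CN" >/dev/null 2>&1
}

# 2. Stand-in for the Xca root CA: self-signed root, an issuing CA under it,
#    and the WLC CSR signed by the issuing CA with SHA-256.
sign_with_lab_ca() {
    d="$1"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/root.ext"
    printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/issuing.ext"
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' "$WLC_CN" > "$d/wlc.ext"
    openssl req -new -newkey rsa:2048 -nodes -keyout "$d/root.key" -out "$d/root.csr" \
        -subj "/C=DE/O=Lab/CN=Lab Root CA" >/dev/null 2>&1 || return 1
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 30 -sha256 \
        -extfile "$d/root.ext" -out "$d/root.pem" >/dev/null 2>&1 || return 1
    openssl req -new -newkey rsa:2048 -nodes -keyout "$d/intermediate.key" -out "$d/intermediate.csr" \
        -subj "/C=DE/O=Lab/CN=Lab Issuing CA" >/dev/null 2>&1 || return 1
    openssl x509 -req -in "$d/intermediate.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -days 30 -sha256 -extfile "$d/issuing.ext" \
        -out "$d/intermediate.pem" >/dev/null 2>&1 || return 1
    openssl x509 -req -in "$d/myreq.pem" -CA "$d/intermediate.pem" -CAkey "$d/intermediate.key" \
        -CAcreateserial -days 30 -sha256 -extfile "$d/wlc.ext" \
        -out "$d/device.pem" >/dev/null 2>&1
}

# 3. Chain in the order device -> intermediate -> root, then bundle it with the
#    key through a PKCS#12 round trip (as in Cisco's guide). The export password
#    protects the key inside final.pem; the WLC decrypts it with certpassword.
build_final_pem() {
    cat "$1/device.pem" "$1/intermediate.pem" "$1/root.pem" > "$1/All-certs.pem"
    openssl pkcs12 -export -in "$1/All-certs.pem" -inkey "$1/mykey.pem" \
        -out "$1/All-certs.p12" -passout "pass:$CERT_PASS" >/dev/null 2>&1 || return 1
    openssl pkcs12 -in "$1/All-certs.p12" -out "$1/final.pem" \
        -passin "pass:$CERT_PASS" -passout "pass:$CERT_PASS" >/dev/null 2>&1
}

# 4. Checks worth running before the file goes anywhere near the controller.
check_key_size() {         # WLC limit is 2048 bits
    openssl pkey -in "$1/mykey.pem" -noout -text 2>/dev/null | grep -q '(2048 bit'
}
check_chain() {            # device cert validates against the root via the intermediate
    openssl verify -CAfile "$1/root.pem" -untrusted "$1/intermediate.pem" "$1/device.pem" >/dev/null 2>&1
}
check_key_matches_cert() { # the signed cert really belongs to mykey.pem
    [ "$(openssl x509 -in "$1/device.pem" -noout -pubkey)" = \
      "$(openssl pkey -in "$1/mykey.pem" -pubout 2>/dev/null)" ]
}
count_certs_in_final() {   # expect 3: device, intermediate, root
    grep -c 'BEGIN CERTIFICATE' "$1/final.pem"
}
check_final_key() {        # key is stored encrypted and opens with CERT_PASS
    grep -q 'ENCRYPTED PRIVATE KEY' "$1/final.pem" &&
    openssl pkey -in "$1/final.pem" -passin "pass:$CERT_PASS" -noout >/dev/null 2>&1
}

# Runs all steps in a temp directory; prints the directory on success.
run_lab() {
    d="$(mktemp -d)" || return 1
    make_csr "$d" && sign_with_lab_ca "$d" && build_final_pem "$d" || return 1
    check_key_size "$d" && check_chain "$d" && check_key_matches_cert "$d" &&
        check_final_key "$d" && [ "$(count_certs_in_final "$d")" -eq 3 ] || return 1
    printf '%s\n' "$d"
}

if lab="$(run_lab)"; then
    echo "final.pem ready in $lab; upload it with 'transfer download certpassword $CERT_PASS'"
else
    echo "lab run failed" >&2
    exit 1
fi
```

The password given to -passout is the one that must later be entered as transfer download certpassword; if the two differ, the controller cannot decrypt the key inside final.pem. The checks catch problems that would otherwise show up only after the import and reboot: a key larger than 2048 bits, a device certificate that does not validate up to the root, and a certificate that does not belong to the uploaded key. Once the controller is back up, the chain check can be repeated against the live service with openssl s_client -connect <wlc-ip>:443 -showcerts.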

Then I’m importing the final.pem file into the Wireless Controller.
(Cisco Controller) >transfer download mode tftp
(Cisco Controller) >transfer download datatype webadmincert
(Cisco Controller) >transfer download serverip x.x.x.x
(Cisco Controller) >transfer download path /
(Cisco Controller) >transfer download filename final.pem
(Cisco Controller) >transfer download certpassword xxxxxx
(Cisco Controller) >transfer download start
If a certificate for a guest portal is required, it can be installed with the following command:
(Cisco Controller) >transfer download datatype webauthcert
After the restart of the Wireless Controller I verify that the certificate is working as expected.
