
Installing 3rd Party SSL Certificate on CISCO WLC

  • Author Ermias Teffera
  • Jul 28, 2015
  • 3 min read

Why do we need an SSL certificate in the first place?

The WLC runs an HTTPS server, enabled by default, for web administration and Web Policy (Web Authentication/Passthrough). It provides SSL encryption between wireless clients and the WLC to protect web authentication. The problem starts when an end user receives a security warning on triggering the web policy page on the WLC, because a Self-Signed Certificate (SSC) is installed on the WLC by default. The solution is to deploy a third-party certificate signed by a public CA.

This blog will help you install a third-party SSL certificate on a Cisco WLC.

WLC Requirements:

Wireless controller Code Version 5.1.151.0, or higher.

OpenSSL 0.9.8 (1.0.0 is not compatible at this time)

Up to level 2 certificates are supported on the WLC

1024 and 2048-bit certificates are currently supported

STEP 1: Install and open the OpenSSL application

1: If using GnuWin32 OpenSSL for Windows, open it via the command line (C:\Program Files (x86)\GnuWin32\bin)

2: Issue one of the following commands

req -new -newkey rsa:1024 -nodes -keyout mykey.pem -out myreq.pem

or

req -new -newkey rsa:2048 -nodes -keyout mykey.pem -out myreq.pem

3: Provide the requested information, including a common name that matches the DNS hostname

4: Once complete, two files are created under the bin directory:

mykey.pem – this is the key file, which will be used once the certs arrive

myreq.pem – this is the request that will be sent to the CA

Be sure to keep both.

STEP 2: Obtaining certificate from your CA

1: Log in to your certificate web portal, and provide the myreq.pem file when creating the new certificate

Note: if an optional password was used when creating the request, be sure to provide this password to the CA when submitting.

2: your CA will notify you when your certificate is ready and provide a method to download

3: when downloading the certificate, ensure that you obtain the following:

Device Certificate

Intermediate Certificate

Root Certificate

STEP 3: Changing the Certificate

1: Once you have all the certificates, copy and paste their contents into a new file in the following order

-----BEGIN CERTIFICATE-----
*Device cert*
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
*Intermediate CA cert*
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
*Root CA cert*
-----END CERTIFICATE-----

2: Save the file as All-certs.pem

3: Move the file to the directory where OpenSSL resides, so that both of these files are there:

mykey.pem

All-certs.pem

4: Open OpenSSL (via Command Line), and issue the following command

---this is converting All-certs.pem file to All-certs.p12 ---

pkcs12 -export -in All-certs.pem -inkey mykey.pem -out All-certs.p12 -clcerts -passin pass:check123 -passout pass:check123

---this is converting All-certs.p12 file to final.pem ---

pkcs12 -in All-certs.p12 -out final.pem -passin pass:check123 -passout pass:check123

5: If all is successful, you will have a file called “final.pem”. Move the file into the TFTP root directory.
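A pre-flight check for STEP 3, added here as an example and not part of the original post: it confirms that mykey.pem belongs to the first certificate in All-certs.pem and that the bundle is ordered device, intermediate, root, so it is best run before the pkcs12 commands in item 4. It assumes a POSIX shell with openssl on the PATH (Linux, macOS, WSL or Git Bash rather than the Windows command prompt used above); the function and script names are hypothetical.

```shell
#!/bin/sh
# Added example: sanity-check All-certs.pem and mykey.pem before the pkcs12 steps.
# Usage: sh check_bundle.sh All-certs.pem mykey.pem   (script name is hypothetical)

# Split a PEM bundle into cert-1.pem, cert-2.pem, ... under directory $2; print the count.
split_bundle() {
    awk -v d="$2" '/^-----BEGIN CERTIFICATE-----/ { n++ }
                   n { print > (d "/cert-" n ".pem") }
                   END { print n + 0 }' "$1"
}

# Print the subject or issuer ($2 is -subject or -issuer) without the leading label.
name_of() {
    openssl x509 -in "$1" -noout "$2" -nameopt RFC2253 2>/dev/null | sed 's/^[a-z]*= *//'
}

check_bundle() {
    bundle=$1; key=$2; rc=0
    tmp=$(mktemp -d) || return 2
    n=$(split_bundle "$bundle" "$tmp")
    if [ "$n" -lt 1 ]; then
        echo "no certificate blocks found in $bundle (check the BEGIN/END lines)"
        rm -rf "$tmp"; return 1
    fi
    # 1. The private key must belong to the first (device) certificate.
    cert_pub=$(openssl x509 -in "$tmp/cert-1.pem" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl rsa -in "$key" -pubout 2>/dev/null)
    if [ -z "$key_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "private key does not match the device certificate"; rc=1
    fi
    # 2. Each certificate must be issued by the one that follows it.
    i=1
    while [ "$i" -lt "$n" ]; do
        next=$((i + 1))
        if [ "$(name_of "$tmp/cert-$i.pem" -issuer)" != "$(name_of "$tmp/cert-$next.pem" -subject)" ]; then
            echo "certificate $i is not issued by certificate $next (wrong order?)"; rc=1
        fi
        i=$next
    done
    # 3. The last certificate must be the self-signed root.
    if [ "$(name_of "$tmp/cert-$n.pem" -issuer)" != "$(name_of "$tmp/cert-$n.pem" -subject)" ]; then
        echo "last certificate is not a self-signed root"; rc=1
    fi
    rm -rf "$tmp"
    return "$rc"
}

if [ "$#" -eq 2 ]; then check_bundle "$1" "$2"; fi
```

The check compares public keys and subject/issuer names only; it does not verify signatures or validity dates.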

STEP 4: Downloading final.pem to the WLC

1: Open your TFTP Server, and verify that final.pem is within the root directory on the server

2: Log in to your WLC via the web GUI, and choose the following path

WebGUI -> Security -> WebAuth -> Certificate

Check the box “Download SSL Certificate”

3: When ready, click Apply in the upper right.

A reboot is most likely required.

Troubleshooting Tips:

1: I experienced some issues when issuing the “req -new -newkey rsa:1024 -nodes -keyout mykey.pem -out myreq.pem” command to create the mykey.pem and myreq.pem files. I did some research and found out that my Windows was missing a file named “OpenSSL.CNF”. If you have the same problem, create the file by simply copying and pasting the following commands and saving it as such. If you don’t have this issue, go to step 2.

https://docs.oracle.com/cd/E19509-01/820-3503/ggeyz/index.html

2: OpenSSL does not generate All-Certs.p12 or final.pem:

Browse to the WebPolicy page and double-click the SSL icon in your browser to view the certificate.

 
 
 
