How do I install a certificate onto Cisco WLAN Controller (WLC)?

Problem

How do I install a certificate onto Cisco WLAN Controller (WLC)?

Resolution

Obtaining the Correct Files

When you download your certificate, ensure you select the PEM with chain option. In the SSL Subscriber portal, this option is at the bottom of the page. As an Administrator, you must first click the Advanced Download button.
When the file is downloaded, open it in a plain text editor (such as Notepad) and verify that the contents follow this format (three certificates in this order, each with the standard five-dash markers):
 
-----BEGIN CERTIFICATE-----
*End Entity Certificate Content*
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
*Intermediate CA Certificate Content*
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
*Root CA Certificate Content*
-----END CERTIFICATE-----
 
Note: The commands below assume the file is named pemchain.pem. Renaming it is optional, but if you keep a different name you must change the filename in the commands below to match your PEM with chain file.
If you created the CSR directly within the WLC (which also means that your WLC version is greater than 8.3.102), you can skip directly to the Uploading Your Certificate section below. If you used OpenSSL to create your CSR, you must continue with this section.
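The format check above is easy to get wrong by eye (a stray dash in a marker, certificates in the wrong order, a missing root), so here is an added example, not part of the original article or of Cisco's tooling, that checks a PEM chain file offline before it goes anywhere near the TFTP server. It verifies that every BEGIN/END marker is the exact five-dash form, that each block is valid base64 DER, that certificate N is issued by certificate N+1, and that the last certificate is self-signed (the root). With expect_key=True it also confirms that the combined mycert.pem from the OpenSSL path contains a private key block. It goes beyond the article by parsing the issuer and subject names with a minimal DER reader from the standard library only; it does not verify signatures. The certificate builder at the bottom and all names (wlc.example.net, Example Intermediate CA, Example Root CA) are constructed placeholders used only to produce sample input.

```python
"""Structural check of a PEM chain before it is handed to the WLC (added example)."""
import base64
import re

# A PEM marker is exactly five dashes on each side; the whole line must match.
BLOCK_RE = re.compile(
    r"^-----BEGIN ([A-Z ]+)-----\r?$\n(.*?)^-----END \1-----\r?$", re.S | re.M)

def _tlv(buf, pos):
    """Read one DER tag/length header at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _children(buf, start, end):
    """Yield (tag, value_start, value_end, element_start) for each element of a SEQUENCE."""
    pos = start
    while pos < end:
        tag, vs, ve = _tlv(buf, pos)
        yield tag, vs, ve, pos
        pos = ve

def names(der):
    """Return (issuer, subject) as the raw DER Name bytes of one certificate."""
    _, tbs_pos, _ = _tlv(der, 0)             # Certificate ::= SEQUENCE { tbsCertificate, ... }
    _, s, e = _tlv(der, tbs_pos)             # TBSCertificate ::= SEQUENCE { ... }
    fields = list(_children(der, s, e))
    if fields[0][0] == 0xA0:                 # optional explicit [0] version comes first
        fields = fields[1:]
    issuer, subject = fields[2], fields[4]   # serial, sigAlg, issuer, validity, subject
    return der[issuer[3]:issuer[2]], der[subject[3]:subject[2]]

def parse_pem(text):
    """Split a PEM file into (label, der_bytes) blocks, rejecting malformed markers."""
    blocks = [(m.group(1), base64.b64decode("".join(m.group(2).split()), validate=True))
              for m in BLOCK_RE.finditer(text)]
    begin_lines = sum(1 for line in text.splitlines() if "BEGIN " in line)
    if begin_lines != len(blocks):           # a BEGIN line exists that the strict pattern rejected
        raise ValueError("a BEGIN/END marker does not match '-----BEGIN <TYPE>-----'")
    return blocks

def check_chain(text, expect_key=False):
    """Return a list of problems; empty means end entity, CA(s) and root are in WLC order."""
    blocks = parse_pem(text)
    certs = [d for label, d in blocks if label == "CERTIFICATE"]
    has_key = any(label.endswith("PRIVATE KEY") for label, _ in blocks)
    problems = []
    if len(certs) < 2:
        problems.append("expected the end-entity certificate plus at least one CA certificate")
    if expect_key and not has_key:
        problems.append("combined file (OpenSSL path) has no private key block")
    pairs = [names(d) for d in certs]        # (issuer, subject) per certificate
    for i in range(len(pairs) - 1):
        if pairs[i][0] != pairs[i + 1][1]:
            problems.append(f"certificate {i} is not issued by certificate {i + 1}: order is wrong")
    if pairs and pairs[-1][0] != pairs[-1][1]:
        problems.append("last certificate is not self-signed: root CA is missing")
    return problems

# --- constructed sample data (placeholder, unsigned skeletons; not real certificates) ---
def _der(tag, content):
    n = len(content)
    if n < 128:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def _name(cn):
    """Name with a single commonName (OID 2.5.4.3) RDN."""
    atv = _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x0C, cn.encode()))
    return _der(0x30, _der(0x31, atv))

def fake_cert(subject, issuer):
    """Certificate skeleton with just enough TBSCertificate structure for names() to read."""
    tbs = (_der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01")
           + _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))
           + _name(issuer)
           + _der(0x30, _der(0x17, b"240101000000Z") + _der(0x17, b"250101000000Z"))
           + _name(subject) + _der(0x30, b""))
    return _der(0x30, _der(0x30, tbs) + _der(0x30, b"") + _der(0x03, b"\x00"))

def to_pem(label, der):
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

# The three-certificate layout the article asks you to verify, with placeholder names.
SAMPLE_CHAIN = (to_pem("CERTIFICATE", fake_cert("wlc.example.net", "Example Intermediate CA"))
                + to_pem("CERTIFICATE", fake_cert("Example Intermediate CA", "Example Root CA"))
                + to_pem("CERTIFICATE", fake_cert("Example Root CA", "Example Root CA")))

if __name__ == "__main__":
    print(check_chain(SAMPLE_CHAIN) or "chain OK")
```

To check a real download, read pemchain.pem into a string and call check_chain on it; for the mycert.pem produced by the second OpenSSL command, call check_chain(text, expect_key=True). The chain-order test compares the raw DER Name bytes rather than a printed string, which is how a verifier matches issuer to subject, so cosmetic differences in how two tools print the same name do not matter.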
 
Once you verify that the file is correct, upload it to the same directory as your mykey.key private key that you created along with the CSR.
 
You will need to run the following commands in OpenSSL to combine the files:
 
openssl>pkcs12 -export -in pemchain.pem -inkey mykey.key -out mycert.p12 -clcerts -passin pass:[password] -passout pass:[password]

openssl>pkcs12 -in mycert.p12 -out mycert.pem -passin pass:[password] -passout pass:[password]
Note: The filenames (pemchain.pem, mykey.key, mycert.p12, mycert.pem) and the [password] values in the commands above are specific to your scenario and may differ.
Note: In the commands above you must supply a password for the -passin and -passout parameters. The password given to -passout in the second command must match the certpassword parameter that you configure on the WLC.

Uploading Your Certificate

Complete these steps in order to download the chained certificate to the WLC with the CLI:
1. Move either the pemchain.pem file (for WLC CSR generation) or the mycert.pem file (for OpenSSL CSR generation) to the default directory on your TFTP server.
2. In the CLI, issue these commands in order to change the download settings:
>transfer download mode tftp
>transfer download datatype webauthcert
>transfer download serverip <TFTP server IP address>
>transfer download path <absolute TFTP server path to the update file>
>transfer download filename [filename].pem
3. Enter the password for the .pem file so that the operating system can decrypt the SSL key and certificate:
>transfer download certpassword [password]
Note: The value for certpassword must be the same as the -passout parameter you set earlier. If you used the WLC itself to generate the CSR, you can leave the certpassword field blank.
4. Issue the transfer download start command in order to view the updated settings. Then enter 'y' at the prompt in order to confirm the current download settings and start the certificate and key download.
>transfer download start
 
Mode............................................. TFTP
Data Type........................................ Site Cert
TFTP Server IP................................... 10.77.244.196
TFTP Packet Timeout.............................. 6
TFTP Max Retries................................. 10
TFTP Path........................................./
TFTP Filename.................................... [filename].pem

This might take some time.
Are you sure you want to start? (y/N) y

TFTP WLC cert transfer starting.

Certificate installed.


Reboot the switch to use new certificate.

Reboot the WLC in order for the changes to take effect.
