Cisco Wireless LAN Controllers (WLCs) have an internal HTTPS server which is enabled by default for web administration and for web policy (web authentication).
It provides SSL/TLS encryption between wireless clients and the WLC so that web authentication credentials are not sent in clear text.
The Problem:
End users receive a security warning when they open the web policy page on the WLC (the guest login page), because the controller ships with a self-signed certificate that no client trusts.
You can accept the warning and carry on, but this concerns guest users, and teaching them to click through certificate warnings on a captive portal is exactly the habit a rogue access point with a look-alike login page relies on.
The Solution:
You can either disable HTTPS for web authentication (not a good idea, as any credentials entered will then be passed in clear text),
or you can deploy a third-party certificate signed by a public certificate authority that the guest devices already trust.
This tutorial explains how to install a third-party SSL certificate on a Cisco WLC for guest web authentication.
1# Generate CSR using OpenSSL
The first step in the process is to generate a Certificate Signing Request (CSR), which is what you send off to the Certificate Authority to purchase your signed certificate. The CSR contains only your public key and identity details; the private key never leaves your machine.
You will need to ensure your wireless LAN controller is running code version 5.1.151.0 or higher, as earlier releases do not support chained certificates.
You will also need a copy of OpenSSL.
OpenSSL 0.9.8 is the version Cisco recommended; as of WLC release 7.5, support for certificates generated using OpenSSL 1.0 was also added.
(Refer to Cisco bug ID CSCti65315 – Need Support for certificates generated using OpenSSL v1.0).
For this tutorial I will be using version 0.9.8 and running it on Windows 7, as that is what I currently have installed on my laptop.
You can download OpenSSL for Windows from here and for Linux from here.
Once you have installed OpenSSL navigate to where you installed it; for me that is C:\openssl.
Change directory to the bin folder and start OpenSSL by typing openssl. This leaves you at the OpenSSL> prompt, where the commands below are entered without the leading openssl word.
Next issue the following command (-newkey rsa:2048 generates a new 2048-bit RSA key, -nodes writes it unencrypted to mykey.pem, and -out writes the request to myreq.pem):
req -new -newkey rsa:2048 -nodes -keyout mykey.pem -out myreq.pem
At this point you might get this error:
unable to load config info from /usr/local/ssl/openssl.cnf
This means OpenSSL could not find its configuration file. To fix this you can download a sample openssl.cnf file from here.
Save the file in C:\openssl
Then run the command to generate the CSR again but this time specifying the full path to the openssl.cnf file
req -new -newkey rsa:2048 -nodes -keyout mykey.pem -out myreq.pem -config C:\openssl\openssl.cnf
OpenSSL will now prompt you for the fields that make up the certificate subject.
Yours will be specific to your company.
Country Code: GB
State or Province Name: (I skipped this one)
Locality Name: London
Organization Name: the legal name of the company for which you need the certificate. The CA validates this against the domain's registration, so use the exact registered company name (a WHOIS lookup of your external domain shows it).
Organizational Unit Name: IT (I always put IT in here)
Common Name: this is the important one.
The common name must be exactly the DNS name that you have specified on the virtual interface of the wireless controller, because the browser compares the name in the redirect URL with the name in the certificate.
e.g. guest-wireless.companyname.com
Note that current browsers match the hostname against the Subject Alternative Name (SAN) extension rather than the Common Name; public CAs add the Common Name to the SAN automatically, but check that the certificate you receive carries it.
Email Address: (email of the person responsible for certificates)
You will then be asked for an optional challenge password and optional company name. These are extra CSR attributes that the WLC does not use, so just hit Enter to skip them.
You should now be back at the OpenSSL> prompt and you should have 2 files in your C:\openssl\bin folder,
in my case myreq.pem and mykey.pem.
myreq.pem is the request that will be sent to the CA.
mykey.pem is the private key, which will be used once the cert arrives. Because of -nodes it is stored unencrypted, so keep it on the machine you generated it on and never send it to the CA or anyone else; if it is lost you have to start again with a new CSR.
Now you need to purchase your SSL certificate. There are many suppliers out there, and if you want to try this out several offer a free certificate valid for up to 90 days.
This is perfect if you want to test the process before spending any money; if it works you can purchase a longer-lived certificate (up to 3 years at the time of writing; publicly trusted certificates are now limited to 398 days, so plan for regular renewals).
I have been using Comodo – https://ssl.comodo.com/free-ssl-certificate.php
You just need to open the myreq.pem file with Notepad and paste the contents into the CA's certificate request form.
You need to copy all the text, including the BEGIN and END lines, which will look like this:
-----BEGIN CERTIFICATE REQUEST-----
MIIDUDCCArkCAQAwdTEWMBQGA1UEAxMNdGVzdC50ZXN0LmNvbTESMBAGA1UECxMJ
TWFya2V0aW5nMREwDwYDVQQKEwhUZXN0IE9yZzESMBAGA1UEBxMJVGVzdCBDaXR5
(data removed for security)
Rq+blLr5X5iQdzyF1pLqP1Mck5Ve1eCz0R9/OekGSRno7ow4TVyxAF6J6ozDaw7e
GisfZw40VLT0/6IGvK2jX0i+t58RFQ8WYTOcTRlPnkG8B/uV
-----END CERTIFICATE REQUEST-----
Chaining your certificates
When you receive your signed certificates back from the certificate authority you have to chain them together. You should receive 3 or 4 files:
- Device Certificate (issued to your common name)
- Intermediate Certificate (one or more)
- Root Certificate
In the case of Comodo I received 4 files.
The device certificate was the guestwireless_rogerperkin_co_uk file.
The intermediates were both of the Comodo files.
The root certificate was the AddTrustExternalCARoot file.
If you are unsure which file is which, open each one and compare its Subject and Issuer (double-click the file on Windows, or at the OpenSSL> prompt run x509 -in filename -noout -subject -issuer): the device certificate's issuer is the intermediate, the intermediate's issuer is the root, and the root is issued to itself. Failing that, the CA's tech support are usually very helpful.
Create All-certs.pem file
Now you need to open each file in turn in the order Device, Intermediate(s) and Root and paste them into one document as below. Every block must be a CERTIFICATE block; do not paste the CSR, whose header reads CERTIFICATE REQUEST.
-----BEGIN CERTIFICATE-----
** Device Cert Info **
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
** Intermediate Cert Info **
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
** Root Cert Info **
-----END CERTIFICATE-----
Now save this file as All-certs.pem (the name used in the OpenSSL commands below).
GoDaddy SSL Certificates
For information, if you use godaddy.com you will receive back 2 files: a root certificate and a combined certificate.
You need to copy the contents of the combined cert into Notepad followed by the root, and save this file as All-certs.pem.
Whichever CA you use, you will end up with a file called All-certs.pem.
Move this file into the C:\openssl\bin folder, where you should still have the mykey.pem file.
Now go back into OpenSSL so you are at the OpenSSL> prompt again.
Now enter the following command, which packages the certificate chain and the private key together into a PKCS#12 file:
pkcs12 -export -in All-certs.pem -inkey mykey.pem -out All-certs.p12 -clcerts -passin pass:check123 -passout pass:check123
Followed by this command, which converts it back into a single PEM file with the private key encrypted under the same password:
pkcs12 -in All-certs.p12 -out final.pem -passin pass:check123 -passout pass:check123
You should get a MAC verified OK message at the end.
You now have your final SSL certificate called final.pem, containing the chain and the encrypted private key, which you need to upload to the WLC.
NOTE: check123 is a password and can be any value you want (pick something better than the example). The WLC uses it to decrypt the private key, so you will be asked for it when uploading the certificate to the WLC. If the export step fails with "No certificate matches private key", you have the wrong mykey.pem or pasted the wrong device certificate into All-certs.pem.
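The whole OpenSSL part of this procedure as one script, added here as an example (it is not from the original tutorial or from Cisco): a POSIX shell script that runs the same commands end to end, with a locally generated root and intermediate CA standing in for Comodo, and adds the three checks worth running before the upload: that All-certs.pem holds certificates (not the CSR) in device, intermediate, root order, that the chain verifies, and that mykey.pem belongs to the device certificate. The hostname, subject fields, file names and the check123 password are the ones used on this page; the test CA names and the scratch directory are assumptions of the example.

```shell
#!/bin/sh
# Added example, not from the original page: the OpenSSL half of the procedure
# (CSR -> chained All-certs.pem -> All-certs.p12 -> final.pem) as one script, plus
# the checks worth running before the file goes anywhere near the controller.
# Assumed, not from the page: a POSIX shell with openssl in PATH; a root and an
# intermediate CA generated here to stand in for the public CA (Comodo, GoDaddy).
set -eu

WORK=$(mktemp -d)                    # scratch folder, the page's C:\openssl\bin
CN=guest-wireless.companyname.com    # DNS name configured on the WLC virtual interface
PW=check123                          # password typed into the WLC when downloading final.pem

# Step 1: the page's key + CSR command, with -subj so no prompts are needed.
# -nodes leaves mykey.pem unencrypted: keep it on the box, only myreq.pem goes to the CA.
make_csr() {
    openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/mykey.pem" -out "$WORK/myreq.pem" \
        -subj "/C=GB/L=London/O=Company Name/OU=IT/CN=$CN"
}

# Stand-in for the public CA (constructed): self-signed root, intermediate signed by
# the root, device certificate signed by the intermediate with a SAN for the hostname.
issue_test_chain() {
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$CN" > "$WORK/dev.ext"
    openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/root.key" -out "$WORK/root.csr" \
        -subj "/CN=Example Test Root CA"
    openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -out "$WORK/root.pem" \
        -days 30 -set_serial 1 -extfile "$WORK/ca.ext"
    openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/inter.key" -out "$WORK/inter.csr" \
        -subj "/CN=Example Test Intermediate CA"
    openssl x509 -req -in "$WORK/inter.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
        -out "$WORK/inter.pem" -days 30 -set_serial 2 -extfile "$WORK/ca.ext"
    openssl x509 -req -in "$WORK/myreq.pem" -CA "$WORK/inter.pem" -CAkey "$WORK/inter.key" \
        -out "$WORK/device.pem" -days 90 -set_serial 3 -extfile "$WORK/dev.ext"
}

# Common Name of a certificate file (RFC 2253 order puts CN first).
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Step 2 check: All-certs.pem must contain CERTIFICATE blocks (a pasted CSR is the
# classic mistake) in the order device, intermediate, root: each certificate is
# issued by the one after it and the last one is self-signed.
check_chain_order() {
    bundle=$1
    if grep -q 'BEGIN CERTIFICATE REQUEST' "$bundle"; then
        echo "chain check: $bundle contains a certificate request, not a certificate" >&2
        return 1
    fi
    n=$(grep -c 'BEGIN CERTIFICATE' "$bundle" || true)
    if [ "$n" -lt 2 ]; then
        echo "chain check: expected device + intermediate(s) + root, found $n certificate(s)" >&2
        return 1
    fi
    split=$(mktemp -d)
    awk -v d="$split" '/BEGIN CERTIFICATE/{i++} i>0{print > (d "/c" i ".pem")}' "$bundle"
    k=1
    while [ "$k" -le "$n" ]; do
        iss=$(openssl x509 -in "$split/c$k.pem" -noout -issuer -nameopt RFC2253 | sed 's/^issuer= *//')
        if [ "$k" -lt "$n" ]; then nxt=$((k + 1)); else nxt=$k; fi   # the root must be self-signed
        sub=$(openssl x509 -in "$split/c$nxt.pem" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//')
        if [ "$iss" != "$sub" ]; then
            echo "chain check: certificate $k of $n is out of order or its issuer is missing" >&2
            rm -rf "$split"
            return 1
        fi
        k=$((k + 1))
    done
    rm -rf "$split"
}

# Step 3: the page's two pkcs12 commands, preceded by a key/certificate match check
# (a key that does not belong to the device certificate is the usual reason the
# export fails or the controller rejects the upload). -clcerts is kept as on the page;
# it only affects parsing, not export.
build_final_pem() {
    if [ "$(openssl x509 -in "$WORK/device.pem" -noout -modulus)" != "$(openssl rsa -in "$WORK/mykey.pem" -noout -modulus)" ]; then
        echo "mykey.pem does not match device.pem: wrong key or wrong certificate" >&2
        return 1
    fi
    openssl pkcs12 -export -in "$WORK/All-certs.pem" -inkey "$WORK/mykey.pem" -out "$WORK/All-certs.p12" \
        -clcerts -passin "pass:$PW" -passout "pass:$PW"
    openssl pkcs12 -in "$WORK/All-certs.p12" -out "$WORK/final.pem" -passin "pass:$PW" -passout "pass:$PW"
}

make_csr
issue_test_chain
cat "$WORK/device.pem" "$WORK/inter.pem" "$WORK/root.pem" > "$WORK/All-certs.pem"   # device, intermediate, root
check_chain_order "$WORK/All-certs.pem"
openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/inter.pem" "$WORK/device.pem"
build_final_pem
echo "final.pem for $(cert_cn "$WORK/device.pem") is in $WORK; upload it to the WLC with password $PW"
```

Run it with sh; it prints where final.pem was written. For a real certificate, leave out issue_test_chain, send myreq.pem to the CA, build All-certs.pem from the files it returns, and run check_chain_order on that file before the pkcs12 steps. The same openssl arguments work at the Windows OpenSSL> prompt without the leading openssl word.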
The easiest method is to go to Security > Web Auth > Certificate in the WLC web interface.
Tick the box that says Download SSL Certificate.
Enter the IP address of your TFTP server, the path and filename (final.pem) and the password you created above, in this case check123, then click Apply.
The certificate will be downloaded to the controller and you will see the details of your certificate on the screen. Check that the Common Name shown matches the hostname on your virtual interface before going any further.
The controller must be rebooted for the certificate to take effect.
Update DNS
One final step is to update your DNS with an entry for the hostname configured on the virtual interface.
If your guest clients resolve DNS externally this needs to be done on your external DNS.
This is a simple A record for the name you configured on the virtual interface and put in your certificate, e.g. guest-wireless.companyname.com, pointing to the virtual interface IP address (1.1.1.1 or whatever IP you have on your virtual interface). The WLC only redirects guests to that hostname, rather than to the bare IP, when the DNS hostname is set on the virtual interface, and the name must resolve or the login page will not load. Note that 1.1.1.1 is a publicly routable address (it now belongs to Cloudflare's public resolver), so Cisco recommends a non-routable address such as 192.0.2.1 for the virtual interface instead.
That should be it. When guest users connect to your guest network they will no longer be prompted with a certificate error.
There are two very good videos from Cisco here which describe the process