Information about Loading an Externally Generated SSL Certificate
You can use a supported transfer method such as TFTP server to download an externally generated SSL certificate to the controller. Follow these guidelines for using TFTP:
-
If you load the certificate through the service port, the TFTP server must be on the same subnet as the controller because the service port is not routable, or you must create static routes on the controller. Also, if you load the certificate through the distribution system network port, the TFTP server can be on any subnet.
-
A third-party TFTP server cannot run on the same PC as the Cisco Prime Infrastructure because the Prime Infrastructure built-in TFTP server and the third-party TFTP server require the same communication port.
Note
Chained certificates are supported for web authentication and management certificate.
CSR compliance with RFC-5280
With all parameters in CSR aligned with RFC-5280, there are some restrictions as follows:
-
emailAddress in CSR can only be 128 characters long.
-
If the CSR is generated using the CLI, the maximum number of characters (of all input combined for CSR) is limited to 500 including config certificate generate csr-***** .
Related Documentation
Generate CSR for Third-Party Certificates and Download Chained Certificates to the WLC—https://www.cisco.com/c/en/us/support/docs/wireless/4400-series-wireless-lan-controllers/109597-csr-chained-certificates-wlc-00.html
Loading an SSL Certificate (GUI)
Procedure
Step 1 |
Choose . |
||
Step 2 |
On the Web Authentication Certificate page, check the Download SSL Certificate check box.
|
||
Step 3 |
In the Server IP Address field, enter the IP address of the TFTP server. |
||
Step 4 |
In the Maximum Retries field, enter the maximum number of times that the TFTP server attempts to download the certificate. |
||
Step 5 |
In the Timeout field, enter the amount of time (in seconds) that the TFTP server attempts to download the certificate. |
||
Step 6 |
In the Certificate File Path field, enter the directory path of the certificate. |
||
Step 7 |
In the Certificate File Name field, enter the name of the certificate (webadmincert_name.pem). |
||
Step 8 |
(Optional) In the Certificate Password field, enter a password to encrypt the certificate. |
||
Step 9 |
Save the configuration. |
||
Step 10 |
Choose to reboot the controller for your changes to take effect, |
Loading an SSL Certificate (CLI)
Procedure
Step 1 |
Use a password to encrypt the HTTPS certificate in a .PEM-encoded file. The PEM-encoded file is called a web administration certificate file (webadmincert_name.pem). |
Step 2 |
Move the webadmincert_name.pem file to the default directory on your TFTP server. |
Step 3 |
To view the current download settings, enter this command and answer n to the prompt: transfer download start Information similar to the following appears:
|
Step 4 |
Use these commands to change the download settings: transfer download mode tftp transfer download datatype webadmincert transfer download serverip TFTP_server IP_address transfer download path absolute_TFTP_server_path_to_the_update_file transfer download filename webadmincert_name.pem |
Step 5 |
To set the password for the .PEM file so that the operating system can decrypt the web administration SSL key and certificate, enter this command: transfer download certpassword private_key_password |
Step 6 |
To confirm the current download settings and start the certificate and key download, enter this command and answer y to the prompt: transfer download start Information similar to the following appears:
|
Step 7 |
To save the SSL certificate, key, and secure web password to NVRAM so that your changes are retained across reboots, enter this command: |
Step 8 |
To reboot the controller, enter this command: |