Skip to content

Afroz Ahmad

My Official Blog


Category: Wireless



SSL Certificates on the WLC :-

•Internal https server on the WLC is enabled by default for Web Administration & Web Policy (Web Authentication/Passthrough)
•Provides SSL encryption between Wireless clients and WLC to protect Web Authentication credentials.


•End user receives a security warning when triggering the web policy page on the WLC.
•WLC does not have validated public signed certificate. A self-signed certificate (SSC) is installed on the WLC by default.


•Deploy a 3rd party certificate signed by a Public CA.
•Wireless controller code version or higher.
•OpenSSL 0.9.8 (1.0.0 is not compatible at this time)
•Up to Level 2 certificates are supported on the WLC.
•level 0 : Device Certificate
•level 1 : Device & Root Certificate
•level 2 : Device, intermediate and Root Certificate.
•Level 3 certificates and not currently supported (CSCtk65761)
•Device, Co-intermediate , Intermediate, Root Certificates
•1024 and 2048 bit certificates are currently supported.
•Ask CA what certificates will be provided in chain.

Step-1 Generate a CSR using OpenSSL 0.9.8

1.Install and Open the OPENSSL application
  • If using GnuWin32 OpenSSL for Windows: Open via command line:
  • C:\Program Files\GnuWin32\OpenSSL\bin\openssl.exe
2.Issue the following command
  • OpenSSL>req -new -newkey rsa:2048 -nodes -keyout mykey.pem -out myreq.pem
2.Note:- Either 1024 or 2048 bit requests can be used on WLC.
3.Provide the requested information including Common Name. Common name must match DNS hostname on the virtual interface.
4.Once Completed two files will be created.
  • myreq.pem – This is the request that will be sent to CA.
  • mykey.pem – This is the key file which will be used when certs arrive.

Step-1 Sample Output

The output should look like below.

OpenSSL> req -new -newkey rsa:2048 -nodes -keyout mykey.pem -out myreq.pem -conf
ig “C:\Users\v763807\Desktop\openssl-0.9.8g_win32\openssl-0.9.8g_win32\openssl.c
Loading ‘screen’ into random state – done
Generating a 2048 bit RSA private key
writing new private key to ‘mykey.pem’
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.’, the field will be left blank.
Country Name (2 letter code) [AU]:FI
State or Province Name (full name) [Some-State]:Finland
Locality Name (eg, city) []:Helsinki
Organization Name (eg, company) [Internet Widgits Pty Ltd]:ABCD
Organizational Unit Name (eg, section) []:Network
Common Name (eg, YOUR name) []
Email Address []

Please enter the following ‘extra’ attributes
to be sent with your certificate request
A challenge password []:hello123       –> We should remember this password, it will be used later in final step.
An optional company name []:

Step-2 Obtain certificate from CA

1.Login to  certificate authority’s web portal , in our case “THWATE”. Provide the myreq.pem file when creating a new certificate.
2.Note: If an optional password was used when creating the request, be sure to provide this password to the CA when submitting.
3.Your CA will notify you when your certificate is ready and provide a method to download.
4.When downloading the certificate , ensure that you obtain the following. Copy certificates in a notepad , in below order and name it as “All-certs.pem”.
       1.Device Certificate
       2.Intermediate Certificate
       3.Root Certificate

Step-3 Chaining the Certificates

When we receive the certificate for another entity, we might need to use a certificate chain to obtain the root CA certificate. The certificate chain, also known as the certification path , is a list of certificates used to authenticate an entity. The chain , or path begins with the certificate of that entity and each certificate in the chain is signed by the entity identified by the next certificate in the chain. The chain terminates with a root CA certificate. The root CA certificate is always signed by CA itself. The signature of all certificates in the chain must be verified until the root CA certificate is reached. Below figure  illustrates a certification path from the certificate owner to the root CA, where the chain of trust begins.

Cert Chain

1.Open OpenSSL (via command line) and issue the following commands.
       1.openssl>pkcs12 -export -in All-certs.pem -inkey mykey.pem -out All-certs.p12 -clcerts -passin pass:admin123 -passout pass:admin123
       2.openssl>pkcs12 -in All-certs.p12 -out final-cert.pem -passin pass:admin123 -passout pass:admin123
       3.Note:- In the above commands we must enter a password for the parameters -passin and -passout . The password that is configured for the -passout parameter must match the certpassword parameter that is configured on the WLC. Here password if “hello123”
2.If all successful , we will have a file called “final-cert.pem”. Move this file into our TFTP(L00SRV1083) Root directory.

Step-4 Downloading “final-cert.pem” to the WLC

1.Open our TFTP server and verify that “final-cert.pem” is within the Root directory on the server.
2.Login to the WLC via a Web  GUI and choose the following path:
            1.Web GUI –> Security –> Web Auth –> Certificate :
            2.Check the box : ” Download SSL Certificate“
             3.When ready click “Apply” in the upper right hand corner of the page.

Using DNS to Validate the Common Name

1.Configure WLC’s virtual interface Hostname as the common name found on the certificate. Reboot required.
      1.Example:-  –> or x.x.x.x
2.On the clients DNS server . Configure a DNS A record  pointing our FQDN to the virtual interface ip address.
           1.Example:-  –>
           2.Three options when deploying DNS
           3.Client can use an external DNS server (public) . This requires a public A record on “”
           4.Client can use an internal DNS server within the enterprise. Simply create the A record on the internal servers.
           5.Deploy a DNS server in the DMZ.


1. OpenSSL does not Generate All-certs.p12 or final-cert.pem:
      1.Verify that All-certs.pem file has the certification in the following order: Device(top), Intermediate (Middle) , Root (Bottom)
       2.Verify that mykey.pem file is the same used to originally create the CSR (myreq.pem)
       3.If an optional password was set within the CSR, ensure that this password was provided to the CA when requesting for the certificate.
2. Certificate Fails to install to install to the WLC
        1.Run the “debug transfer all enable ” command on WLC CLI
        2.Verify that the passin/passout password is used when downloading to the WLC
3. Client still receives security warning after successful installtion:
        1.Browse to the Web Policy page and double click the SSL icon in your browser to view the certificate. Review the certificate path.
FAQs :-
1.Can i install the same certificate on multiple WLCs ?
      1.Yes, the Virtual interface IP address and hostname must be same on all WLCs.
2.If i am using Guest Anchor WLC , where do i need to install the certificate?
      1.The 3rd party SSL certificate is only required on the Anchor WLC.
3.My company has a wildcard SSL certificate. Can i use this with the WLC?
      1.Yes, however please ensure the that the certificate is a level 2 or lower.
4.My certificates are not in .pem format . Can i convert these ?
      1.Yes , we can use OpenSSL to perform the conversion or use following web-based tool:
      2. (External Site)
5.Additional Links:

Cisco Prime NCS 1.3:-  This is login page after upgrade.

NCS 1.3

I would personally recommend to upgrade Cisco Prime NCS 1.2 to version 1.3. There are lots of bugs in release 1.2 , you will instantly feel that after the upgrade to 1.3.

Regarding the benefit of the upgrade you can check the release note for the upgrade from the following Link it will show you the solved bugs :

You can download the upgrade file from following Link you will find the “PI-VA-” under 1.3 and if you have Cisco Prime NCS 1.2 already installed and running then only download “PI-upgrade-bundle-”:

  •  Here are the steps for the upgrade :-
  • Open a console session and log in to the existing server as admin. Enter the password when prompted.
  •  Copy the upgrade file downloaded from to the default repository:defaultRepo
  • admin# copy source disk:/defaultRepo

Source:- source is the application upgrade file’s URL, path and filename (for example: FTP://<YourFTPServer>/PI-upgrade-bundle-

disk is the disk and path to the local defaultRepo.

  • Stop the Prime Infrastructure server. Enter the command “ncs stop”.
  • Run the application upgrade:

admin# application upgrade PI-upgrade-bundle- defaultRepo

  • This step can take 30 minutes or more to complete, depending on the size of the application database.


Here is a summary of the WCS to Prime Infrastructure migration process:
1. Order a WCS to PI 1.2 migration. The correct product ID is: R-W-PI12-M-K9
  • Under this product ID, you will be able to select 0-priced capacity licenses. Please select a combination of these, so that the total number of licenses matches the maximum number of access points licensed on the existing WCS system. Support for the new PI installation is optional, but strongly recommended.
  • If you plan to use a physical appliance, you will need to order that separately, using the product ID PRIME-NCS-APL-K9. Again, hardware support is optional, but strongly recommended. Application support does not automatically provide hardware support. You will need to order both separately, if needed. Make sure to order the appliance with version 1.1 software.
2. Create a new installation of NCS
  • If you chose a physical appliance, do initial configuration and check that it is running software, by opening a SSH connection to it and entering the show version command. If you have a different version of software running, you will need to open a TAC case to do an upgrade/downgrade (
  • For virtual appliance here are the very initial steps. 
  • Prerequisite :  Server Requirements
  • Installing the Cisco Prime Infrastructure Virtual Appliance
  • Installing the Cisco Prime Infrastructure OVA
  • At this point we are able to https://<prime ip> , this will get us to the default license page that there is no license currently available in the device. We need a 30 days evaluation BASE license  to install other licenses on the device based on the UDI/VUDI name.
  • If you chose a virtual appliance, send an e-mail to , to get temporary download rights to the NCS OVA file. For this, you will need a valid CCO account linked to a valid e-mail address. Deploy the OVA template onto VMware and do initial configuration through CLI.
  • Hardware and software installation guides:
3. Install temporary licenses to activate the NCS appliance.
  • Open the web GUI of your new NCS installation. It will automatically open the license management section. From there you will need to copy the UDI/VUDI string and send it via e-mail to You will receive an evaluation license file via automated e-mail that will enable you to do step 4. Processing the request usually takes around 24 hours. You can install the file using the NCS web GUI license management tool. You can find more information about managing licenses here:
4. Do a WCS to NCS data migration.
5. Upgrade NCS to Prime Infrastructure
6. Install the permanent “Lifecycle” licenses that you received by ordering the migration product ID.
  • In my case i have received 3 licenses  for NCS . Install it from the license center under administration tab.
7. At this point your NCS Prime Infrastructure installation is ready to use.Below is the view of Wireless clients connected to your networks, there SSID’s used, encryption method, frequency band, etc. You can further optimize your NCS box to get the most out of it.