•Internal https server on the WLC is enabled by default for Web Administration & Web Policy (Web Authentication/Passthrough)
•Provides SSL encryption between Wireless clients and WLC to protect Web Authentication credentials.
•End user receives a security warning when triggering the web policy page on the WLC.
•WLC does not have validated public signed certificate. A self-signed certificate (SSC) is installed on the WLC by default.
•Deploy a 3rd party certificate signed by a Public CA.
•Wireless controller code version 5.1.151.0 or higher.
•OpenSSL 0.9.8 (1.0.0 is not compatible at this time)
•Up to Level 2 certificates are supported on the WLC.
•level 0 : Device Certificate
•level 1 : Device & Root Certificate
•level 2 : Device, intermediate and Root Certificate.
•Level 3 certificates and not currently supported (CSCtk65761)
•Device, Co-intermediate , Intermediate, Root Certificates
•1024 and 2048 bit certificates are currently supported.
•Ask CA what certificates will be provided in chain.
Step-1 Generate a CSR using OpenSSL 0.9.8
1.Install and Open the OPENSSL application
- If using GnuWin32 OpenSSL for Windows: Open via command line:
- C:\Program Files\GnuWin32\OpenSSL\bin\openssl.exe
2.Issue the following command
- OpenSSL>req -new -newkey rsa:2048 -nodes -keyout mykey.pem -out myreq.pem
2.Note:- Either 1024 or 2048 bit requests can be used on WLC.
3.Provide the requested information including Common Name. Common name must match DNS hostname on the virtual interface.
4.Once Completed two files will be created.
- myreq.pem – This is the request that will be sent to CA.
- mykey.pem – This is the key file which will be used when certs arrive.
Step-1 Sample Output
The output should look like below.
OpenSSL> req -new -newkey rsa:2048 -nodes -keyout mykey.pem -out myreq.pem -conf
ig “C:\Users\v763807\Desktop\openssl-0.9.8g_win32\openssl-0.9.8g_win32\openssl.c
nf”
Loading ‘screen’ into random state – done
Generating a 2048 bit RSA private key
……………………………………………………………..+++
……………………………………………………………………..
……………………………………………………………………..
……………………………………………………………………..
……………………………………………………………………..
………………………………………………………………+++
writing new private key to ‘mykey.pem’
—–
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.’, the field will be left blank.
—–
Country Name (2 letter code) [AU]:FI
State or Province Name (full name) [Some-State]:Finland
Locality Name (eg, city) []:Helsinki
Organization Name (eg, company) [Internet Widgits Pty Ltd]:ABCD
on
Organizational Unit Name (eg, section) []:Network
Common Name (eg, YOUR name) []:guest.afrozahmad.com
Email Address []:admin@afrozahmad.com
Please enter the following ‘extra’ attributes
to be sent with your certificate request
A challenge password []:hello123 –> We should remember this password, it will be used later in final step.
An optional company name []:
OpenSSL>
Step-2 Obtain certificate from CA
1.Login to certificate authority’s web portal , in our case “THWATE”. Provide the myreq.pem file when creating a new certificate.
2.Note: If an optional password was used when creating the request, be sure to provide this password to the CA when submitting.
3.Your CA will notify you when your certificate is ready and provide a method to download.
4.When downloading the certificate , ensure that you obtain the following. Copy certificates in a notepad , in below order and name it as “All-certs.pem”.
1.Device Certificate
2.Intermediate Certificate
3.Root Certificate
Step-3 Chaining the Certificates
When we receive the certificate for another entity, we might need to use a certificate chain to obtain the root CA certificate. The certificate chain, also known as the certification path , is a list of certificates used to authenticate an entity. The chain , or path begins with the certificate of that entity and each certificate in the chain is signed by the entity identified by the next certificate in the chain. The chain terminates with a root CA certificate. The root CA certificate is always signed by CA itself. The signature of all certificates in the chain must be verified until the root CA certificate is reached. Below figure illustrates a certification path from the certificate owner to the root CA, where the chain of trust begins.
1.Open OpenSSL (via command line) and issue the following commands.
1.openssl>pkcs12 -export -in All-certs.pem -inkey mykey.pem -out All-certs.p12 -clcerts -passin pass:admin123 -passout pass:admin123
2.openssl>pkcs12 -in All-certs.p12 -out final-cert.pem -passin pass:admin123 -passout pass:admin123
3.Note:- In the above commands we must enter a password for the parameters -passin and -passout . The password that is configured for the -passout parameter must match the certpassword parameter that is configured on the WLC. Here password if “hello123”
2.If all successful , we will have a file called “final-cert.pem”. Move this file into our TFTP(L00SRV1083) Root directory.
Step-4 Downloading “final-cert.pem” to the WLC
1.Open our TFTP server and verify that “final-cert.pem” is within the Root directory on the server.
2.Login to the WLC via a Web GUI and choose the following path:
1.Web GUI –> Security –> Web Auth –> Certificate :
2.Check the box : ” Download SSL Certificate“
3.When ready click “Apply” in the upper right hand corner of the page.
Using DNS to Validate the Common Name
1.Configure WLC’s virtual interface Hostname as the common name found on the certificate. Reboot required.
1.Example:- wlanguest.admin.com –> 1.1.1.1 or x.x.x.x
2.On the clients DNS server . Configure a DNS A record pointing our FQDN to the virtual interface ip address.
1.Example:- guest.afrozahmad.com –> 1.1.1.1
2.Three options when deploying DNS
3.Client can use an external DNS server (public) . This requires a public A record on “admin.com”
4.Client can use an internal DNS server within the enterprise. Simply create the A record on the internal servers.
5.Deploy a DNS server in the DMZ.
Troubleshooting:-
1. OpenSSL does not Generate All-certs.p12 or final-cert.pem:
1.Verify that All-certs.pem file has the certification in the following order: Device(top), Intermediate (Middle) , Root (Bottom)
2.Verify that mykey.pem file is the same used to originally create the CSR (myreq.pem)
3.If an optional password was set within the CSR, ensure that this password was provided to the CA when requesting for the certificate.
2. Certificate Fails to install to install to the WLC
1.Run the “debug transfer all enable ” command on WLC CLI
2.Verify that the passin/passout password is used when downloading to the WLC
3. Client still receives security warning after successful installtion:
1.Browse to the Web Policy page and double click the SSL icon in your browser to view the certificate. Review the certificate path.
FAQs :-
1.Can i install the same certificate on multiple WLCs ?
1.Yes, the Virtual interface IP address and hostname must be same on all WLCs.
2.If i am using Guest Anchor WLC , where do i need to install the certificate?
1.The 3rd party SSL certificate is only required on the Anchor WLC.
3.My company has a wildcard SSL certificate. Can i use this with the WLC?
1.Yes, however please ensure the that the certificate is a level 2 or lower.
4.My certificates are not in .pem format . Can i convert these ?
1.Yes , we can use OpenSSL to perform the conversion or use following web-based tool:
5.Additional Links:
