Wired Stuff
WiFi Tablet Corner
My80211 White Papers (Coming Soon!)

Cisco Wireless Compatibility Matrix (Nov. 2011)

Podcasts / Videos

My80211 Videos

Cisco: 802 11 frames with Cisco VIP George Stefanick

Fluke Networks: Minimize Wi Fi Network Downtime

Aruba: Packets never lie: An in-depth overview of 802.11 frames

ATM15 Ten Talk “Wifi drivers and devices”

Houston Methodist Innovates with Wireless Technology

Bruce Frederick Antennas (1/2)


Bruce Frederick dB,dBi,dBd (2/2)

Cisco AP Group Nugget

Social Links
Revolution WiFi Capacity Planner

Anchor / Office Extends Ports


Peek Inside Cisco's Gear

See inside Cisco's latest wireless gear!

2.4 GHz Channel Overlap




  • CWSP Certified Wireless Security Professional Official Study Guide: Exam PW0-204
    CWSP Certified Wireless Security Professional Official Study Guide: Exam PW0-204
    by David D. Coleman, David A. Westcott, Bryan E. Harkins, Shawn M. Jackman

    Shawn Jackman (Jack) CWNE#54 is a personal friend and has been a mentor to me for many years.  I've had the pleasure and opportunity to work with Jack for 4 years. Jack is a great teacher who takes complex 802.11 standards and breaks them down so almost anyone can understand the concept at hand. I'm excited for you brother. Great job and job well done! Put another notch in the belt!

IEEE 802.11a/g/n Reference Sheet


LWAPP QoS Packet Tagging



Interference Types


Microwave Oven

Cordless Phone


« Cisco Releases iPhone APP v1.0 for CSC (Cisco Support Community) | Main | Firefox and WLC Certificate Issues »

WLC:Generate Third Party Web Authentication Certificate for a WLC

It’s that time of year and our Cisco WLC Web Authentication Certificate is close to expiration. Certificates are not my strong point and its not often I have to deal with them outside of ACS and the controllers. So I wanted to document these steps for my benefit for next go around.

This is a step by step “how to” creating a CSR (Certificate Signing Request) with OPENSSL, processing a third-party certificate that is CHAINED and download it to the Cisco WLC.

Dependency Homework

Its always important to check your dependencies and NEVER assume.

1) WLC versions earlier than, web authentication certificates can be only device certificates and DO NOT support chained certificates, ONLY ROOT SIGNED certificates

2) WLC versions and later support chained certificates (up to a level of 2)

3)   ** Certificate Levels **

Level 0 – Use of only a server certificate on WLC
Level 1 – Use of server certificate on WLC and a CA root certificate
Level 2 – Use of server certificate on WLC, one single CA intermediate certificate, and a CA root certificate.
Level 3 -  Use of server certificate on WLC, two CA intermediate certificate, and a CA root certificate. 

4) Entrust does not support root signed certificates (unchained) as of 12/31/2010. Since my anchors are on 4.2.x, looks like I will be upgrading my controller code.

5) When anchoring, the remote and anchor controllers connect using EoIP tunnels. Below is a quick look at supported code levels . Although, Cisco will tell you its best practice to have your Anchors and Remote WLCs on the same version of code.


Why a signed certificate on the Cisco Anchor WLC?

The Anchor WLC is configured with HTTPS. When a guest user connects to the wireless guest network they will be presented with a WLC self signed certificate or an expired certificate. As such, this will cause the “please accept” this certificate screen.

By installed a signed CA certificate, you negate this screen and users move directly to the accept screen. Its really a inconvenience to the end user.


If this is your first time using OPENSSL, it could be a little intimidating, but it isn’t really as bad as you think. Everything is scripted.

Before starting, you will need to download and unzip OPENSSL. You will notice a number of versions. I used windows version ,0.9.8.a to create my CSR.  I unzipped OPENSSL in a folder off my C: drive


Generate a CSR

A CSR stands for certificate signing request. This is the first step in the certificate process.

After you have OPENSSL installed you want to launch openssl.exe. You then enter the following script.

1)   C:\openssl\bin>openssl.exe

OpenSSL> req –new –newkey rsa:2048 –nodes –keyout mykey.pem –out myreq.pem
Note: The WLC supports a maximum key size of 2048

2)   You will be presented with a number of questions. Your company name, state, country, common name etc. Its important to enter this information correctly. This data gets checked against the CA information on file. It is also important the CN (common name) matches the DNS A record for your virtual IP.


You will also be prompted to enter an optional password. This is important, as it adds an extra layer of security and prevents someone compiling the certificate without the password.

OpenSSL>req −new −newkey rsa:2048 −nodes −keyout mykey.pem −out myreq.pem

Loading 'screen' into random state − done Generating a 2048 bit RSA private key ................................................................++++++ ...................................................++++++

writing new private key to 'mykey.pem'
You are about to be asked to enter information that will be incorporated into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank

For some fields there will be a default value, If you enter '.', the field will be left blank.
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some−State]:TX
Locality Name (eg, city) []:Houston
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Mycompany
Organizational Unit Name (eg, section) []:IT
Common Name (eg, YOUR name) []
Email Address []

Please enter the following 'extra' attributes to be sent with your certificate request

A challenge password []:TESTEST
An optional company name []:


 3)   Once you are complete. You will find 2 files in the bin folder.

  1. mykey.pem
  2. myreq.pem

The mykey.pem is your portion of the CSR which will be used later. Keep this in a safe place.

The myreq.pem is your CSR ,which is sent to your CA. If you change the file type from .pem to .txt you will see something similar to this:


4) The CA will reply with a digitally signed certificate chain. You will receive three certificates.

  1. Root Certificate
  2. Intermediate Certificate
  3. Device Certificate

5)   The next step, you will want to take the 3 certificates and change the extension to .txt.


Once the extensions are converted to .txt. Open notepad and cut and paste the certificates in this order:

*Device cert*
*Intermediate CA cert *
−−−−−−END CERTIFICATE−−−−−−−−
*Root CA cert *


 It is important you put the certs in the correct order -- device, intermediate, root.

  1. Device Certificate
  2. Intermediate Certificate
  3. Root Certificate

 Specific to Entrust … your cert order would be the following:

  1. Device Certificate ------------------ L1Croot
  2. Intermediate Certificate-----------L1Cchainroot
  3. Root Certificate----------------------Entrust


 6)   Save the file as All-certs.pem

 7)   In this step you will combine your mykey.pem and the All-certs.pem. Open up OPENSLL again. Enter the following:


OpenSSL> pkcs12 -export -in All-certs.pem -inkey mykey.pem -out All-certs.p12 -clcerts -passin pass:TESTTEST -passout pass:TESTTEST

Loading 'screen' into random state - done

OpenSSL> pkcs12 -in All-certs.p12 -out final-cert.pem -passin pass:TESTTEST -passout pass:TESTTEST

MAC verified OK



8)   When you are done you will have 1 file, called final-cert.pem. This is the certificate you will download to your Anchor WLC.

9) Enter your WLC Security ->Web Auth -> Certificate

Check, check box “Download SSL Certifciate” and enter your TFTP information and your certificate password.


PrintView Printer Friendly Version

EmailEmail Article to Friend

References (1)

References allow you to track sources for this article, as well as articles that were written in response to this article.
  • Response
    Response: No al descuelgue - HOME - WLC:Generate Third Party Web Authentication Certificate for a WLC

Reader Comments (12)

Thank you for posting this process. I was unsure of OPENSSL, but it looks pretty easy.

January 17, 2011 | Unregistered CommenterRoman

Thanks a lot for discussing this matter. I concur with your conclusions.The point that the data stated are all first hand on actual experiences even help more.

January 19, 2011 | Unregistered CommenterSAT Study Guide

on the controller you selected file name as final.pem. It should be final-cert.pem as this is the file name that we put in last command.

How can we check the common name in the root cert or how it gets highlighted.

Any idea, if wildcard is also supported on cisco controllers?

March 9, 2011 | Unregistered CommenterYuvi

I got the cert loaded but here is my issue:

- Since how do I get the to resolve to
- The way it is setup clients do not have access to the internal DNS only external DNS i.e; OpenDNS servers
- I tried changing the Virtual interfaces IP address but when I do that none of the clients can grab an IP address since I am using the WLC as the DHCP server with DHCP proxy enabled Virtual interfaces IP needs to stay as

Any help would be appreciated thank you.

May 9, 2011 | Unregistered CommenterAli

Thanks a bunch! Really helpful and easy to follow!

May 25, 2011 | Unregistered CommenterAnonymous

I didn't get 3 files back from my CA only a x509 .cer or a .p7b file. If I open the .cer, it shows the full certificate path, yet on my WLC it does not?

September 19, 2011 | Unregistered CommenterHoagie

Do you know, or can you help me understand-what is the relationship of the cert installed on the WLC compared to a radius server? For example, we are using IAS on W2K3 server. I installed a 3rd party cert on the wlc as well as on IAS. When connecting to the wlan from a Windows 7 or Mac client, I get a certificate error (can't connect at all from XP). I changed the IAS cert to a local CA and left the WLC as a 3rd party cert, and the error message on the client remains, but now lists the IAS server cert as untrusted. I think I have spent too much time looking and over-engineering this, and have confused myself. TIA.

December 5, 2011 | Unregistered CommenterMe

Yup no worries. The cert loaded on the WLC is your web browser certificate. The cert loaded on the radius server is used for 802.1X authenticatin for example with PEAP. if you add the local cert to your cert store you will not get prompted to trust the cert.

December 6, 2011 | Registered CommenterGeorge

Hi George, wondered if you've done a guest solution with foregin, anchor and NAC Guest Server hosting the web-login page? I think that I need certs on all devices but I'm not 100% sure.

February 28, 2012 | Unregistered CommenterRob S

This is an excellent description, which carried me through the whole run from creating a CSR to installing the final certificate. Appreciated.

October 8, 2012 | Unregistered CommenterOle C.

Ole, thanks for stopping by .....

October 12, 2012 | Registered CommenterGeorge

I just read through the entire article of yours and it was quite good. This is a great article thanks for sharing this information. I will visit your blog regularly for some latest post.

December 17, 2012 | Unregistered Commenterkate

PostPost a New Comment

Enter your information below to add a new comment.

My response is on my own website »
Author Email (optional):
Author URL (optional):
Some HTML allowed: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <code> <em> <i> <strike> <strong>