Wednesday 2 March 2011

Creating and Installing Device Certs using Windows CA

Use this method to stop the annoying security alert when logging in over HTTPS to manage the WLCs.

Install openssl0_9_8 on a Windows 2000/XP PC
Navigate to C:\OpenSSL\bin

Create the cert request on behalf of the WLC. This creates the private key "mykey.pem" and the request "myreq.pem". Fill in the information and put the WLC hostname as the CN. Remember the password!

OpenSSL> req -new -newkey rsa:1024 -nodes -keyout mykey.pem -out myreq.pem

Open myreq.pem in WordPad and copy its contents

Go to https://ca_server/certsrv and log in as administrator

Request a Certificate

Advanced Request

Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file.

Paste the request and select Template Web Server

Download the cert in Base 64 format and save it to the OpenSSL folder as certnew.cer

Run the next command to merge the cert with the private key file

OpenSSL> pkcs12 -export -in certnew.cer -inkey mykey.pem -out finalcert.p12 -clcerts -passin pass:cisco -passout pass:cisco

You then need to convert the p12 file into a pem file for the controller

OpenSSL> pkcs12 -in finalcert.p12 -out final.pem -passin pass:cisco -passout pass:cisco

The cert is now created. Upload it to the controller as type webadmincert, and don't forget to add a DNS entry for the hostname!

The same process can also be used for adding device certs for Local EAP. You will also require the CA Cert to be installed on the controller.

Request the CA cert and download it in DER format, then convert it to PEM

OpenSSL> x509 -in rootca.cer -inform DER -out rootca.pem -outform PEM
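
A pre-upload check for the final.pem built above, added here as an example and not part of the original post: it parses the PEM blocks and confirms the file holds one certificate plus one password-protected key, which is what the two pkcs12 commands should produce. The function names and the sample inputs are assumptions constructed for illustration; run on mykey.pem, the same check reports that -nodes left that key unencrypted on disk.

```python
import base64
import binascii
import re

# One PEM block: BEGIN line, optional RFC 1421 headers, base64 body, END line.
PEM_RE = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n"
    r"((?:[A-Za-z-]+: .*\r?\n)*)(?:\r?\n)?"
    r"([A-Za-z0-9+/=\r\n]+?)-----END \1-----")

def pem_blocks(text):
    """Return (label, encrypted, der_or_None) for each PEM block in text."""
    out = []
    for label, headers, body in PEM_RE.findall(text):
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except binascii.Error:
            der = None  # body is not valid base64
        enc = label == "ENCRYPTED PRIVATE KEY" or "Proc-Type: 4,ENCRYPTED" in headers
        out.append((label, enc, der))
    return out

def check_bundle(text):
    """List problems in a cert+key bundle such as final.pem (empty list = OK)."""
    blocks = pem_blocks(text)
    certs = [b for b in blocks if b[0] == "CERTIFICATE"]
    keys = [b for b in blocks if b[0].endswith("PRIVATE KEY")]
    problems = []
    if len(certs) != 1:
        problems.append(f"expected 1 certificate, found {len(certs)}")
    if len(keys) != 1:
        problems.append(f"expected 1 private key, found {len(keys)}")
    for _, _, der in certs:
        if not der or der[0] != 0x30:  # DER certificate starts with SEQUENCE
            problems.append("certificate body is not base64 DER")
    if any(not enc for _, enc, _ in keys):
        problems.append("private key is not password-protected")
    return problems

def _pem(label, der, headers=""):
    body = base64.encodebytes(der).decode()
    return f"-----BEGIN {label}-----\n{headers}{body}-----END {label}-----\n"

# Constructed placeholders, not real key material.
ENC_HDR = "Proc-Type: 4,ENCRYPTED\nDEK-Info: DES-EDE3-CBC,0011223344556677\n\n"
SAMPLE_FINAL = ("Bag Attributes\n    localKeyID: 01 00 00 00\n"
                + _pem("CERTIFICATE", b"\x30\x03\x02\x01\x00")
                + _pem("RSA PRIVATE KEY", bytes(16), ENC_HDR))
SAMPLE_MYKEY = _pem("RSA PRIVATE KEY", b"\x30\x03\x02\x01\x00")

if __name__ == "__main__":
    print("final.pem:", check_bundle(SAMPLE_FINAL) or "OK")
    print("mykey.pem:", check_bundle(SAMPLE_MYKEY))
```

To check real files, pass the text of final.pem (or mykey.pem) to check_bundle instead of the constructed samples.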
