Nowadays, when you purchase an SSL certificate from most well-known providers, your certificate is usually not signed directly by their root Certificate Authority (CA), but by an intermediate CA. This intermediate CA certificate, more often than not, is not known to the end user's computer, which causes your SSL certificate to be untrusted. This article provides a step-by-step guide on how to install an SSL certificate chain on a Cisco wireless LAN controller, specifically for web authentication for guest wireless. This article, however, does not explain the configuration of web authentication or the Certificate Signing Request (CSR) generation process, and assumes that a signed SSL certificate has already been obtained.
Check List:
Before you begin, please make sure that you have the following.
1. Signed SSL certificate
2. Private key and corresponding password
3. Root CA certificate provided by the certificate vendor
4. Intermediate CA certificate provided by the certificate vendor
5. Access to the Cisco wireless LAN controller
6. Access to OpenSSL
Before:
Here is what it looks like when only the controller certificate is installed. You can see that the browser failed to trust the certificate because it was signed by an entity the browser does not know.
Steps:
1. Open the signed SSL certificate, root CA certificate and intermediate CA certificate in a text editor. Each of those files should have the following format.
-----BEGIN CERTIFICATE-----
<Base64 Encoded Text>
-----END CERTIFICATE-----
2. Open a new text file, copy and paste the content of the previous three files in the following order (server certificate first, then the intermediate CA, then the root CA), and save. Here we call it 'Guest_CombinedCert.cer'.
-----BEGIN CERTIFICATE-----
<SSL Certificate>
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<Intermediate CA Certificate>
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<Root CA Certificate>
-----END CERTIFICATE-----
3. Drop the file into the OpenSSL working directory (the private key file referenced below must be there too). In OpenSSL, issue the following commands.
!
openssl pkcs12 -export -in Guest_CombinedCert.cer -inkey GUEST_PRIVKEY.pem -out Guest_CombinedCert.p12 -clcerts -passin pass:cisco -passout pass:cisco
!
openssl pkcs12 -in Guest_CombinedCert.p12 -out Guest_CombinedCert.pem -passin pass:cisco -passout pass:cisco
!
4. You should now have a final output file, here called 'Guest_CombinedCert.pem', which contains both the certificate chain and the private key.
5. To install the combined certificate for web authentication, go to Security -> Web Auth -> Certificate. Check the box 'Download SSL Certificate', fill in the file location information and click Apply. Once the file has been uploaded successfully, you will be prompted to reboot the controller.
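The whole OpenSSL side of steps 1 to 4 can be scripted and, more importantly, checked before anything is uploaded to the controller, since a bundle with the certificates in the wrong order or a key that does not belong to the certificate only shows up as a broken chain on the guest portal after a reboot. The POSIX shell script below is an added example and is not code from the original article or from Cisco. It assumes the constructed file names guest_cert.cer (signed SSL certificate), intermediate_ca.cer and root_ca.cer (the two vendor files); GUEST_PRIVKEY.pem, the password "cisco" and the Guest_CombinedCert.* output names are taken from the article. It builds the combined file, verifies the chain with openssl verify, confirms the private key matches the certificate, and then runs the article's two pkcs12 commands (without -clcerts, which the openssl manual lists as a parsing-side option).

```shell
#!/bin/sh
# Added example (not from the original article): assemble, check and convert
# the certificate bundle for a Cisco WLC from the shell.
# Assumed (constructed) inputs: guest_cert.cer, intermediate_ca.cer,
# root_ca.cer; GUEST_PRIVKEY.pem and the password "cisco" follow the article.
set -eu

# build_bundle LEAF INTERMEDIATE ROOT OUT
# Concatenate the three PEM files in the order the controller expects:
# server certificate first, then the intermediate CA, then the root CA.
build_bundle() {
    cat "$1" "$2" "$3" > "$4"
}

# count_certs FILE: print the number of PEM certificate blocks in FILE
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# check_chain LEAF INTERMEDIATE ROOT
# Succeed only if LEAF chains to ROOT through INTERMEDIATE. A vendor file
# from the wrong CA, or a mix-up between the three files, fails here.
check_chain() {
    openssl verify -CAfile "$3" -untrusted "$2" "$1" > /dev/null 2>&1
}

# key_matches_cert KEY CERT [PASSWORD]
# Compare the public key inside CERT with the one derived from KEY; a
# mismatch means the wrong key file (or the wrong certificate) was chosen.
key_matches_cert() {
    if [ $# -ge 3 ]; then
        key_pub=$(openssl pkey -in "$1" -passin "pass:$3" -pubout)
    else
        key_pub=$(openssl pkey -in "$1" -pubout)
    fi
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey)
    [ "$key_pub" = "$cert_pub" ]
}

# to_wlc_pem BUNDLE KEY PASSWORD OUT
# The article's pkcs12 round trip: wrap bundle + key into a PKCS#12 file,
# then unwrap it into the single PEM (chain + encrypted key) the WLC accepts.
to_wlc_pem() {
    p12="${4%.pem}.p12"
    openssl pkcs12 -export -in "$1" -inkey "$2" -out "$p12" \
        -passin "pass:$3" -passout "pass:$3"
    openssl pkcs12 -in "$p12" -out "$4" -passin "pass:$3" -passout "pass:$3"
}

# has_private_key FILE: succeed if FILE carries a (possibly encrypted) key
has_private_key() {
    grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$1"
}

# prepare LEAF INTERMEDIATE ROOT KEY PASSWORD OUTBASE
# Run every check, then write OUTBASE.cer (bundle) and OUTBASE.pem (upload).
prepare() {
    build_bundle "$1" "$2" "$3" "$6.cer"
    [ "$(count_certs "$6.cer")" -eq 3 ] || {
        echo "bundle should hold exactly 3 certificates" >&2; return 1; }
    check_chain "$1" "$2" "$3" || {
        echo "chain does not verify: check the vendor files and their order" >&2
        return 1; }
    key_matches_cert "$4" "$1" "$5" || {
        echo "private key does not match the certificate" >&2; return 1; }
    to_wlc_pem "$6.cer" "$4" "$5" "$6.pem"
    echo "ready to upload: $6.pem"
}

# Example invocation with the assumed file names:
# prepare guest_cert.cer intermediate_ca.cer root_ca.cer GUEST_PRIVKEY.pem cisco Guest_CombinedCert
```

Run prepare once the four input files are in the working directory; it stops at the first failed check so that an unverifiable bundle is never converted. The resulting Guest_CombinedCert.pem is the file uploaded in step 5.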
After:
The SSL certificate should now be trusted, and you should be able to see the whole certificate chain.
Conclusion:
We have successfully installed the certificate chain on a Cisco wireless LAN controller. Although our example here is for web authentication, the same process also applies to the HTTPS web management of the controller.
Additional Resources:
Generate CSR for Third-Party Certificates and Download Unchained
Author: Metha Chiewanichakorn, CCIE#23585 (R&S/Security/Service Provider)
