Cisco WLC (Wireless LAN Controllers) require the entire SSL cert chain to be installed on the appliance. I like to do this via IIS since it is very quick and efficient and all my intermediate and root certs are already on there typically (double check your servers please).
1. Create a temporary site in IIS and generate a CSR. Make sure the domain matches whatever appliance you are trying to generate it for exmp: wireless.yourcompany.com.
If you are exporting a wildcard cert that might already be on your IIS server, just export it as a PFX and skip to step 5.
2. Send the CSR to your registrar and wait for them to validate.
3. Get the .crt and convert it to .cer (just open the .crt and save it as .cer). Do the same for the intermediate and root certs you received.
4. Install the .cert in IIS as well as all intermediate and root certs they send you.
5. “View” the cert in IIS (Site properties > Directory Security > View Certificate > Details Tab > Copy to File) and export it with the private key in pkcs12 (.pfx) format. Also make sure to check “Include all certificates in the certification path is possible”. Just set the password as “password” so it’s easy to remember.
6. Now you have a .pfx with your whole SSL cert chain but you need to convert it to .pem for the WLC.
7. Use this command with OpenSSL:
openssl pkcs12 -in yourcert.pfx -out yourcert.pem
8. Type the “password” when prompted
9. TFTP the new .pem containing the whole SSL cert chain and private key over to the WLC and reboot. You will have to specify the “password” when you type in your TFTP info and Save and Reboot the WLC after the download is successful. Test it out and it should work.
Bjørn P. K.
January 25, 2011 at 6:34 AM
Excellent guide, worked like a charm!
March 5, 2012 at 8:33 AM
Thanks for the info is nice short summary – shows that this process is not complicated at all…
June 13, 2014 at 7:32 AM