cisco hands-on experience

Generate a CSR for WLC webauthentication

Generate a CSR for WLC webauthentication

Last week i was instructed to prepare our Wireless LAN Controller to work with
the webauth 3rd party unchained certificate for external visitors.
We want to provide a certain security feeling for the customers, if they combine with us about wlan access.

Background Information

By default, WLCs use a built-in self-signed SSL certificate. The WLCs use this SSL certificate in one of these situations:

  • When the clients try to connect to the WLAN network with use of SSL-based web authentication
  • When a user tries to log in to the WLC with use of Secure HTTP (HTTPS) (WebAdmin authentication)

You are prompted to accept the certificate from the WLC, because the clients do not have a trusted root certificate for the certificate that is installed on the WLC.
The SSL certificate on the WLC is not in the list of certificates that the client system trusts.
There are two ways to stop the generation of this web-browser security alert popup window.

  1. Use the self-signed SSL certificate on the WLC and configure the client stations to accept the certificate. Include the self-signed certificate on the WLC in the list of certificates that are trusted on the client station.
  2. Generate a CSR and install a certificate that is signed by a source (a third-party CA) for which the clients already have the trusted root certificates installed,
    such as VeriSign.


In our case the 2nd one.
Certification Level

  • Level 0—Use of only a server certificate on WLC.
  • Level 1—Use of server certificate on WLC and a CA root certificate.
  • Level 2—Use of server certificate on WLC, one single CA intermediate certificate, and a CA root certificate.
  • Level 3—Use of server certificate on WLC, two CA intermediate certificates, and a CA root certificate.


A certificate is an electronic document that you use in order to identify a server, a company, or some other entity and to associate that identity with a public key.

CAs are entities that validate identities and issue certificates. The certificate that the CA issues binds a particular public key to the name of the entity that the certificate identifies (such as the name of a server or device). Only the public key that the certificate certifies works with the corresponding private key that is possessed by the entity that the certificate identifies. Certificates help prevent the use of fake public keys for impersonation.

A CSR is a message that an applicant sends to a CA in order to apply for a digital identity certificate. For the most part, a third-party CA company, like Entrust or VeriSign, requires a CSR before the company can create a digital certificate.

CSR generation is independent of the device on which you plan to install an external certificate. So a CSR and private key file can be generated on any individual Windows or UNIX machine. CSR generation is not switch-dependent or appliance-dependent in this case.

Because the WLC does not generate a CSR, you must use a third-party application such as OpenSSL in order to generate a CSR for the WLC.

You can find a tutorial here, but it doesn’t work.
Link to cisco explanation

Now, i explain the steps that must be done to get a proper function and to be downloadable for the wireless lan controller.

1. Download openssl (for example for win7) from download the setup.exe

2. run setup.exe and follow the instructions.
Look at the following figure – choose only the appropriate packages.

3. Go further and finisch the installation process.
After that open the cygwin terminal

Open your Cygwin Terminal and generate the private key

we use rsa encryption 2048

Cygwin Terminal
$ openssl req -new -newkey rsa:2048 -nodes -keyout mykey.pem -out myreq.pem
Generating a 2048 bit RSA private key
writing new private key to ‘mykey.pem’
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.’, the field will be left blank.
Country Name (2 letter code) [AU]:EN
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) [ ]:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:xyz123
Organizational Unit Name (eg, section) [ ]:
Common Name (e.g. server FQDN or YOUR name) [ ]
Email Address [ ]:

Please enter the following ‘extra’ attributes
to be sent with your certificate request
A challenge password [ ]:
An optional company name [ ]:


Be sure that the domain is registered by your company
The virtual interface on the WLC must fit with the settings above.
You need only the red highlighted informations

$ pwd
you see the path where the files are saved.

With this command you generate to files.’mykey.pem’ and ‘myreq.pem’.
This two files were needed to get a valid CSR from your provider.
The returned CSR file looks like this: ‘servpass-440829-x509chain.pem’

And now you have to merge the CSR ‘servpass-440829-x509chain.pem’ and the generated public key in the right format.

You have to encrypted the private key in Triple DES

Go to your cygwin terminal and type:
$ openssl rsa -in servpass-440829-x509chain.pem -des3 -out keyout.pem

After that your were prompted for a passphrase.
Type for example test123 and repeat the passphrase.
This were needed for the WLC command line, later.

Take for example notepad++ and edit the ‘servpass-440829-x509chain.pem’ and ‘keyout.pem’

Like this:

Device cert
Intermediate cert
Root Cert

Proc-Type: 4,ENCRYPTED

Save the file as ‘final-cert.pem’ for example.

Prepare the WLC for downloading the final-cert.pem file.

WLC command line
(Cisco Controller) >transfer download mode tftp

(Cisco Controller) >transfer download datatype webauthcert

(Cisco Controller) >transfer download serverip

(Cisco Controller) >transfer download path /

(Cisco Controller) >transfer download filename final-cert.pem

(Cisco Controller) >transfer download certpassword test123

Final download to the WLC
(Cisco Controller) >transfer download start

Mode……………………………………… TFTP
Data Type…………………………………. Site Cert
TFTP Server IP……………………………..
TFTP Packet Timeout………………………… 6
TFTP Max Retries…………………………… 10
TFTP Path…………………………………. /
TFTP Filename……………………………… final-cert.pem

This may take some time.
Are you sure you want to start? (y/N) y

TFTP Webauth cert transfer starting.

TFTP receive complete… Installing Certificate.

Certificate installed.

                  Reboot the switch to use new certificate.

  1. Diana Reply

    A powerful share, I just given this onto a colgualee who was doing a bit analysis on this. And he the truth is bought me breakfast as a result of I discovered it for him.. smile. So let me reword that: Thnx for the treat! However yeah Thnkx for spending the time to discuss this, I feel strongly about it and love studying extra on this topic. If doable, as you develop into experience, would you mind updating your weblog with more details? It is extremely helpful for me. Massive thumb up for this blog put up!

    • Jacob Reply

      Thx! It’s a question of time.
      I will update this topic as soon as possible with a deeper insight.

Leave a Reply


captcha *