We have a Cisco WLC 9800 that we use for our guest wireless LAN. We have to use an SSL certificate on this WLAN so that when people connect they can trust the connection. We have used this for years and have never had problems updating the SSL certificate until this year. We reached out to our certificate vendor and provided them with a CSR. When they sent the certificate back we tried to apply it to the controller and it failed. I thought I might have done something wrong when I created the new Trustpoint, so I removed all of my settings and started again. I sent the CSR to the provider and asked that they send the certificate back with the full certificate chain in PFX format. Again, I tried to upload the certificate and it failed. I had done some searching to try and figure out what was going on, but the error messages I saw popping up weren’t very helpful and didn’t stay on the screen long enough to get the full text. I was at a loss.
I looked up the process for installing a certificate on the controllers and was pretty sure I was doing everything correctly. I asked our certificate provider to generate the certificate on their own and to send me back a PFX containing the full chain, the certificate, and the private key. They did, and guess what, the stupid thing failed to import for a third time.
However, this time I was able to get a better view of the error.

I did another search and came across a post that suggested using OpenSSL version 1.1.1 to repackage the PFX file. The suggestion was to extract all the pieces from the PFX that I received and then put them back into a PFX with that version of OpenSSL (I had version 3.x on my Linux box). That seemed like more work than I wanted. I then found out I could add a “legacy” option to the OpenSSL command. (OpenSSL 3.x changed the default PKCS#12 encryption to AES-256-CBC with PBKDF2, which older importers cannot parse; the -legacy option restores the 3DES/RC2 encryption that 1.1.1 produced.) I thought I’d give it a try.
I extracted the certificate, certificate chain, and key from the PFX that my provider sent me. Then I ran the following command to recreate the PFX file.
openssl pkcs12 -export -legacy -in ourdomain.cer -inkey ourdomain.key -out legacy-ourdomain.pfx
I then attempted to add the certificate to the WLC. This time it worked like I originally expected. Once the certificate was imported and a new Trustpoint was created, I was able to update our WebAuth to use the new Trustpoint.