Create the CSR
Create a folder with the name of the device
Create the OpenSSL .cnf file
nano 9800NYC0002_CSR_SAN.cnf
Update the following sections in the file to reflect the content below. The sections these settings reference (req_distinguished_name, req_attributes and v3_ca) must exist in the same file, so start from a copy of the default openssl.cnf rather than an empty file; v3_ca is only used for self-signed certificates and does not affect the CSR.
[ req ]
default_bits = 4096
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
req_extensions = req_ext
attributes = req_attributes
x509_extensions = v3_ca # The extensions to add to the self signed cert
[ req_ext ]
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = 9800NYC0002.netprojekralac.com
IP.1 = 10.0.0.48
Generate the CSR for the device
openssl req -out 9800NYC0002.netprojekralac.com.csr -newkey rsa:4096 -keyout 9800NYC0002.netprojekralac.com_PRIVATE.key -config 9800NYC0002_CSR_SAN.cnf
Enter a passphrase for the new private key when prompted (the key is written encrypted), then the certificate details (country, state, locality, organization and Common Name). Use the device FQDN as the Common Name; browsers match the Subject Alternative Name, which is why the SAN carries both the FQDN and the IP address.
Two files are created: the CSR (9800NYC0002.netprojekralac.com.csr) and the encrypted private key (9800NYC0002.netprojekralac.com_PRIVATE.key).
Use OpenSSL to view the contents of the CSR and verify its self-signature. Check that the Subject Alternative Name section lists both the DNS name and the IP address before submitting it.
openssl req -text -in 9800NYC0002.netprojekralac.com.csr -noout -verify
Submit the CSR to the certificate authority by copying and pasting the contents of the .csr file into the CA's request form.
Download the issued certificate (.cer) together with the CA's root and intermediate certificates, and view the certificate content.
Combine the certificates and the private key into a single .pfx file
Image reference: https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/213917-generate-csr-for-third-party-certificate.html
Create a new PEM file (ROOT-AND-INT-COMBINED.pem below) containing the intermediate CA certificate and the root CA certificate.
Copy the file to the folder where the .cer and .csr files reside.
Note: The .cer file can be converted into .pem format. The command below assumes a PEM-encoded .cer; if the CA delivered the certificate in binary DER form, add -inform DER to the command.
openssl x509 -in 9800NYC0002.netprojekralac.com.cer -outform PEM -out 9800NYC0002.netprojekralac.com.pem
Merge the private key, the device .pem file, and the combined root CA/intermediate CA file to create the .pfx file. OpenSSL prompts first for the private key passphrase and then for an export password; the WLC asks for that export password on import. The -legacy, -descert and -macalg sha1 options make OpenSSL 3.x write the older 3DES/SHA-1 PKCS#12 layout that the controller import accepts; OpenSSL 1.1.x has no -legacy option and already produces that layout, so omit it there. The .pfx contains the private key, so protect it like the key itself and delete it from the workstation once the import has succeeded.
openssl pkcs12 -export -macalg sha1 -legacy -descert -out 9800NYC0002.netprojekralac.com.pfx -inkey 9800NYC0002.netprojekralac.com_PRIVATE.key -in 9800NYC0002.netprojekralac.com.pem -certfile ROOT-AND-INT-COMBINED.pem
The .pfx file was created successfully.
View the contents of the .pfx file
Convert the .pfx to PEM. The output file holds the private key (OpenSSL prompts for the import password, then for a new passphrase to protect the key in the PEM output) followed by the device, intermediate and root certificates.
Note: The PKCS#12 or PFX format is a binary format for storing the server certificate, intermediate certificates, and the private key in one encryptable file. PFX files usually have extensions such as .pfx and .p12. PFX files are typically used on Windows machines to import and export certificates and private keys.
Reference: https://knowledge.digicert.com/solution/how-to-convert-a-certificate-into-the-appropriate-format
openssl pkcs12 -in 9800NYC0002.netprojekralac.com.pfx -out 9800NYC0002.netprojekralac.com-chained.pem
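The whole OpenSSL side of this procedure, from the SAN config file to the .pfx-to-PEM conversion, as an added end-to-end example (this is not code from the Cisco guide or from this page). It runs the page's commands non-interactively in a scratch directory; because the third-party CA is not reachable offline, a constructed throwaway root and issuing CA stand in to sign the CSR and hand back a DER .cer. The device name, FQDN and IP address are the page's; the passphrases, DN values and test CA names are assumptions. It also adds the checks worth running before uploading: the SAN contents, chain validity, that the key matches the certificate, and how many certificates were packed into the .pfx.

```shell
#!/bin/sh
# Added example, not from the Cisco guide: the page's OpenSSL workflow end to end
# (SAN config -> key + CSR -> CSR check -> .cer to PEM -> chain file -> legacy .pfx
# -> .pfx back to PEM) run non-interactively. The third-party CA is replaced by a
# CONSTRUCTED throwaway root + issuing CA so it runs offline. Device name, FQDN and
# IP follow the page; passphrases, DN values and CA names are assumptions.
set -eu
DEVICE="9800NYC0002"
FQDN="${DEVICE}.netprojekralac.com"
DEVICE_IP="10.0.0.48"
KEY_PASS="key-passphrase-example"  # assumption: passphrase chosen when the key is generated
EXPORT_PASS="pfx-export-example"   # assumption: export password the WLC asks for on import

write_csr_config() {
  # The page's [req]/[req_ext]/[alt_names] sections plus the [req_distinguished_name]
  # section they reference (normally inherited from the system openssl.cnf) and prompt=no.
  cat > "${DEVICE}_CSR_SAN.cnf" <<EOF
[ req ]
default_bits = 4096
distinguished_name = req_distinguished_name
req_extensions = req_ext
prompt = no
[ req_distinguished_name ]
C = US
O = netprojekralac
CN = ${FQDN}
[ req_ext ]
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = ${FQDN}
IP.1 = ${DEVICE_IP}
EOF
}
make_test_ca() {
  # CONSTRUCTED stand-in for the real CA: a self-signed root and an issuing CA it signs.
  cat > test-ca.cnf <<EOF
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ v3_device ]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
subjectAltName = DNS:${FQDN}, IP:${DEVICE_IP}
EOF
  openssl req -new -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Example Test Root CA" \
    -config test-ca.cnf -extensions v3_ca -keyout root.key -out root.pem
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Test Issuing CA" \
    -config test-ca.cnf -keyout int.key -out int.csr
  openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial -days 365 \
    -extfile test-ca.cnf -extensions v3_ca -out int.pem
}
pfx_legacy_flag() {
  # OpenSSL 3.x writes AES-256/PBKDF2 PKCS#12 by default, which older IOS-XE imports reject;
  # -legacy (with -descert and -macalg sha1) restores the 3DES/SHA-1 layout. OpenSSL 1.1.x
  # has no -legacy option and already emits that layout, so print nothing there.
  case "$(openssl version)" in
    "OpenSSL 3"*) openssl list -providers -provider legacy >/dev/null 2>&1 && echo "-legacy" ;;
  esac
  return 0
}
build_pfx() {
  openssl x509 -inform DER -in "${FQDN}.cer" -outform PEM -out "${FQDN}.pem"  # CA returned DER .cer
  cat int.pem root.pem > ROOT-AND-INT-COMBINED.pem                            # issuing CA, then root
  openssl pkcs12 -export $(pfx_legacy_flag) -macalg sha1 -descert \
    -inkey "${FQDN}_PRIVATE.key" -passin "pass:${KEY_PASS}" -in "${FQDN}.pem" \
    -certfile ROOT-AND-INT-COMBINED.pem -passout "pass:${EXPORT_PASS}" -out "${FQDN}.pfx"
}
pfx_to_pem() {  # the page's last OpenSSL step: unpack the .pfx into an encrypted key plus the chain
  openssl pkcs12 $(pfx_legacy_flag) -in "${FQDN}.pfx" -passin "pass:${EXPORT_PASS}" \
    -passout "pass:${KEY_PASS}" -out "${FQDN}-chained.pem"
}
# Checks worth running before uploading the .pfx to the controller.
cert_san() {          # prints the SAN line of the issued certificate
  openssl x509 -in "${FQDN}.pem" -noout -text | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//'
}
pfx_cert_count() {    # certificates packed into the .pfx: leaf + issuing + root = 3
  openssl pkcs12 $(pfx_legacy_flag) -in "${FQDN}.pfx" -passin "pass:${EXPORT_PASS}" -nokeys | grep -c 'BEGIN CERTIFICATE'
}
chain_verifies() {    # succeeds when the leaf chains to the root through the issuing CA
  openssl verify -CAfile root.pem -untrusted int.pem "${FQDN}.pem" >/dev/null
}
key_matches_cert() {  # succeeds when the private key belongs to the issued certificate
  [ "$(openssl x509 -noout -modulus -in "${FQDN}.pem")" = \
    "$(openssl rsa -noout -modulus -in "${FQDN}_PRIVATE.key" -passin "pass:${KEY_PASS}")" ]
}
main() {
  WORKDIR=$(mktemp -d); cd "$WORKDIR"
  write_csr_config
  openssl req -new -newkey rsa:4096 -config "${DEVICE}_CSR_SAN.cnf" \
    -keyout "${FQDN}_PRIVATE.key" -passout "pass:${KEY_PASS}" -out "${FQDN}.csr"
  openssl req -in "${FQDN}.csr" -noout -verify  # the page's CSR self-signature check
  make_test_ca
  openssl x509 -req -in "${FQDN}.csr" -CA int.pem -CAkey int.key -CAcreateserial -days 365 \
    -extfile test-ca.cnf -extensions v3_device -outform DER -out "${FQDN}.cer"  # "CA" issues DER
  build_pfx
  pfx_to_pem
  echo "artifacts in $WORKDIR; SAN: $(cert_san); certificates in .pfx: $(pfx_cert_count)"
}
main
```

Run it as-is to see the whole round trip; to use it for real, delete make_test_ca and the signing line in main, submit the generated .csr to the CA, and drop the returned .cer and chain files into the working directory before build_pfx. If pfx_legacy_flag prints nothing on OpenSSL 3.x, the legacy provider module is not installed and the .pfx will use AES, which the controller may refuse. On the controller side the matching checks are show crypto pki certificates verbose followed by the trustpoint name, and show ip http server secure status, which should name that trustpoint once the ip http secure-trustpoint command has been applied.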
Import the certificate to the WLC
Verify that the cert was uploaded successfully
Verify the trustpoint
Assign the certificate to the GUI by pointing the HTTPS server at the trustpoint created by the import. The argument is the trustpoint name (here the import named it after the .pfx file), not a file path, and the command is entered in configuration mode.
ip http secure-trustpoint 9800NYC0002.netprojekralac.com.pfx
Accessing the device by hostname or by IP address is now secure: the browser accepts the certificate for both https://9800NYC0002.netprojekralac.com and https://10.0.0.48 because both names are in the Subject Alternative Name, provided the workstation trusts the issuing CA.