Cisco 9800 Certificates “Off the box”

“On box”

Create the CSR

Create a folder with the name of the device

Create the OpenSSL .cnf file

nano 9800NYC0002_CSR_SAN.cnf

Update the following sections in the file to reflect the content below

[ req ]
default_bits            = 4096
default_keyfile         = privkey.pem
distinguished_name      = req_distinguished_name
req_extensions          = req_ext
attributes              = req_attributes
x509_extensions         = v3_ca # The extensions to add to the self signed cert

[ req_ext ]
subjectAltName = @alt_names
[ alt_names ]
DNS.1   =
IP.1    =

Generate the CSR for the device

openssl req -out -newkey rsa:4096 -keyout 9800NYC0002.netprojekralac.com_PRIVATE.key -config 9800NYC0002_CSR_SAN.cnf

Enter the certificate details

Two files will be created: the private key (-keyout) and the CSR (-out)

Use OpenSSL to view and verify the contents of the CSR

openssl req -text -in  -noout -verify

Submit the CSR to the certificate authority. Copy and paste the contents.
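As an added example (not from the original post) that scripts the CSR steps above end to end: it writes the SAN .cnf non-interactively, generates the passphrase-protected 4096-bit key and CSR, and checks that the CSR verifies and carries both SAN entries before its contents are pasted into the CA. The device name, FQDN, IP address and passphrase are constructed placeholders, and make_san_csr / csr_has_san are hypothetical helper names.

```shell
#!/bin/sh
# Added example, not from the original post: write the SAN .cnf, generate the
# 4096-bit key + CSR without prompts (prompt = no, passphrase passed in), then
# confirm the CSR verifies and lists both SAN entries before it goes to the CA.
# Device name, FQDN, IP and passphrase are constructed placeholders.
set -eu

# make_san_csr NAME FQDN IP KEYPASS
# Writes NAME_CSR_SAN.cnf, NAME_PRIVATE.key (passphrase-protected) and NAME.csr
# into the current directory (the per-device folder from the post).
make_san_csr() {
  name="$1"; fqdn="$2"; ip="$3"; keypass="$4"
  cat > "${name}_CSR_SAN.cnf" <<EOF
[ req ]
default_bits        = 4096
prompt              = no
distinguished_name  = req_distinguished_name
req_extensions      = req_ext

[ req_distinguished_name ]
CN = ${fqdn}

[ req_ext ]
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = ${fqdn}
IP.1  = ${ip}
EOF
  openssl req -new -newkey rsa:4096 \
    -keyout "${name}_PRIVATE.key" -passout "pass:${keypass}" \
    -out "${name}.csr" -config "${name}_CSR_SAN.cnf" 2>/dev/null
}

# csr_has_san CSR FQDN IP
# Returns 0 only if the CSR self-signature verifies and the requested
# extensions contain both DNS:FQDN and IP Address:IP; the SAN is what lets a
# browser match the WLC by hostname and by IP address.
csr_has_san() {
  txt=$(openssl req -in "$1" -noout -verify -text 2>&1) || return 1
  printf '%s\n' "$txt" | grep -q "DNS:$2" || return 1
  printf '%s\n' "$txt" | grep -q "IP Address:$3"
}
```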

View the certificate content

Combine the certificates into a single .pfx file

Create a new file with the intermediate cert and root cert

Copy the file to the folder where the .cer and .csr files reside.

Note: The .cer file can be converted into .pem format.

openssl x509 -in -outform PEM -out

Merge the private.key, device .pem file, and combined root ca/intermediate ca files to create the .pfx file. The private key password is required.

openssl pkcs12 -export -macalg sha1 -legacy -descert -out -inkey 9800NYC0002.netprojekralac.com_PRIVATE.key -in -certfile ROOT-AND-INT-COMBINED.pem

The .pfx file was created successfully.

View the contents of the .pfx file

Convert pfx to PEM

Note: The PKCS#12 or PFX format is a binary format for storing the server certificate, intermediate certificates, and the private key in one encryptable file. PFX files usually have extensions such as .pfx and .p12. PFX files are typically used on Windows machines to import and export certificates and private keys.

openssl pkcs12 -in -out

Import the certificate to the WLC

Verify that the cert was uploaded successfully

Verify the trustpoint

Assign the certificate to the GUI

ip http secure-trustpoint

Accessing the device by hostname or IP address is now secure
