SSH into the WLC
1. Generate RSA key
crypto key generate rsa general-keys modulus 4096 label 9800-WLC-KEY-HTTP exportable
2. Create the PKI trustpoint
crypto pki trustpoint HTTPS-TRUST-POINT
enrollment terminal pem
subject-name C=US, ST=New York, L=New York, O=NETPROJEKRALAC, OU=SECURE HTTPS MANAGEMENT, CN=9800NYC0001.netprojekralac.com
subject-alt-name 9800NYC0001.netprojekralac.com
revocation-check none
rsakeypair 9800-WLC-KEY-HTTP
exit
3. Authenticate the trustpoint with the CA certificate
crypto pki authenticate HTTPS-TRUST-POINT
Retrieve the CA certificate in Base64 format
Right-click on the .cer file and open it with Notepad++
Copy and paste the certificate content into the terminal
4. Generate the WLC CSR
(config)#crypto pki enroll HTTPS-TRUST-POINT
5. Submit the CSR to the certificate authority
Double-click on the certificate to view the details
6. Upload the signed device certificate
crypto pki import HTTPS-TRUST-POINT certificate
View the certificate
7. Associate the trustpoint with the web interface
9800NYC0001(config)#ip http secure-trustpoint HTTPS-TRUST-POINT
8. Test the certificate
Note: Generating the CSR on the router does not include the IP address in the SAN. Accessing the device by IP address will generate a certificate error. Use the “off the box” OpenSSL method to resolve this issue.
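A sketch of the off-the-box OpenSSL approach the note refers to, added here as an example and not part of the original page: it generates the key and a CSR whose SAN carries both the DNS name and the management IP, then checks the CSR before it goes to the CA. The function names are hypothetical and the IP address 192.0.2.10 is a constructed placeholder; the subject fields are the ones used in the trustpoint above.

```bash
# Added example: build the key and CSR off the box so the SAN carries both
# the DNS name and the management IP. Function names are hypothetical.

make_wlc_csr() {
  # usage: make_wlc_csr <fqdn> <mgmt-ip> <outdir> [rsa-bits]
  local fqdn="$1" ip="$2" out="$3" bits="${4:-4096}"
  mkdir -p "$out" || return 1
  (
    umask 077   # keep the private key readable by the owner only
    cat > "$out/csr.cnf" <<EOF
[ req ]
default_md         = sha256
prompt             = no
distinguished_name = dn
req_extensions     = v3_req

[ dn ]
C  = US
ST = New York
L  = New York
O  = NETPROJEKRALAC
OU = SECURE HTTPS MANAGEMENT
CN = $fqdn

[ v3_req ]
subjectAltName = DNS:$fqdn, IP:$ip
EOF
    openssl req -new -newkey "rsa:$bits" -nodes -config "$out/csr.cnf" \
      -keyout "$out/wlc.key" -out "$out/wlc.csr" 2>/dev/null
  ) || return 1
}

csr_sans() {
  # Print the SAN line of a CSR, trimmed, for review before submission.
  openssl req -in "$1" -noout -text |
    grep -A1 'Subject Alternative Name' | tail -n1 | sed 's/^ *//; s/ *$//'
}

csr_has_ip_san() {
  # Succeed only if the CSR lists exactly this IP as a SAN entry.
  csr_sans "$1" | tr ',' '\n' | sed 's/^ *//' | grep -qxF "IP Address:$2"
}

# Constructed sample values: FQDN from the page, IP from the documentation range.
# make_wlc_csr 9800NYC0001.netprojekralac.com 192.0.2.10 ./wlc-csr
# csr_has_ip_san ./wlc-csr/wlc.csr 192.0.2.10 && csr_sans ./wlc-csr/wlc.csr
```

With this method the private key is created on the workstation, so the output directory should be treated as key material.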