SSH into the WLC.
1. Generate RSA key
crypto key generate rsa general-keys modulus 4096 label 9800-WLC-KEY-HTTP exportable
2. Create the PKI trustpoint
crypto pki trustpoint HTTPS-TRUST-POINT
enrollment terminal pem
subject-name C=US, ST=New York, L=New York, O=NETPROJEKRALAC, OU=SECURE HTTPS MANAGEMENT, CN=9800NYC0001.netprojekralac.com
subject-alt-name 9800NYC0001.netprojekralac.com
revocation-check none
rsakeypair 9800-WLC-KEY-HTTP
exit
3. Authenticate the trustpoint with the CA certificate
Retrieve the CA certificate in Base64 format


Right-click on the .cer file and open it with Notepad++

Copy the certificate content and paste it into the terminal when prompted by this command:
crypto pki authenticate HTTPS-TRUST-POINT

Generate the WLC CSR
(config)#crypto pki enroll HTTPS-TRUST-POINT

Submit the CSR to the certificate authority




Double-click on the certificate to view the details



Upload the signed device certificate
crypto pki import HTTPS-TRUST-POINT certificate

View the certificate

Associate the trustpoint with the web interface
9800NYC0001(config)#ip http secure-trustpoint HTTPS-TRUST-POINT
Test the certificate



Note: Generating the CSR on the router does not include the IP address in the SAN. Accessing the device by IP address will generate a certificate error. Use the “off the box” OpenSSL method to resolve this issue.
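
The "off the box" approach mentioned in the note, as an added example that is not part of the original page: it builds a CSR with OpenSSL whose SAN carries both the FQDN and the management IP, then prints the requested SAN so it can be checked before submission. The IP 192.0.2.10 is a placeholder documentation address, and the function and file names are hypothetical.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): off-box CSR with FQDN + IP in the SAN.
# make_wlc_csr and csr_san are hypothetical helper names.

# Usage: make_wlc_csr <fqdn> <mgmt-ip> <outdir> [rsa-bits]
make_wlc_csr() (
    fqdn="$1"; ip="$2"; outdir="$3"; bits="${4:-4096}"
    umask 077    # private key and config readable by the owner only
    cat > "$outdir/wlc-csr.cnf" <<EOF
[ req ]
prompt             = no
distinguished_name = dn
req_extensions     = v3_req
[ dn ]
C  = US
ST = New York
L  = New York
O  = NETPROJEKRALAC
OU = SECURE HTTPS MANAGEMENT
CN = $fqdn
[ v3_req ]
keyUsage         = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = @alt_names
[ alt_names ]
DNS.1 = $fqdn
IP.1  = $ip
EOF
    # -nodes leaves the key unencrypted on disk; protect or wrap it afterwards.
    openssl req -new -newkey "rsa:$bits" -nodes -sha256 \
        -config "$outdir/wlc-csr.cnf" \
        -keyout "$outdir/wlc.key" -out "$outdir/wlc.csr" 2>/dev/null
)

# Print the SAN line the CSR requests, so it can be checked before submission.
csr_san() {
    openssl req -in "$1" -noout -text |
        grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//'
}

# Run directly: ./wlc-csr.sh 9800NYC0001.netprojekralac.com 192.0.2.10 ./out
if [ "$#" -ge 3 ]; then
    make_wlc_csr "$@" && csr_san "$3/wlc.csr"
fi
```

Check the issued certificate as well, since the CA decides whether to honour the SAN requested in the CSR.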

