Cisco 9800 Certificates “On the box”.


SSH into the WLC and enter global configuration mode. All of the commands below are entered there unless noted otherwise.

1. Generate the RSA key pair

crypto key generate rsa general-keys modulus 4096 label 9800-WLC-KEY-HTTP exportable

The label is what the trustpoint will reference in the next step. The exportable keyword allows the private key to be exported from the controller later (for example to back up or move the certificate); leave it off if the key must never leave the box.

2. Create the PKI trustpoint

crypto pki trustpoint HTTPS-TRUST-POINT
 enrollment terminal pem
 subject-name C=US, ST=New York, L=New York, O=NETPROJEKRALAC, OU=SECURE HTTPS MANAGEMENT, CN=9800NYC0001.netprojekralac.com
 subject-alt-name 9800NYC0001.netprojekralac.com
 revocation-check none
 rsakeypair 9800-WLC-KEY-HTTP
exit

enrollment terminal pem means the CA certificate, the CSR and the signed certificate are all cut and pasted through the terminal in Base64 (PEM) format. The subject-alt-name must be the FQDN that admins will type into the browser; modern browsers validate the SAN, not the CN. revocation-check none stops the controller from trying to fetch a CRL when it validates the imported chain.

3. Authenticate the trustpoint with the CA certificate

Export the certificate of the CA that will sign the WLC certificate in Base64-encoded (PEM) format. Right-click the .cer file, open it with a text editor such as Notepad++, and copy everything from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE-----.

crypto pki authenticate HTTPS-TRUST-POINT

Paste the certificate at the prompt, then type quit on a line of its own. The controller displays the CA certificate fingerprints and asks whether to accept it; check the fingerprint against the CA before answering yes. If the WLC certificate will be issued by a subordinate (intermediate) CA, authenticate this trustpoint with the subordinate's certificate, because the controller verifies the imported device certificate against the CA certificate held by the trustpoint; the root goes into a separate trustpoint.

4. Generate the WLC CSR

crypto pki enroll HTTPS-TRUST-POINT

Answer the prompts: the challenge password is only used for revocation with a SCEP CA and can be left blank for terminal enrollment; answer no to including the serial number and no to including an IP address in the subject name; answer yes to displaying the certificate request to the terminal. Copy the CSR from -----BEGIN CERTIFICATE REQUEST----- to -----END CERTIFICATE REQUEST-----.

5. Submit the CSR to the certificate authority

Have the CA sign the request and download the issued certificate in Base64-encoded (PEM) format, not DER. Double-click the certificate to view its details and confirm that the subject and the Subject Alternative Name match what was configured in the trustpoint before importing it.

6. Import the signed device certificate

crypto pki import HTTPS-TRUST-POINT certificate

Paste the Base64 certificate, then type quit on a line of its own. If the import fails to verify, the usual causes are a certificate that was not issued by the CA the trustpoint was authenticated with (see step 3) or a file downloaded in DER rather than Base64.

7. View the certificate

Verify on the controller that the trustpoint now holds both the CA certificate and the device certificate, and that the device certificate's subject and SAN are what was requested.

8. Associate the trustpoint with the web interface

ip http secure-trustpoint HTTPS-TRUST-POINT

The HTTPS server now presents this trustpoint's certificate. If a browser still shows the old self-signed certificate, disable and re-enable the HTTPS secure server so it picks up the new trustpoint, and reload the page in a fresh browser session.

9. Test the certificate

Browse to https://9800NYC0001.netprojekralac.com and confirm that the browser trusts the certificate and that the chain it shows ends at your CA.

Note: a CSR generated on the controller does not include the IP address in the SAN, so accessing the WLC by IP address will raise a certificate error in the browser even though the certificate is otherwise valid. If admins need IP-based access, generate the key and CSR off the box with OpenSSL (the "off the box" method), where the SAN can carry both the FQDN and the management IP address.
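As an added example for the test step and the note above (not part of the original post), the following script checks, from the admin workstation, whether a certificate's Subject Alternative Name covers the name or IP address that will be typed into the browser. It assumes the openssl CLI (1.1.1 or later) is installed; the FQDN 9800NYC0001.netprojekralac.com is taken from the post, while 192.0.2.10 is a constructed documentation-range address standing in for the WLC management IP. The demo builds two throw-away self-signed certificates, one shaped like the on-box CSR result (FQDN only) and one like an off-box CSR (FQDN plus IP), and shows why access by IP fails only for the first.

```shell
#!/bin/sh
# Added example (not from the original post): check whether a certificate's
# Subject Alternative Name covers the name or IP an admin types into the browser.
# Assumes the openssl CLI (1.1.1 or later, for "-addext") is on the workstation.
# 9800NYC0001.netprojekralac.com comes from the post; 192.0.2.10 is a constructed
# documentation-range address standing in for the WLC's management IP.

command -v openssl >/dev/null 2>&1 || { echo "openssl is required" >&2; exit 1; }

# Fetch the certificate the WLC actually serves on 443 (live use only; the demo
# below does not call it). SNI is sent so a multi-cert server picks the right one.
fetch_server_cert() {            # $1=host  $2=port (default 443)  -> PEM on stdout
  openssl s_client -connect "$1:${2:-443}" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509
}

# Print the SAN entries of a PEM certificate, one per line (e.g. "DNS:host",
# "IP Address:192.0.2.10"). Prints nothing if the certificate has no SAN.
cert_san() {                     # $1=cert.pem
  openssl x509 -in "$1" -noout -text \
    | grep -A1 'X509v3 Subject Alternative Name' \
    | tail -n 1 \
    | tr ',' '\n' \
    | sed 's/^[[:space:]]*//; s/[[:space:]]*$//'
}

# Return 0 if the SAN contains exactly this entry. Matching is exact; wildcards
# are not handled, which is fine for a management FQDN.
san_has() {                      # $1=cert.pem  $2=entry such as "DNS:host"
  cert_san "$1" | grep -Fxq -- "$2"
}

# Decide, for the name an admin would type in the URL bar, whether the
# certificate will validate: an IPv4 literal must appear as "IP Address:",
# a hostname as "DNS:" (browsers ignore the CN for this purpose).
check_access_name() {            # $1=cert.pem  $2=hostname or IPv4 address
  if printf '%s' "$2" | grep -Eq '^[0-9]{1,3}(\.[0-9]{1,3}){3}$'; then
    entry="IP Address:$2"
  else
    entry="DNS:$2"
  fi
  if san_has "$1" "$entry"; then
    echo "OK    https://$2/ : SAN contains '$entry'"
    return 0
  fi
  echo "ERROR https://$2/ : SAN lacks '$entry' (SAN is: $(cert_san "$1" | tr '\n' ' '))"
  return 1
}

# Build a throw-away self-signed certificate with a chosen SAN so the checks can
# be shown offline. Constructed test data only; the real WLC certificate comes
# from fetch_server_cert or from the file the CA issued.
make_demo_cert() {               # $1=out.pem  $2=CN  $3=SAN list, e.g. "DNS:a,IP:1.2.3.4"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "${1%.pem}.key" -out "$1" \
    -subj "/CN=$2" -addext "subjectAltName=$3" >/dev/null 2>&1
}

demo() {
  d=$(mktemp -d)
  fqdn=9800NYC0001.netprojekralac.com
  ip=192.0.2.10
  # What the on-box CSR produces: FQDN in the SAN, no IP address.
  make_demo_cert "$d/onbox.pem"  "$fqdn" "DNS:$fqdn"
  # What an off-box OpenSSL CSR can carry: FQDN and management IP.
  make_demo_cert "$d/offbox.pem" "$fqdn" "DNS:$fqdn,IP:$ip"
  for c in onbox offbox; do
    echo "== $c certificate =="
    check_access_name "$d/$c.pem" "$fqdn" || true
    check_access_name "$d/$c.pem" "$ip"   || true
  done
  rm -rf "$d"
}

demo
```

Against the live controller, save the served certificate first (fetch_server_cert 9800NYC0001.netprojekralac.com > wlc.pem) and then run check_access_name wlc.pem with the FQDN and with the management IP; to confirm the chain rather than just the SAN, run openssl verify -CAfile ca.pem wlc.pem with the CA certificate from step 3. On the controller itself, show crypto pki certificates HTTPS-TRUST-POINT lists the CA and device certificates held by the trustpoint, including the subject and SAN fields.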
