
Using public-facing certificates for BYOD onboarding is important because they ensure:
- Trust across all devices: Public certificates are trusted by default on most user devices (phones, tablets, laptops), avoiding certificate warnings during onboarding.
- Seamless user experience: Users can connect without needing to manually install or accept untrusted certificates.
- Secure HTTPS communication: Public CAs provide validated, encrypted communication for onboarding portals.
- Avoidance of security errors: Prevents TLS/SSL errors that can disrupt onboarding or lead to users bypassing security prompts.
In short, public certificates simplify BYOD onboarding, enhance trust, and improve security and usability.
The following steps outline how to obtain a public-facing certificate from ZeroSSL.
ZeroSSL is a certificate authority (CA) that provides free and paid SSL/TLS certificates to secure websites and online services. Founded as an alternative to Let’s Encrypt, ZeroSSL supports both ACME protocol automation and a user-friendly web interface for manual certificate generation. It offers:
- Free 90-day certificates with renewal options
- Wildcard and multi-domain certificates (with paid plans)
- ACME integration for automation with web servers and tools like Certbot
- Email, DNS, and HTTP validation methods
ZeroSSL is widely used by developers and businesses seeking a flexible, accessible, and affordable SSL solution to secure their web traffic.
ACME (Automatic Certificate Management Environment) is a protocol developed by the Internet Security Research Group (ISRG), the creators of Let’s Encrypt, to automate the process of obtaining, renewing, and managing SSL/TLS certificates.
What ACME Does:
ACME allows servers (like web servers or network devices) to:
- Request a certificate
- Prove control of a domain
- Automatically install and renew certificates
1. Generate the private key
# 2048-bit RSA key, encrypted at rest with AES-256 (prompts for a passphrase)
openssl genrsa -aes256 -out dmzwirelessZeroSSL.private-key 2048
2. Create a CSR
# Build the CSR from the key created in step 1 (-key); -addext sets the SAN and needs OpenSSL 1.1.1 or later
openssl req -new -key dmzwirelessZeroSSL.private-key -out dmzwirelessZeroSSL.csr -subj "/C=US/ST=State/L=New York/O=NETPROJEKRALAC/OU=WLAN/CN=dmzwireless.netprojekralac.com" -addext "subjectAltName=DNS:dmzwireless.netprojekralac.com"
3. Log into ZeroSSL.com

4. Submit the CSR






5. Log in to your hosting provider and add the CNAME record to DNS




6. Once the CNAME is added, return to the ZeroSSL page and download the certificate chain.

7. Open the downloaded folder to view the certificates
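Before importing into ISE, it is worth confirming that the downloaded certificate belongs to the private key from step 1, lists the portal FQDN in its SAN, and is not about to expire. The script below is an added example, not part of the original post: the function names are hypothetical, it needs OpenSSL 1.1.1 or later, and the demo at the end runs on constructed, self-signed throwaway material rather than a ZeroSSL certificate.

```bash
#!/usr/bin/env bash
# Pre-import checks for a CA-issued certificate (added example, hypothetical names).
# Requires OpenSSL 1.1.1+ (for -ext / -addext).

pubkey_of() {  # pubkey_of key|csr|cert FILE -> PEM public key on stdout
  case "$1" in
    key)  openssl pkey -in "$2" -pubout ;;   # prompts if the key is encrypted
    csr)  openssl req  -in "$2" -noout -pubkey ;;
    cert) openssl x509 -in "$2" -noout -pubkey ;;
    *)    return 2 ;;
  esac
}

same_keypair() {  # same_keypair TYPE_A FILE_A TYPE_B FILE_B
  _a=$(pubkey_of "$1" "$2") || return 1
  _b=$(pubkey_of "$3" "$4") || return 1
  [ -n "$_a" ] && [ "$_a" = "$_b" ]
}

cert_has_san() {  # exact match of FQDN against the certificate's DNS SAN entries
  openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null |
    tr ',' '\n' | sed 's/^ *//' | grep -qxF "DNS:$2"
}

cert_valid_for_days() {  # true if CERT is still valid DAYS from now
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

preimport_check() {  # preimport_check KEY CERT FQDN
  same_keypair key "$1" cert "$2" || { echo "FAIL: certificate does not match private key"; return 1; }
  cert_has_san "$2" "$3"          || { echo "FAIL: $3 not in subjectAltName"; return 1; }
  cert_valid_for_days "$2" 7      || { echo "FAIL: certificate expires within 7 days"; return 1; }
  echo "OK: certificate matches the key and covers $3"
}

make_sample() {  # constructed throwaway key pair + self-signed cert in DIR
  openssl genrsa -out "$1/test.key" 2048 2>/dev/null &&
  openssl genrsa -out "$1/other.key" 2048 2>/dev/null &&
  openssl req -x509 -new -key "$1/test.key" -days 30 -out "$1/test.crt" \
    -subj "/CN=dmzwireless.netprojekralac.com" \
    -addext "subjectAltName=DNS:dmzwireless.netprojekralac.com" 2>/dev/null
}

# Demo on constructed material (self-signed, not a ZeroSSL certificate).
d=$(mktemp -d) && make_sample "$d" &&
  preimport_check "$d/test.key" "$d/test.crt" dmzwireless.netprojekralac.com
rm -rf "$d"
```

For the files from this procedure, call preimport_check with dmzwirelessZeroSSL.private-key, the downloaded certificate file, and dmzwireless.netprojekralac.com; same_keypair key ... csr ... performs the same key comparison on the CSR before it is submitted.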
Installing the certificates on the Cisco ISE Deployment
- Log into the admin node



Install the system certificate


Note: The “Portal group tag” must be tied back to the guest captive portal page

Verify that the BYOD & Guest portal has a valid public-facing certificate


