Problem
A Catalyst 9800 WLC HA pair needs a CA-signed certificate for its HTTPS web management interface (westdc9800-1.netprojekralac.com), and that certificate must remain valid after a failover to the standby controller.
Resolution
1. Generate the RSA key pair
crypto key generate rsa general-keys modulus 4096 label 9800-WLC-KEY-HTTP exportable
Note: "exportable" allows the private key to be exported later with "crypto key export"; leave it off unless you need to back up or move the key.
2. Create the PKI trustpoint
crypto pki trustpoint HTTPS-TRUST-POINT
enrollment terminal pem
subject-name C=US, ST=New York, L=New York, O=NETPROJEKRALAC, OU=SECURE HTTPS MANAGEMENT, CN=westdc9800-1.netprojekralac.com
subject-alt-name westdc9800-1.netprojekralac.com
revocation-check none
rsakeypair 9800-WLC-KEY-HTTP
exit
Note: The subject-alt-name must be the FQDN administrators type into the browser; browsers match the SAN, not the CN. "revocation-check none" only disables CRL/OCSP lookups when the WLC itself validates certificates against this trustpoint, which is acceptable for a trustpoint that holds only the device's own identity certificate.
3. Authenticate the trustpoint with the CA certificate
crypto pki authenticate HTTPS-TRUST-POINT
Retrieve the CA certificate in base64 (PEM) format: right-click the exported .cer file, open it with a text editor, and paste the contents (including the BEGIN/END CERTIFICATE lines) at the prompt. Compare the fingerprint the WLC prints with the one published by your CA before answering "yes".
4. Generate the WLC CSR
(config)#crypto pki enroll HTTPS-TRUST-POINT
Because the trustpoint uses terminal enrollment, the CSR is printed to the console in PEM format; copy it, including the BEGIN/END lines, into a .csr file.
5. Submit the CSR to the certificate authority and download the signed certificate in base64 (PEM) format
6. Verify the signed certificate before importing it: the issuer must be the CA authenticated in step 3, the subject alternative name must contain westdc9800-1.netprojekralac.com, and the public key must match the CSR (otherwise the import will not bind to the 9800-WLC-KEY-HTTP key pair).
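The checks in step 6 can be scripted on the workstation before anything is pasted into the WLC. The script below is an added example, not part of the original procedure or of Cisco's tooling; it assumes the openssl CLI (1.1.1 or newer) is installed. The CA, key and CSR it generates are constructed stand-ins so it runs offline; against a real controller you would point verify_signed_cert at the CA's .cer (converted to PEM), the CSR that "crypto pki enroll" printed, and the certificate the CA returned.

```shell
#!/bin/sh
# Added example (not from the original page): pre-import checks on the certificate
# returned by the CA. Assumes the openssl CLI (1.1.1+) is on PATH.
# The CA, WLC key and CSR below are CONSTRUCTED stand-ins so the script runs offline.
set -eu

FQDN="westdc9800-1.netprojekralac.com"   # the subject-alt-name configured on the trustpoint
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# verify_signed_cert CERT.pem CSR.pem CA.pem FQDN
# Returns 0 only if the certificate chains to CA.pem, carries FQDN in its SAN,
# contains the public key from the CSR, and is not within 24h of expiry.
verify_signed_cert() {
  cert="$1"; csr="$2"; ca="$3"; fqdn="$4"

  # 1. Chain and hostname: signed by the CA authenticated on the trustpoint, valid for FQDN.
  if ! openssl verify -CAfile "$ca" -verify_hostname "$fqdn" "$cert" >/dev/null 2>&1; then
    echo "FAIL: does not chain to the CA or is not valid for $fqdn" >&2
    return 1
  fi

  # 2. Explicit SAN check: browsers ignore the CN, so the name must be in the SAN extension.
  if ! openssl x509 -in "$cert" -noout -ext subjectAltName 2>/dev/null | grep -q "DNS:$fqdn"; then
    echo "FAIL: subjectAltName does not contain DNS:$fqdn" >&2
    return 1
  fi

  # 3. Key binding: the certificate must carry the public key from the WLC's CSR, or
  #    "crypto pki import" will not match the rsakeypair on the trustpoint.
  cert_key="$(openssl x509 -in "$cert" -noout -pubkey)"
  csr_key="$(openssl req -in "$csr" -noout -pubkey)"
  if [ "$cert_key" != "$csr_key" ]; then
    echo "FAIL: certificate public key does not match the CSR" >&2
    return 1
  fi

  # 4. Validity window: reject an already-expired certificate or one expiring within a day.
  if ! openssl x509 -in "$cert" -noout -checkend 86400 >/dev/null; then
    echo "FAIL: certificate is expired or expires within 24 hours" >&2
    return 1
  fi

  echo "OK: $(openssl x509 -in "$cert" -noout -issuer -enddate | tr '\n' ' ')"
}

# --- constructed fixtures: a throwaway CA and two CSRs, stand-ins for the real PKI ---
make_fixtures() {
  # Throwaway CA (stands in for the enterprise CA that signs the WLC certificate)
  openssl req -x509 -newkey rsa:2048 -nodes -days 3 -subj "/CN=example-CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
  # CSR with the same subject and SAN the WLC trustpoint would produce
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/wlc.key" -out "$WORK/wlc.csr" \
    -subj "/C=US/ST=New York/L=New York/O=NETPROJEKRALAC/OU=SECURE HTTPS MANAGEMENT/CN=$FQDN" \
    -addext "subjectAltName=DNS:$FQDN" 2>/dev/null
  # Sign it, copying the SAN into the certificate (a CA template normally does this)
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$FQDN" > "$WORK/ext.cnf"
  openssl x509 -req -in "$WORK/wlc.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 2 -extfile "$WORK/ext.cnf" -out "$WORK/wlc.pem" 2>/dev/null
  # A CSR from a different key: simulates the CA handing back someone else's certificate
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/other.key" -out "$WORK/other.csr" \
    -subj "/CN=$FQDN" -addext "subjectAltName=DNS:$FQDN" 2>/dev/null
}

make_fixtures
verify_signed_cert "$WORK/wlc.pem" "$WORK/wlc.csr" "$WORK/ca.pem" "$FQDN"
if ! verify_signed_cert "$WORK/wlc.pem" "$WORK/other.csr" "$WORK/ca.pem" "$FQDN"; then
  echo "mismatched CSR correctly rejected"
fi
```

The public-key comparison is the check most often skipped: a certificate that chains correctly and names the right host but was issued for a different CSR will still be refused by "crypto pki import" (or, worse, imported against a trustpoint whose key it does not match), and the failure is far easier to diagnose on the workstation than in the IOS-XE console.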
7. Import the signed device certificate
Enter configuration commands, one per line. End with CNTL/Z.
westdc9800-1(config)#crypto pki import HTTPS-TRUST-POINT certificate
Enter the base 64 encoded certificate.
End with a blank line or the word "quit" on a line by itself
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
quit
% Router Certificate successfully imported
8. View the certificate contents and confirm the device certificate and CA certificate are both "Available"
westdc9800-1#show crypto pki certificates HTTPS-TRUST-POINT
Certificate
Status: Available
Certificate Serial Number (hex): 7B0000003CC2C7419EE491828D00000000003C
Certificate Usage: General Purpose
Issuer:
cn=netprojekralac-EKRALAC-SRV-02-CA
dc=netprojekralac
dc=com
Subject:
Name: westdc9800-1.netprojekralac.com
cn=westdc9800-1.netprojekralac.com
ou=SECURE HTTPS MANAGEMENT
o=NETPROJEKRALAC
l=New York
st=New York
c=US
CRL Distribution Points:
ldap:///CN=netprojekralac-EKRALAC-SRV-02-CA,CN=EKRALAC-SRV-02,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=netprojekralac,DC=com?certificateRevocationList?base?objectClass=cRLDistributionPoint
Validity Date:
start date: 10:06:15 est Jul 19 2024
end date: 10:06:15 est Jul 19 2026
Associated Trustpoints: HTTPS-TRUST-POINT
CA Certificate
Status: Available
Certificate Serial Number (hex): 4EC137B3726BD7A9408F6B945B00CE91
Certificate Usage: Signature
Issuer:
cn=netprojekralac-EKRALAC-SRV-02-CA
dc=netprojekralac
dc=com
Subject:
cn=netprojekralac-EKRALAC-SRV-02-CA
dc=netprojekralac
dc=com
Validity Date:
start date: 09:02:40 est Sep 15 2022
end date: 08:12:39 est Sep 15 2052
Associated Trustpoints: HTTPS-TRUST-POINT
9. Associate the trustpoint with the web interface
ip http secure-trustpoint HTTPS-TRUST-POINT
The HTTPS server only picks up the new trustpoint when it is restarted: enter "no ip http secure-server" followed by "ip http secure-server" (this briefly drops the web UI), then browse to https://westdc9800-1.netprojekralac.com and confirm the certificate presented is the one issued by netprojekralac-EKRALAC-SRV-02-CA.
Note: In an HA SSO pair the configuration, including the trustpoint and its key pair, is synchronized to the standby, so the certificate is shared between the primary and secondary WLC.
10. Verify the certificate on the failover device
Shut down WLC1. The standby, westdc9800-1-stby (10.0.0.46), takes over as active, assumes the hostname westdc9800-1, and now owns the wireless management interface address 10.0.0.48.
Browse to https://westdc9800-1.netprojekralac.com again and confirm the same CA-signed certificate is presented. Connect by the FQDN, not the IP address: the certificate has no IP SAN, so connecting by IP still produces a name-mismatch warning even when the certificate is correct.
Redundancy is working, and the HTTPS certificate is shared between the two devices.