Root certificate incompatible with Cisco WLC


#1

Hello,

I generated my signed certificate from Let’s Encrypt with the following site: https://gethttpsforfree.com/

I took the CSR of the WebAuth certificate from the WLC controller to be able to generate the signed certificate. Then, I add the root certificate which can be found on the site: https://letsencrypt.org/certs/isrgrootx1.pem.txt
after the intermediate certificate. I have my final certificate that contains:

  • signed certificate
  • intermediate certificate
  • Root certificate

Impossible to put it on the cisco WLS controller. by looking more closely at the Root certificate provided by Let’s Encrypt to an issuer and a different subject from the intermediate certificate.

The intermediate certificate:

ISSUER: CN = DST Root CA X3,O = Digital Signature Trust Co

SUBJECT: CN= Let’s Encrypt Authority X3,0 = Let’s Encrypt, C = US

The Root certificate provided by Let’s Encrypt:

ISSUER: CN = ISRG Root X1,0 = Internet Security Research Group, C = US

SUBJECT: CN = ISRG Root X1.0 = Internet Security Research Group, C = US

How can I find the right Root certificate ( CN = DST Root CA X3,O = Digital Signature Trust Co) so I can push it on the controller?

Thanks and regards.

Sébastien.


#2

Hi @sebasti1,

Impossible why? any error?. Letsencrypt Intermediate certificates are cross signed so DST Root CA X3 or ISRG Root X1 root certificates should complete the chain. Are you sure you need to include the root certificate?. Also, LE certificates are valid from 90 days so you should repeat the same process every 60-90 days… just in case you didn’t know that :wink:

Download TrusID X3 from this site https://www.identrust.com/support/downloads

It is in p7b format, if you want to download it and convert to pem format from command line:

wget -O trustidrootx3_chain.p7b https://www.identrust.com/node/935
openssl pkcs7 -inform der -in trustidrootx3_chain.p7b -out trustidrootx3_chain.pem -print_certs

Cheers,
sahsanu


#3

Hello,

yes I am sure I will have to include the Root certificate to be able to put it on the controller.

I am this cisco turoriel: https://www.cisco.com/c/en/us/support/docs/wireless/4400-series-wireless-lan-controllers/109597-csr-chained-certificates-wlc-00.html
to push the certificate into the WLC controller, but nothing works.

I downloaded TrustID X3 which is fine: CN = DST Root CA X3, O = Digital Signature Trust Co. I add it after my intermediate certificate.
But I don’t understand, the WLS controller returning “certificate is not yet valid”. If you have any idea, I’m a taker?

Thanks and regards,
Sébastien.


#4

@sebasti1, sorry but I’ve no idea why your WLS controller returns “certificate is not yet valid”, I’ve never used it. Maybe another colleagues have some experience on Cisco products and could help you or maybe you could post this question on Cisco forums, you should get more help there.

Good luck,
sahsanu


#5

“certificate is not yet valid”? Is that exactly what it says, word for word? It sounds like it’s rejecting the certificate because it thinks the certificate is a time traveler from the future.

(Certificates have both an expiration date and a date when they start to be valid.)

Let’s Encrypt certificates are valid starting 1 hour before they were issued. Can you check if the thing’s clock is correct? Does it think it’s yesterday? Or the year 2000 or something?


#6

Thank you very much! my certificate was good but my controller was not at the right date…

Thanks and regards.

Sébastien.


#8

I managed to put the Let’s Encrypt certificate on the WLC controller. The hot spotin my hotel is now secure. But I still have a problem with Google Chrome that doesn’t send me directly to the hotel’s hotspot page. Whereas when I open Firefox or Internet Explorer they send me directly to the hotspot page of the Hotel.

Would you have a solution for Chrome to redirect me directly to the Hotel’s Hotspot page?

Thanks and Regards.


#9

@sebasti1, maybe you could try running Wireshark on your device in order to compare what the various browsers are doing on your network, or to compare what your network is doing with what other networks are doing.


#10

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.