Cisco Wireless LAN Controller Module Technical Manual

live, make sure that you understand the potential impact of any command.
Chained Certificates
A certificate chain is a sequence of certificates, where each certificate in the chain is signed by the
subsequent certificate. The purpose of a certificate chain is to establish a chain of trust from a
peer certificate to a trusted CA certificate. The CA vouches for the identity in the peer certificate
when it signs it. If the CA is one that you trust, which is indicated by the presence of a copy of the
CA certificate in your root certificate directory, this implies you can trust the signed peer certificate
as well.
Often, the clients do not accept the certificates because they were not created by a known CA.
The client typically states that the validity of the certificate cannot be verified. This is the case
when the certificate is signed by an intermediate CA, which is not known to the client browser. In
such cases, it is necessary to use a chained SSL certificate or certificate group.
Support for Chained Certificate
In controller versions earlier than Version 5.1.151.0, web authentication certificates can only be
device certificates and should not contain the CA roots chained to the device certificate (no
chained certificates). With controller Version 5.1.151.0 and later, the controller allows for the
device certificate to be downloaded as a chained certificate for web authentication.
Certificate Levels
Level 0 - Use of only a server certificate on the WLC
Level 1 - Use of a server certificate on the WLC and a CA root certificate
Level 2 - Use of a server certificate on the WLC, one single CA intermediate certificate, and a CA root certificate
Level 3 - Use of a server certificate on the WLC, two CA intermediate certificates, and a CA root certificate
The WLC does not support chained certificates larger than 10KB. However, this
restriction has been removed in WLC Version 7.0.230.0 and later.
Note: Chained certificates are supported for web authentication only; they are not supported
for the management certificate.
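An added example, not taken from the Cisco document: a Python check that reads a PEM bundle, reports the certificate level as defined above, confirms that each certificate's issuer matches the subject of the next one, and flags bundles over the 10KB limit that applies before Version 7.0.230.0. It compares names only and does not verify signatures; the 10240-byte reading of "10KB", the function names and the sample bundle are assumptions constructed for illustration.

```python
import base64
import re

LIMIT = 10 * 1024  # assumption: "10KB" read as 10240 bytes of PEM text

def tlv(data, pos):
    """Read one DER element at pos; return (tag, value_start, value_end)."""
    tag, first = data[pos], data[pos + 1]
    pos += 2
    if first < 0x80:                      # short-form length
        return tag, pos, pos + first
    n = first & 0x7F                      # long form: next n bytes hold the length
    return tag, pos + n, pos + n + int.from_bytes(data[pos:pos + n], "big")

def names(der):
    """Return (issuer, subject) as raw DER Name bytes of one X.509 certificate."""
    _, pos, _ = tlv(der, 0)               # Certificate SEQUENCE
    _, pos, _ = tlv(der, pos)             # TBSCertificate SEQUENCE
    fields = []                           # serial, sigAlg, issuer, validity, subject
    while len(fields) < 5:
        tag, _, end = tlv(der, pos)
        if tag != 0xA0:                   # skip the optional [0] version field
            fields.append(der[pos:end])
        pos = end
    return fields[2], fields[4]

def inspect_chain(pem_text):
    """Report level, ordering (issuer == next subject), root position and size."""
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----",
                        pem_text, re.S)
    pairs = [names(base64.b64decode(b)) for b in blocks]
    return {
        "level": len(pairs) - 1,          # CA certificates that follow the server cert
        "ordered": all(a[0] == b[1] for a, b in zip(pairs, pairs[1:])),
        "ends_at_root": bool(pairs) and pairs[-1][0] == pairs[-1][1],
        "over_10kb": len(pem_text.encode()) > LIMIT,
    }

# Constructed sample: skeleton DER holding only the fields read above, not real certs.
def der_el(tag, body):
    return bytes([tag, len(body)]) + body  # short-form length only
def fake_cert(subject, issuer):
    name = lambda cn: der_el(0x30, der_el(0x0C, cn.encode()))
    tbs = (der_el(0xA0, der_el(0x02, b"\x02")) + der_el(0x02, b"\x01") + der_el(0x30, b"")
           + name(issuer) + der_el(0x30, b"") + name(subject))
    body = base64.b64encode(der_el(0x30, der_el(0x30, tbs))).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

SAMPLE = (fake_cert("wlc.example", "Int CA") + fake_cert("Int CA", "Root CA")
          + fake_cert("Root CA", "Root CA"))
```

Calling inspect_chain on a real bundle's text gives the same four fields; a result with "ordered" set to False means the certificates are not in server, intermediate, root order.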
Web authentication certificates can be any of these:
Chained
Unchained
Auto-generated
Note: In WLC Version 7.6 and later, only chained certificates are supported in the WLC for
web authentication.
For WLCs with software versions earlier than Version 5.1.151.0, the workaround is to use one of
these options: