Cisco Wireless LAN Controller Module Technical Manual

Acquire an unchained certificate from the CA, which means that the signing root is trusted.
Have all valid intermediate CA root certificates (trusted or untrusted) installed on the client.
For information on how to use unchained certificates on the WLC, refer to .
This document discusses how to properly install a chained Secure Socket Layer (SSL) certificate
to a WLC.
Step 1. Generate a CSR
There are two ways to generate a CSR: manually with OpenSSL (the only option in WLC software
before 8.3), or on the WLC itself (available from 8.3.102).
Option A. CSR with OpenSSL
Complete these steps in order to generate a CSR with OpenSSL:
In Microsoft Windows, by default, openssl.exe is located at C:\ > openssl > bin.
Note: OpenSSL Version 0.9.8 is the recommended version; however, as of Version 7.5,
support for OpenSSL Version 1.0 was also added (refer to Cisco bug ID - Need
Support for certificates generated using OpenSSL v1.0).
1. Issue this command in order to generate a new CSR:
OpenSSL> req -new -newkey rsa:1024 -nodes -keyout mykey.pem -out myreq.pem
Note: WLCs support a maximum key size of 2,048 bits.
2. Sometimes when you try to generate a new CSR, you might receive the error "Unable to
load config info from /usr/local/ssl/openssl.cnf" followed by "error in req". This happens
when the openssl.cfg (or openssl.cnf) file is not in the default OpenSSL folder. To fix it,
specify the full path to the openssl.cfg file in the command that generates the CSR. Here is
an example:
OpenSSL> req -config "C:\Open SSL1\OpenSSL\bin\openssl.cfg" -new -newkey rsa:1024 -nodes -keyout mykey.pem -out myreq.pem
The path of the OpenSSL config file, C:\Open SSL1\OpenSSL\bin\openssl.cfg, might differ
based on where the file is installed.
3. After you issue the command, you are prompted for some information: country name, state,
city, and so forth. Provide the required information.
Note: It is important that you provide the correct Common Name. Ensure that the host name
used to create the certificate (Common Name) matches the Domain Name System (DNS) host
name entry for the virtual interface IP address on the WLC, and that the name exists in the
DNS as well. Also, after you change the Virtual IP (VIP) interface, you must reboot the
system for the change to take effect.
Here is an example:
4.
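The following script is an added example, not from the Cisco document. It runs the OpenSSL CSR step non-interactively and checks the two constraints the notes above state: the Common Name must be the DNS host name of the WLC virtual interface, and the key must not exceed 2,048 bits. It assumes the openssl CLI is in PATH; the host name wlc.example.com and the subject fields are constructed sample values.

```shell
#!/bin/sh
# Added example (not Cisco's code): generate a WLC CSR with a 2,048-bit key,
# then verify the Common Name and key size before sending it to the CA.
# Assumes the openssl CLI is in PATH; wlc.example.com is a constructed name.

# gen_wlc_csr CN KEYFILE CSRFILE [CONFIG]
# CONFIG is the full path to openssl.cfg, for installs where OpenSSL cannot
# find its default config (the "Unable to load config info" error).
gen_wlc_csr() {
    cn=$1; keyfile=$2; csrfile=$3; cfg=$4
    set -- -new -newkey rsa:2048 -nodes -keyout "$keyfile" -out "$csrfile" \
           -subj "/C=US/ST=CA/L=San Jose/O=Example Corp/CN=$cn"
    if [ -n "$cfg" ]; then
        openssl req -config "$cfg" "$@"
    else
        openssl req "$@"
    fi
}

# csr_cn CSRFILE: prints the Common Name from the CSR subject
csr_cn() {
    openssl req -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# csr_key_bits CSRFILE: prints the RSA public key size in bits
csr_key_bits() {
    openssl req -in "$1" -noout -text \
        | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# cn_resolves CN: succeeds if the name exists in DNS (or /etc/hosts), as the
# Common Name note requires; not exercised offline
cn_resolves() {
    getent hosts "$1" >/dev/null 2>&1
}

# check_wlc_csr CSRFILE EXPECTED_CN: returns 0 only if the CN matches and the
# key is within the WLC's 2,048-bit limit
check_wlc_csr() {
    cn=$(csr_cn "$1"); bits=$(csr_key_bits "$1")
    [ "$cn" = "$2" ] || { echo "CN mismatch: got '$cn', expected '$2'" >&2; return 1; }
    [ "${bits:-0}" -le 2048 ] || { echo "key size $bits exceeds 2,048-bit WLC limit" >&2; return 1; }
    echo "CSR ok: CN=$cn, RSA $bits bit"
}
```

Run `gen_wlc_csr wlc.example.com mykey.pem myreq.pem` (optionally with the openssl.cfg path as a fourth argument) and then `check_wlc_csr myreq.pem wlc.example.com` before submitting myreq.pem to the CA.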