Cisco WLC 9800 - Certificate Installation Error Reading File From Bootflash

Introduction

In this article, we take a look at a strange error that can appear when you try to install a certificate in a Cisco WLC 9800, to use for features such as Web Admin or Web Auth guest portals.

This article assumes you have some knowledge of how to work with OpenSSL on your platform of choice (Windows, macOS, Linux, etc.).


The Problem

I recently had trouble installing a wildcard certificate on a Cisco WLC 9800 to use for the guest portal residing inside the WLC. Installing a certificate on a WLC 9800 shouldn’t really be that hard: we can now use a single .PFX or .P12 file containing the device certificate, private key, and certificate chain, and simply import it into the WLC 9800. This is a step up from the older WLCs running AireOS, where you often had to do some kind of certificate fiddling to make it work.

Let’s get into the problem: I ran into this error message when trying to import the PFX file using the web-GUI:

Error in Configuring
Reading file from bootflash <certificate PFX filename>

I tried several different upload methods (FTP, HTTPS, etc.) in addition to trying to use both the web-GUI and CLI, but nothing seemed to work. The CLI didn’t even state anything went wrong in the import process for me, but I could see it failing to complete since there was no new Trustpoint added to the configuration that matched the new certificate.

The Solution

If the .PFX file given to you by your public certificate provider (probably a certificate for the WebAuth guest portals) or internal PKI administrator (probably a certificate for the Web Admin feature) cannot be imported as-is and you run into the error message above or a similar one, try following the steps below.

  1. Download and install OpenSSL version 1.X (version 1.1 worked for me). I usually use this website to download OpenSSL.

  2. Split the PFX file into individual files - meaning separate files for the identity certificate itself, each CA certificate (root + all intermediate certificates in separate files), and the private key. If you are unsure how to do this, you can check out the commands found here: OpenSSL - Common Certificate Commands and use the general certificate management tools of your operating system to copy each CA certificate to individual files.

  3. Combine all the certificate and private key files into a .PFX file again using OpenSSL version 1.X with the command below. To create the CA-CHAIN.pem file, check out the instructions in the link above on how to format this .PEM file (the order of the certificates). It is very important that you use OpenSSL version 1.X specifically for this step: even with the exact same command in OpenSSL version 3.X, the resulting .PFX file could not be imported into the WLC 9800.

openssl.exe pkcs12 -export -in ID-CERT.cer -inkey PRIV.key -certfile CA-CHAIN.pem -out CERT-and-KEY.pfx

Depending on your platform of choice (Windows, macOS, Linux, etc.) on which you are running OpenSSL, you might need to modify the first part of the command to get started. On some operating systems, you simply start OpenSSL by typing in “openssl” to get into the OpenSSL prompt. From there, start from the “pkcs12…” part above followed by the rest of the command.

When the new PFX file has been created, you should now be able to import it on your WLC 9800 via the web-GUI (navigate to Configuration > Security > PKI Management > Add Certificate > Import PKCS12 Certificate) or using the CLI (which requires transferring the .PFX file to the bootflash first).

As for why a .PFX file created using the older OpenSSL 1.X versions works and a .PFX file created using the newer OpenSSL 3.X versions doesn’t, I do not know.
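As an added diagnostic (not part of the original article): OpenSSL 3.0 changed its default PKCS#12 algorithms to PBES2 with AES-256-CBC and a SHA-256 MAC, where 1.X used RC2-40/3DES password-based encryption with a SHA-1 MAC, so a stdlib-only check of which algorithm identifiers a .PFX carries tells you which OpenSSL generation produced it before you attempt the import. That this difference is what the WLC 9800 rejects is an assumption, and the sample byte strings below are constructed stand-ins, not real PFX files.

```python
# Report which PKCS#12 encryption and MAC algorithms a .pfx/.p12 uses (stdlib only).
# OpenSSL 1.x wrote RC2-40/3DES PBE bags with a SHA-1 MAC; OpenSSL 3.x defaults to
# PBES2/AES-256 with a SHA-256 MAC. Linking that change to the WLC error is an assumption.
LEGACY = {"1.2.840.113549.1.12.1.3": "pbeWithSHAAnd3-KeyTripleDES-CBC",
          "1.2.840.113549.1.12.1.6": "pbeWithSHAAnd40BitRC2-CBC",
          "1.3.14.3.2.26": "sha1 MAC"}
MODERN = {"1.2.840.113549.1.5.13": "PBES2", "2.16.840.1.101.3.4.1.42": "aes256-CBC",
          "2.16.840.1.101.3.4.2.1": "sha256 MAC"}

def decode_oid(v):
    # Dotted string for the contents of a DER OBJECT IDENTIFIER
    parts, acc = [str(v[0] // 40), str(v[0] % 40)], 0
    for b in v[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(str(acc)); acc = 0
    return ".".join(parts)

def collect_oids(buf):
    # Walk DER, descending into constructed elements and into OCTET STRINGs that
    # wrap further DER (PKCS#12 nests its ContentInfo structures that way)
    oids, pos = set(), 0
    while pos + 1 < len(buf):
        tag, length, pos = buf[pos], buf[pos + 1], pos + 2
        if length & 0x80:                         # long-form length
            n = length & 0x7F
            length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        val, pos = buf[pos:pos + length], pos + length
        if tag == 0x06 and val:
            oids.add(decode_oid(val))
        elif tag & 0x20 or (tag == 0x04 and val[:1] == b"\x30"):
            oids |= collect_oids(val)
    return oids

def classify_pfx(buf):
    """Return (verdict, legacy_algs, modern_algs) for the raw DER bytes of a PFX."""
    found = collect_oids(buf)
    legacy = sorted(LEGACY[o] for o in found if o in LEGACY)
    modern = sorted(MODERN[o] for o in found if o in MODERN)
    verdict = {(True, False): "openssl-1.x-style", (False, True): "openssl-3.x-style",
               (True, True): "mixed"}.get((bool(legacy), bool(modern)), "unknown")
    return verdict, legacy, modern

# Constructed samples (not decryptable PFX files): SEQUENCE { PBE OID, OCTET STRING {
# SEQUENCE { MAC digest OID } } }, mirroring the nesting and identifiers OpenSSL emits.
SAMPLE_LEGACY = bytes.fromhex("3017 060A2A864886F70D010C0103 0409 3007 06052B0E03021A")
SAMPLE_MODERN = bytes.fromhex("301A 06092A864886F70D01050D 040D 300B 0609608648016503040201")

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_MODERN
    print(classify_pfx(data))
```

Run it with the path of the .PFX you were handed as the only argument; a "openssl-3.x-style" verdict on a file the WLC refuses is a strong hint to re-export it as described in step 3.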

References

This thread on the Cisco support forums discusses similar problems to the one in this article and the idea of using OpenSSL version 1.X for the PFX file creation came from here.

Cisco Support Forum - "WLC C9800 - Unable to import pfx Certificate" - page 2