In this post we will see how to install a WebAuth certificate on a 5760 controller. The guest portal is served from the controller's virtual IP, so a certificate issued to the FQDN that resolves to that IP stops guest users being prompted with an SSL certificate error when they authenticate to the portal.

The first task is to obtain a CSR (Certificate Signing Request) for the 5760. Since the 5760 cannot generate one by itself, you have to use software such as OpenSSL. I used Win64 OpenSSL v0.9.8za Light since my PC runs 64-bit Windows (refer to the Configuring EAP-TLS on a WLC post for a working 32-bit OpenSSL build). The installation is a standard Windows wizard.

Once the installation has completed, open a command prompt as administrator (All Programs -> Accessories -> right-click Command Prompt -> Run as Administrator). Then generate the private key (5760-1111key.pem) and the CSR (5760-1111req.pem). Use as the Common Name the FQDN that resolves to your 5760 virtual IP address; that is the name guests will see in the portal URL, and the browser checks it against the certificate.

Both files are written to C:\OpenSSL\bin. Submit the CSR (5760-1111req.pem in my case) to your Certificate Authority. Once the request is approved, the CA offers the signed certificate in several formats.

I downloaded the PKCS#7 Base64-encoded format of the certificate. Since the 5760 configuration guide documents installing certificates in PKCS12 format, I converted my certificate into that format. I renamed the certificate downloaded from the CA to "webauth-guest.p7b" and used it, together with the private key from the CSR step, to generate a PKCS12 file named "webauth-guest.pfx". Here is the command syntax if you are doing this on a Linux host (the first command unpacks the certificates from the PKCS#7 bundle, the second pairs them with your private key).

openssl pkcs7 -print_certs -in webauth-guest.p7b -out webauth-guest.cer
openssl pkcs12 -export -in webauth-guest.cer -inkey 5760-1111key.pem -out webauth-guest.pfx

The same two commands work in the Windows OpenSSL command prompt. When exporting, use the same password that you used when generating the CSR: it unlocks the private key, and the export password you set here is the one you will give the 5760 at import time. Once the PKCS12 file is available you can install it on your 5760 using IOS commands. First copy the file to the 5760 flash, then import it.

5760-1#copy tftp://x.x.13.20/webauth-guest.pfx flash:
Destination filename [webauth-guest.pfx]? 
Accessing tftp://x.x.13.20/webauth-guest.pfx...
Loading webauth-guest.pfx from x.x.13.20 (via Vlan1600): !
[OK - 6477 bytes]

6477 bytes copied in 0.080 secs (80963 bytes/sec)

5760-1(config)#crypto pki import ? 
  WORD  Trustpoint label to associate certificate or pkcs-12 file with

5760-1(config)#crypto pki import webauth-cert pkcs12 flash:webauth-guest.pfx password Cisco123
% Importing pkcs12...
Source filename [webauth-guest.pfx]? 
Reading file from flash:webauth-guest.pfx% The CA cert is not self-signed.
% Do you also want to create trustpoints for CAs higher in
% the hierarchy? [yes/no]: yes
CRYPTO_PKI: Imported PKCS12 file successfully.

Now your 5760 is equipped with the WebAuth certificate 🙂 You can review what the import added to the configuration with "show archive config differences" before doing a write mem, and inspect the certificate itself with "show crypto ca certificate verb". Note that the imported trustpoint and its two parent CA trustpoints (webauth-cert-rrr1 and webauth-cert-rrr2, created when you answered "yes" above) all default to revocation-check crl. Once the import has succeeded, the .pfx on flash is no longer needed; it still contains the private key protected only by the import password, so delete it rather than leave it there.

5760-1#show archive config differences nvram:startup-config system:running-config
!Contextual Config Diffs:
+crypto pki trustpoint webauth-cert
 +revocation-check crl
 +rsakeypair webauth-cert
+crypto pki trustpoint webauth-cert-rrr1
 +revocation-check crl
+crypto pki trustpoint webauth-cert-rrr2
 +revocation-check crl

+crypto pki certificate chain webauth-cert

5760-1#show crypto ca certificate verb
  Status: Available
  Version: 3
  Associated Trustpoints: webauth-cert 
  Key Label: webauth-cert

So your guest users will no longer see the browser's certificate warning when they enter their credentials in the guest portal, provided they reach the portal by the FQDN in the certificate rather than by the bare virtual IP.

Here are some related Cisco Documents which may be useful as well

1. Converged Access Wireless LAN Controllers Third-Party Certificate Installation (Doc 117197)
2. 5760 IOS-XE Release 3E-Configuring Guest Wireless
3. Generate CSR for 3rd Party Cert & install it on WLC (Doc 70584)

Special Thanks to my colleague Gareth for helping me to understand a little bit about these certificates.

Related Posts

1. Guest Anchoring in Converged Access
2. Web Auth in Converged Access
3. Configuring EAP-TLS on a WLC