To generate a Certificate Signing Request (CSR), a key pair must first be created for the server. The pair consists of a public key and a private key, and the two cannot be separated. Cisco Wireless LAN Controller (WLC) is a very complex system with an unconventional implementation of its key pairs for encryption. CSR creation and certificate installation may vary because your environment may differ. Below are generalized instructions. The “openssl” utility is used to generate the key and CSR and to perform conversions. This utility comes with the OpenSSL package and is usually installed under /usr/local/ssl/bin. If you have a custom installation, you will need to adjust these instructions appropriately.
To generate a CSR on Cisco WLC, perform the following.
Step 1: Generating your private key pair:
- On the Apache system, type the following command at the prompt.
openssl genrsa -out privatekeyfilename.key 2048
Note: The files you create will be saved in a directory of your choice or in the default directory (on Windows systems, typically C:\Program Files\GnuWin32\OpenSSL\bin\).
Step 2: Generating your CSR:
- Type the following command at the prompt.
openssl req -new -key privatekeyfilename.key -out csrfilename.csr
Note: If using OpenSSL on Windows, you may need to specify the path to openssl.cnf, such as the following:
openssl req -new -key privatekeyfilename.key -config "c:\Apache Software Foundation\Apache2.2\conf\openssl.cnf" -out csrfilename.csr
- Enter the requested information:
- Country Name: Use the two-letter code without punctuation for country, for example: US or CA.
- State or Province: Spell out the state completely; do not abbreviate the state or province name, for example: Massachusetts
- Locality or City: The Locality field is the city or town name, for example: Boston. Do not abbreviate. For example: Saint Louis, not St. Louis
- Company: If the company or department has an &, @, or any other symbol using the shift key in its name, the symbol must be spelled out or omitted, in order to enroll. Example: XY & Z Corporation would be XYZ Corporation or XY and Z Corporation.
- Organizational Unit: The Organizational Unit (OU) field is the name of the department or organization unit making the request. To skip the OU field, press Enter on the keyboard.
- Common Name: The fully qualified domain name, or URL, you’re securing, for example “www.domain.com”. The Common Name must match the DNS Hostname on the Virtual Interface.
- Important Note: You might be prompted to associate a password for your CSR. Leave this blank and press Enter. Associating a password with your CSR will encrypt it and will cause issues with enrollment.
- Note: WLCs do not like wildcard certificates. Make sure to specify a non-wildcard common name.
A public/private key pair has now been created. The private key is stored locally on the server (remember its location and name as it will be required for Installation).
Your CSR request has been created and is ready for you to copy and paste its contents into the enrollment portal.
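The script below is an added example, not part of the original instructions: it runs Steps 1 and 2 non-interactively and then checks the CSR before it is pasted into the enrollment portal (valid self-signature, public key matching the private key, no wildcard Common Name, no challenge password). The function names, file names, the OU value and the host name wlc.example.com are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example (not from the original page). File names, the OU value and
# the host name passed as the Common Name are constructed placeholders.

# make_csr KEYFILE CSRFILE COMMON_NAME
# Steps 1 and 2 in one non-interactive call; refuses wildcard names up front.
make_csr() {
    key=$1; csr=$2; cn=$3
    case "$cn" in
        *\**) echo "refusing wildcard common name: $cn" >&2; return 1 ;;
    esac
    # Subshell keeps the restrictive umask from leaking into the caller.
    ( umask 077; openssl genrsa -out "$key" 2048 2>/dev/null ) || return 1
    # -subj supplies the subject fields directly, so openssl never prompts
    # and no challenge password attribute is added to the request.
    openssl req -new -key "$key" -out "$csr" \
        -subj "/C=US/ST=Massachusetts/L=Boston/O=XYZ Corporation/OU=IT/CN=$cn"
}

# check_csr KEYFILE CSRFILE
# Returns 0 only if the CSR passes every pre-submission check.
check_csr() {
    key=$1; csr=$2
    # 1. Self-signature. Match on the message text, because some openssl
    #    releases exit 0 even when verification fails.
    openssl req -in "$csr" -noout -verify 2>&1 | grep -q 'verify OK' ||
        { echo "CSR signature does not verify" >&2; return 1; }
    # 2. The public key in the CSR belongs to the private key on disk.
    kmod=$(openssl rsa -in "$key" -noout -modulus 2>/dev/null)
    cmod=$(openssl req -in "$csr" -noout -modulus 2>/dev/null)
    if [ -z "$kmod" ] || [ "$kmod" != "$cmod" ]; then
        echo "CSR was not generated from this private key" >&2; return 1
    fi
    # 3. No wildcard Common Name (both subject print styles are covered).
    case "$(openssl req -in "$csr" -noout -subject)" in
        *'CN = *'*|*'CN=*'*) echo "wildcard common name" >&2; return 1 ;;
    esac
    # 4. No challenge password attribute.
    if openssl req -in "$csr" -noout -text | grep -qi 'challengePassword'; then
        echo "CSR carries a challenge password" >&2; return 1
    fi
}

# Run as: sh thisfile.sh KEYFILE CSRFILE COMMON_NAME
if [ $# -eq 3 ]; then
    make_csr "$1" "$2" "$3" && check_csr "$1" "$2" && echo "CSR ready: $2"
fi
```

On Windows, add the -config option shown above to the openssl req call in make_csr if openssl cannot find openssl.cnf.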
If you are unable to use these instructions for your server, Acmetek recommends that you contact either the vendor of your software or the organization that supports it.