This document describes how to generate a Certificate Signing Request
(CSR) for Wireless Control System (WCS) that runs on a Linux server.
Before you attempt this configuration, Cisco requires that you have knowledge of these topics:
The information in this document is based on WCS version
Note: CSR generation on a WCS is supported with WCS versions 220.127.116.11 and above.
Refer to the
Technical Tips Conventions for more information on document
A CSR is submitted to a third-party Certificate Authority (CA) in order to obtain a certificate, which the CA digitally signs. WCS uses this certificate for login authentication. Before the CSR is created, the applicant first generates a public/private key pair.
A CSR contains information that identifies the applicant (such as the domain name, organization, and location) and the public key chosen by the applicant. The corresponding private key is not included in the CSR, but is used to digitally sign the entire request. The CSR can be accompanied by other credentials or proofs as required by the certificate authority. For the most part, a third-party CA company, such as Entrust or VeriSign, requires a CSR before the company can create a digital certificate.
You can use the keyadmin.sh tool available in the WCS installation directory (/opt/WCS4.1/bin/) in order to generate CSRs on a WCS.
Complete these steps in order to access the tool:
Open the shell prompt.
Go to the /opt/WCS4.1/bin directory, and execute the CSR generation command as shown below:
openssl req -new -newkey rsa:2048 -nodes -keyout /opt/mykey.pem -out /opt/myreq.pem
This results in the generation of the CSR in the file myreq.pem in the /opt directory, which is used to request the certificate from the CA. The public/private key pair is stored in the file mykey.pem in the /opt directory.
Refer to the web site of the third-party CA for more information on how to submit the CSR through its enrollment tool. Once you submit the CSR to a third-party CA, the CA verifies the details that you provided, creates and digitally signs the certificate, and then sends the signed certificate back to you via email. This certificate is combined with the private key to be used for login authentication.
Complete these steps in order to create the final certificate:
Assume the certificate from the CA has the file name certificate.pem and is saved in the /opt directory. Use this command in order to combine the certificate with the private key:
openssl pkcs12 -export -in /opt/certificate.pem -inkey /opt/mykey.pem -out /opt/certificate.p12 -clcerts -passin pass:<give_a_password> -passout pass:<give_a_password>
Convert it to .cer format:
openssl pkcs12 -in /opt/certificate.p12 -out /opt/certificate.cer -passin pass:<give_same_password> -passout pass:<give_same_password>
Note: This results in the creation of the final certificate certificate.cer located in the /opt directory.
Note: By default, WCS has a built-in self-signed SSL certificate. This self-signed certificate is stored as server.cer in the /opt/WCS4.1/webnms/apache/conf/ssl directory and is used by the WCS software when someone securely logs in to WCS through HTTPS. The self-signed certificate/key pair should be replaced by the certificate (certificate.cer) and the private key (mykey.pem) that we created so that they can be used for login authentication.
Use these copy commands in order to replace the self-signed certificate with the certificate we created:
cp /opt/mykey.pem /opt/WCSx.x.x.x/webnms/apache/conf/ssl.crt/server.key
cp /opt/certificate.cer /opt/WCSx.x.x.x/webnms/apache/conf/ssl.crt/server.cer
In order to check if the certificate from the third-party CA is being used for authentication, complete these steps:
Stop and restart the WCS for the changes to take effect.
Access the WCS using the web browser.
If the signed certificate is valid and has a matching domain name, the application should not display the certificate pop-up warning and should take you directly to the login page.
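The whole procedure above, run end to end in a scratch directory with a pre-install check that the certificate really belongs to mykey.pem and carries the WCS host name. This is an added example, not part of the Cisco document: it assumes openssl is on the PATH, uses a self-signed certificate as an offline stand-in for the certificate.pem the CA returns, and uses wcs.example.com, a temporary directory and a placeholder password in place of your own values.

```shell
#!/bin/sh
# Added example, not from the Cisco document: run the CSR -> PKCS#12 -> .cer
# procedure end to end in a scratch directory and check the result before
# it is copied over the WCS self-signed pair. Assumes openssl is on the PATH.
set -eu

WORK="${WORK:-$(mktemp -d)}"          # stand-in for /opt (assumption)
PASS="${PASS:-example-p12-password}"  # stand-in for <give_a_password>
CN="${CN:-wcs.example.com}"           # must equal the host name users browse to

# Step 1: key pair and CSR, the document's openssl req command plus -subj.
# -nodes leaves mykey.pem unencrypted on disk, so keep its permissions tight.
gen_csr() {
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$WORK/mykey.pem" -out "$WORK/myreq.pem" \
        -subj "/C=US/O=Example Org/OU=NOC/CN=$CN" 2>/dev/null
}

# Stand-in for the third-party CA so the flow runs offline: self-sign the CSR.
# In production, certificate.pem is the file the CA e-mails back.
fake_ca_sign() {
    openssl x509 -req -in "$WORK/myreq.pem" -signkey "$WORK/mykey.pem" \
        -days 30 -out "$WORK/certificate.pem" 2>/dev/null
}

# Steps 2 and 3: bundle certificate + key into PKCS#12, then back out to PEM.
build_cer() {
    openssl pkcs12 -export -in "$WORK/certificate.pem" -inkey "$WORK/mykey.pem" \
        -out "$WORK/certificate.p12" -clcerts -passin "pass:$PASS" -passout "pass:$PASS"
    openssl pkcs12 -in "$WORK/certificate.p12" -out "$WORK/certificate.cer" \
        -passin "pass:$PASS" -passout "pass:$PASS"
}

# Pre-install check: the certificate's public key must match the private key
# it will be installed with, and its CN must be the WCS host name; otherwise
# browsers keep showing the warning the document describes.
# Usage: verify_pair KEYFILE CERFILE HOSTNAME
verify_pair() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null | openssl sha256)
    cer_pub=$(openssl x509 -in "$2" -pubkey -noout | openssl sha256)
    [ "$key_pub" = "$cer_pub" ] || return 1
    openssl x509 -in "$2" -noout -subject | grep -q "CN *= *$3"
}

gen_csr && fake_ca_sign && build_cer
verify_pair "$WORK/mykey.pem" "$WORK/certificate.cer" "$CN" && echo "OK: $WORK"
```

Only after verify_pair succeeds should mykey.pem and certificate.cer be copied over server.key and server.cer as shown above.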
Note: There is an alternate way to test the certificate. If the third party from whom the certificate was obtained is not in the client's trusted list, the certificate is treated as an invalid certificate and you receive a warning dialog when you try to log in to WCS. On the warning screen, click View Certificate. On the screen that appears, click the Details tab. Click the Issuer field, and check the attributes OU (Organizational Unit) and O (Organization). The default self-signed certificate has the OU as WNBU and O as Cisco Systems. Check whether these attributes correspond to the third party that issued the certificate.
There is currently no specific troubleshooting information available
for this configuration.