This document describes how to generate a Certificate Signing Request (CSR) for Wireless Control System (WCS) that runs on a Linux server.
Before you attempt this configuration, Cisco requires that you have knowledge on these topics:
The information in this document is based on WCS version 220.127.116.11.
Note: CSR generation that uses a WCS is supported with WCS versions 18.104.22.168 and above.
Refer to the Cisco Technical Tips Conventions for more information on document conventions.
A CSR is submitted to a third-party CA in order to obtain a certificate, which they digitally sign. This certificate is used by WCS for login authentication. Before the CSR is created, the applicant first generates a Public/Private key pair.
CSR contains information the identifies the applicant (such as Domain Name, organization, location, etc.) and the public key chosen by the applicant. The corresponding private key is not included in the CSR, but is used to digitally sign the entire request. The CSR can be accompanied by other credentials or proofs as required by the certificate authority. For the most part, a third-party CA company, such as Entrust or VeriSign, requires a CSR before the company can create a digital certificate.
You can use the keyadmin.sh tool available in the WCS installation directory (/opt/WCS4.1/bin/) in order to generate CSRs on a WCS.
Complete these steps in order to access the tool:
Open the shell prompt.
Go to the /opt/WCS4.1/bin directory, and execute the CSR generation command as shown below:
openssl req -new -newkey rsa:2048 -nodes -keyout /opt/mykey.pem -out
This results in the generation of the CSR in the file myreq.pem in the /opt directory, which is used to request the certificate from the CA. The Public/Private key pair is stored in the file mykey.pem in the /opt directory.
Refer to the web site of the third-party CA for more information on how to submit the CSR through the enrollment tool. Once you submit the CSR to a third-party CA, they verify the details that you provided, they create and digitally sign the certificate, and then send the signed certificate back to you via email. This certificate is combined with the private key to be used for final authentication.
Complete these steps in order to create the final certificate:
Assume the certificate from CA has the file name certificate.pem . Use this command in order to combine the certificate with the private key:
openssl pkcs12 -export -in /opt/certificate.pem -inkey /opt/mykey.pem -out
/opt/certificate.p12 -clcerts -passin pass:<give_a_password> -passout
Convert it to .cer format.
openssl pkcs12 -in /opt/certificate.p12 -out /opt/certificate.cer
-passin pass:<give_same_password> -passout pass:<give_same_password>
Note: This results in the creation of the final certificate certificate.cer located in the /opt directory.
Note: By default, WCS has a built-in self-signed SSL certificate. This self-signed certificate is stored as server.cer in the /opt/WCS4.1/webnms/apache/conf/ssl directory, which is used by WCS software when someone tries to securely log in to WCS through https. The self-signed certificate/key pair should be replaced by certificate (certificate.cer) and the private key (mykey.pem) that we created so that it can be used for login authentication.
Use this copy command in order to replace the self-signed certificate with the certificate we created.
cp /opt/mykey.pem /opt/WCSx.x.x.x/webnms/apache/conf/ssl.crt/server.key
cp /opt/certificate.cer /opt/WCSx.x.x.x/webnms/apache/conf/ssl.crt/server.cer
In order to check if the certificate from the third-party is being used for authentication, complete these steps:
Stop and restart the WCS for the changes to take effect.
Access the WCS using the web browser.
If the signed certificate is valid and has a matching domain name, the application should not display the certificate pop-up warning and should take you directly to the login page.
Note: There is an alternate way to test the certificate. If the third-party from whom the certificate was obtained is not in the trusted list in the client, then the certificate will be treated as an invalid certificate and you will receive a warning dialog when you try to log in to WCS. On the warning screen, click View Certificate. On the screen that appears, click the Details tab. Click the Issuer field, and check the attributes OU (Organizational Unit) and O (Organization). The default self-signed certificate will have the OU as WNBU and O as Cisco Systems. Check if these attributes correspond to the third-party that issued the certificate.
There is currently no specific troubleshooting information available for this configuration.