Configuring PKI Management
Cisco IOS public key infrastructure (PKI) provides certificate management to support security protocols such as IP Security (IPSec), secure shell (SSH), and secure socket layer (SSL). On the Wireless LAN Controller's GUI, the PKI Management page provides an easy way to configure RSA key pairs and trustpoints and to manage certificate requests for the different services such as Web Administration, Web Authentication, AP Join or EAP Authentication. You can choose to have the local CA server issue certificates for these services or use third-party certificates. The different tabs on the PKI Management page help you to make use of the PKI infrastructure for certificate management. Based on your requirement, use the PKI Management page to do the following:
Creating a trustpoint and the RSA key pair starts the process of requesting a certificate from the CA server. The name of the trustpoint, the public RSA key pair of the host and additional details like the subject name and domain name are bundled in the certificate request, thereby binding them together.
The workflow for requesting a certificate and assigning it to a particular service is as follows:
- Create the RSA Key Pair
Keys in a PKI system are used to encrypt and decrypt data. A key pair (a public and a private key) is required before you can obtain a certificate for your WLC. The end host (here the WLC) must generate a pair of keys and exchange the public key with the certification authority (CA) to obtain a certificate and enroll in a PKI.
- In the Key Pair Generation tab, click Add.
- Enter the Key Name. The label is referenced by the trustpoint that uses the key pair. If you do not assign a label, the key pair is automatically labeled, Default-RSA-Key.
- In the Key Type options, select either RSA Key or EC Key. The default modulus size for the RSA key is 4096 and the default value for the EC key is 521.
- In the Modulus Size field, enter the modulus value for the RSA key or the EC key.
- Check the Key Exportable check box to export the key. By default, this field is enabled.
- Click
- Create, authenticate and enroll the Trustpoint
A trustpoint is an abstract container for an identity certificate that can be used to secure communication between the client and the server. A trustpoint needs to be declared to send certificate requests for the WLC and also for obtaining the certificate authority's (CA) certificate. There are many ways to enroll your trustpoint and receive a certificate from the CA. Depending on the configuration, you may choose to automatically request a certificate from the CA or manually request a certificate from the CA. Based on your preference, do it on either the Trustpoints tab (2a) or the Add Certificate tab (2b).
2 a. Create, authenticate and enroll the Trustpoint automatically
The following procedure shows how to create, authenticate and enroll the trustpoint to request and receive a certificate from an external Certificate Authority or a local CA server using automatic enrollment. With SCEP, the CA and device certificates are received from the CA server and then installed automatically on the controller. Note that this does not include the steps for setting up a Windows Server 2012 Standard R2, nor does it cover the steps for setting up the Simple Certificate Enrollment Protocol (SCEP) server.
You can use automatic enrollment for any certificate. The following example shows how to obtain a Locally Significant Certificate (LSC) that is used for AP Join. LSC certificates used for AP Join can be issued by either a Root Server or an Intermediate Server. If you use an LSC certificate issued by an intermediate server to provision an AP, you will need to import the complete chain of CA certificates into the WLC using the Trustpool tab on the PKI Management page.
- In the Trustpoints tab, click Add and enter a unique label for the trustpoint in the Label field. If you are enrolling with an Intermediate CA server, ensure that a trustpoint is explicitly configured for this.
- For the Enrollment Type, select the automatic option and enter the enrollment URL in the Enrollment URL field, to automatically request and download a CA certificate from the CA server (third-party or local). If instead you select the radio button for manual enrollment, go to the Add Certificate tab to create, authenticate and enroll a Trustpoint manually. Refer to Add Certificate to do so.
- In the Subject Name area, enter the country code, state, location, organisation, domain name, and email address.

Field | Description |
---|---|
Domain Name/Common Name | The fully qualified domain name (FQDN) of the WLC server. This must match exactly what you type in your web browser to reach the WLC, or you will receive a name mismatch error. |
Country Code | The two-letter ISO code for the country where your organization is located. |
State | The state/region where your organization is located. This shouldn't be abbreviated. |
Location | The place where your organization is located. |
Organization | The legal name of your organization. This should not be abbreviated and should include suffixes such as Inc, Corp, or LLC. |
Email Address | An email address used to contact your organization. |

- Check the Authenticate check box to authenticate the Trustpoint and get the CA server certificate from the enrollment URL.
- Associate the key pair with the trustpoint. To do so, check the Key Generated check box to view the available RSA key pairs and choose the correct key pair from the Available RSA Keypairs drop-down list.
- Check the Enroll Trustpoint check box to request the certificate for the WLC from the Certificate Authority.
- In the Password field, enter the password. Also called the challenge password, this password must match the challenge password for your CA. In the Certificate Signing request template, you must enter the same challenge password that was configured for the SCEP server, otherwise the authentication between the WLC and CA fails. Reconfirm the password.
- Click
OR
2 b. Create, authenticate and enroll the Trustpoint manually
You might choose to receive the certificate from your server by manually sending the request to the CA server because the SCEP server hasn't been set up or there is no network connection between the WLC and the CA. You can start directly on the Add Certificate tab, or you might be directed to this tab when you select the radio button on the Trustpoints tab. Continue with the steps below:
- In the Add Certificate tab, click the Generate Certificate Signing Request area.
- In the Certificate Name field, enter the certificate name.
- From the Key Name drop-down list, select the required RSA keypair. Click the "+" icon to create new RSA keypairs, from the Key Pair Generation tab.
- Enter the Country Code, Location, Organisation, State, Organizational Unit, and the Domain Name.
- Click Generate. The generated CSR is displayed on the right. Click Copy to copy and save a local copy. Click Save to Device to save the generated CSR to the /bootflash/csr directory.
- Click the Authenticate Issuer CA area.
- From the Trustpoint drop-down list, select the trustpoint label that was generated in the generate CSR activity, or any other trustpoint label that you would like to authenticate.
- In the Issuer CA Certificate (.pem) field, copy and paste the CA certificate that you had saved in the generate CSR activity. Ensure that you copy and paste the PEM Base64 certificate of the issuing CA.
- Click Authenticate.
- Click the Import Device Certificate area.
- From the Trustpoint drop-down list, select the trustpoint label that was generated earlier.
- In the Signed Certificate (.pem) field, copy and paste the device certificate that you received from the CA after submitting the CSR. Ensure that you copy and paste the PEM Base64 device certificate.
- Click Import.
Alternatively, if you have received a certificate in the PKCS12 format, use the Import PKCS12 Certificate area to import the certificate.
From the Transport Type drop-down list, choose either FTP, SFTP, SCP, TFTP, or Desktop (HTTPS).
For FTP, SFTP, and SCP, enter the Server IP Address (IPv4/IPv6), Username, Password, Certificate File Path, Certificate Destination File Name, and Certificate Password.
For TFTP, enter the Server IP Address (IPv4/IPv6), Certificate File Path, Certificate Destination File Name, and Certificate Password.
For Desktop (HTTPS), enter the Source File Path and Certificate Password.
Click Import.
- Assign the Trustpoint for a Specific Service
Now that you have configured the Trustpoint, assign the Trustpoint to a specific service so that the right certificate is used for the right purpose. For APs joining the controller using the LSC, you need to provision them first. Refer to the LSC Provision area for the detailed procedure. For all other services, such as WebAdmin, WebAuthentication and Local EAP, point them to the specifically configured trustpoint by going to their respective pages.
Assign Trustpoint for AP Join
Since the wireless management interface is used for AP Join, point the Management Interface to use the trustpoint configured for AP Join.
- Go to , and select the VLAN Interface Name.
- In the Edit Management Interface page, select the Trustpoint from the drop-down list. Ensure that this is the same Trustpoint that was bound to the LSC certificate above.
- Click .
Assign Trustpoint for WebAuthentication
- Go to and click the .
- In the Edit Web Auth Parameter window, select the appropriate trustpoint for WebAuthentication.
- Click to set the webauth parameter to use the correct trustpoint.
Assign Trustpoint for WebAdministration
- Go to .
- In the HTTP Trust Point Configuration area, tap to enable the trustpoint and select the appropriate trustpoint to be used for web administration.
- Click for the configuration to take effect.
Assign Trustpoint for Local EAP Authentication
- Go to and click the profile name.
- In the Edit Local EAP Profiles window, select the appropriate trustpoint to be used for local EAP authentication.
- Click for the configuration to take effect.
The PKI Management page now displays the trustpoint usage for the respective services.
- On the tab, go to the AP SSC Trustpoint area and click to generate a self-signed certificate for the virtual controller.
- From the RSA Key-Size drop-down list, choose a key size.
- From the Signature Algorithm drop-down list, choose an option.
- From the Password Type drop-down list, choose a password type. 0 specifies that an unencrypted password or secret (depending on the configuration) follows. 7 specifies that a hidden password follows.
- Enter a Password. The valid range is between 8 and 32 characters.
- Click
- Next, go to the and select the VLAN Interface Name.
- In the Edit Management Interface page, select the Trustpoint from the drop-down list.
- Click . This ensures that the AP joins the virtual controller using the self-signed certificate generated above.
The Local CA Server provides basic certificate authority operation on the WLC. It provides trusted digital certificates to users, without the need to rely on external certificate authorization. You can use this tab to enable and configure local CA Certificate parameters and to make any changes before rolling over local CA certificates.
On this tab, tap to enable the CA server. You can also choose to remove an existing local CA server (either enabled or disabled). Note that deleting the local CA server removes the configuration from the WLC. After the configuration has been deleted, it is irrecoverable. Make sure that you also delete the associated local CA server database and configuration files (that is, all files with the wildcard name, LOCAL-CA-SERVER.*). To configure the local CA server, enter the details and click . The local certificate is ready to be used.

Field | Description |
---|---|
Domain Name/Common Name | The fully qualified domain name (FQDN) of the WLC server. This must match exactly what you type in your web browser to reach the WLC, or you will receive a name mismatch error. |
Country Code | The two-letter ISO code for the country where your organization is located. |
State | The state/region where your organization is located. This shouldn't be abbreviated. |
Location | The place where your organization is located. |
Organization | The legal name of your organization. This should not be abbreviated and should include suffixes such as Inc, Corp, or LLC. |
Email Address | An email address used to contact your organization. |
During rollover, if you want to change any of the above details, you can change them here.
The PKI Trustpool Management feature is enabled by default and is used to store a list of trusted certificates (either downloaded or built-in) used by the different services on the controller. The built-in CA certificate bundle in the PKI trustpool receives automatic updates from Cisco. Perform this task to manually update the CA certificates in the PKI trustpool if they are not current, are corrupt, or if certain certificates need to be updated. If your Locally Significant Certificate has been issued by an Intermediate CA, you must import the complete chain of CA certificates into the Trustpool; otherwise, you will not be able to provision the APs, because the complete chain must be present on the WLC.
- On the tab, click to manually import (download) the CA certificate bundle into the PKI trustpool to update or replace the existing CA certificate bundle.
- Paste the CA certificates that you received earlier from the CA server in PEM format and click to complete the import. The imported certificate is displayed in the table.
- To erase the downloaded CA certificates manually, click the button.
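The warning about importing the complete chain can be demonstrated with the Go standard library. The following added example (not Cisco code; all names, serial numbers and lifetimes are constructed for the example) builds a self-signed root CA, an intermediate CA signed by it and a device certificate signed by the intermediate, as an LSC issued by an Intermediate CA would be. VerifyAgainstTrustpool models the trustpool as the set of CA certificates available for path building: with only the root present, the device certificate cannot be validated; with root and intermediate present, a three-certificate chain is found. The same self-signed construction is what the AP SSC self-signed certificate described earlier relies on.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Chain holds a constructed Root CA -> Intermediate CA -> LSC device certificate.
// Names, serials and lifetimes are made up for this example.
type Chain struct {
	Root, Intermediate, Device *x509.Certificate
}

// issue signs tmpl with parentKey; passing parent == tmpl yields a self-signed certificate.
func issue(tmpl, parent *x509.Certificate, pub *rsa.PublicKey, parentKey *rsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// template returns a one-year certificate template; ca selects CA constraints and key usage.
func template(serial int64, cn string, ca bool) *x509.Certificate {
	now := time.Now()
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn, Organization: []string{"Example Corp"}},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(365 * 24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  ca,
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
	}
	if ca {
		t.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	}
	return t
}

// BuildChain generates three RSA keys (2048-bit for speed; the WLC default is
// 4096) and issues the root, intermediate and device certificates.
func BuildChain() (*Chain, error) {
	var keys [3]*rsa.PrivateKey
	for i := range keys {
		k, err := rsa.GenerateKey(rand.Reader, 2048)
		if err != nil {
			return nil, err
		}
		keys[i] = k
	}
	rootTmpl := template(1, "Example Root CA", true)
	root, err := issue(rootTmpl, rootTmpl, &keys[0].PublicKey, keys[0]) // self-signed anchor
	if err != nil {
		return nil, err
	}
	inter, err := issue(template(2, "Example Intermediate CA", true), root, &keys[1].PublicKey, keys[0])
	if err != nil {
		return nil, err
	}
	dev, err := issue(template(3, "ap-lsc.example.com", false), inter, &keys[2].PublicKey, keys[1])
	if err != nil {
		return nil, err
	}
	return &Chain{Root: root, Intermediate: inter, Device: dev}, nil
}

// VerifyAgainstTrustpool validates dev against the CA certificates present in the
// trustpool. Self-signed CA certificates act as trust anchors; any other CA
// certificate can only serve as an intermediate link. It returns the length of
// the first valid chain, or an error when no path to a trust anchor exists.
func VerifyAgainstTrustpool(dev *x509.Certificate, pool ...*x509.Certificate) (int, error) {
	roots, intermediates := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range pool {
		if bytes.Equal(c.RawIssuer, c.RawSubject) {
			roots.AddCert(c)
		} else {
			intermediates.AddCert(c)
		}
	}
	chains, err := dev.Verify(x509.VerifyOptions{
		Roots:         roots,
		Intermediates: intermediates,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
	})
	if err != nil {
		return 0, err
	}
	return len(chains[0]), nil
}

func main() {
	ch, err := BuildChain()
	if err != nil {
		panic(err)
	}
	n, err := VerifyAgainstTrustpool(ch.Device, ch.Root) // intermediate missing from the pool
	fmt.Printf("root only:         chain length %d, err=%v\n", n, err)
	n, err = VerifyAgainstTrustpool(ch.Device, ch.Root, ch.Intermediate) // complete chain
	fmt.Printf("root+intermediate: chain length %d, err=%v\n", n, err)
}
```

The first verification fails with an unknown-authority error and the second succeeds with a chain of three certificates, which is the practical reason the intermediate CA certificate must be imported alongside the root before APs provisioned with such an LSC can join.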
SHA1 SUDI certificates on hardware controllers have an imminent expiry date and devices using expired certificates face disruption in service. To ensure a smooth migration to the latest SUDI99 certificate issued by CMCA-III authority, the controllers have been programmed with newer certificates in their secure hardware chip. These certificates are enabled by default and are valid till December 2099.
This is supported only on the following devices:
- Appliance 9800 wireless controllers - C9800-40, C9800-80 and C9800-L
- Embedded wireless controller on APs - C9105, C9110, C9115, C9117, C9120, C9130, C9136 and C9140
However, if you do not wish to migrate at this point:
- On the tab, go to the SUDI Status section.
- Disable the Cisco Manufacturing CA III certificate to continue using the older certificate that is mapped to an existing Trustpoint.
- Click to save the configuration.
- Reload the device for the configuration to take effect.