This article describes how to install a custom SSL certificate on your Cisco Wireless Controller 9800 to avoid HTTPS warnings.
Prerequisites
Before starting, ensure that you have the following prerequisites:
- Your Cloudi-Fi Guest SSID/Subnet must already be configured before you apply the following procedure. If you haven’t configured your Cloudi-Fi Guest SSID yet, please follow this article: How to enable Cloudi-Fi with Cisco Catalyst 9800 Series Wireless Controllers.
- A dedicated SSL certificate has to be issued.
TLS/SSL certificates secure internet connections by encrypting your data. They ensure that data is transmitted privately, without modifications, loss, or theft. By adding a certificate to your WLC, you will ensure a safer internet experience for your users.
Moreover, some browsers might block authentication on HTTP pages. Using a certificate will permit access to HTTPS pages, and your users will be able to authenticate.
1. Import the certificate
On your Cisco 9800, go to Configuration > Security > PKI Management.
In the PKI Management window, click the Add Certificate tab and expand the PKCS12 Certificate menu. Certificate Password refers to the password used when the PKCS12 certificate was generated.
Then select the Desktop (HTTPS) option as the Transport Type.
Verify the certificate chain, which must contain the following, in this order:
-----BEGIN CERTIFICATE-----
*Device cert*
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
*Intermediate CA cert*
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
*Root CA cert*
-----END CERTIFICATE-----
The certificate must be in PKCS12 format.
You can also use the TFTP option.
With the TFTP Transport Type, you have to configure a TFTP server (you can download a free TFTP server). Then add the certificate to your TFTP-Root directory, which has to be the directory the TFTP server serves files from.
Click on Import. After that, you should see the new certificate in the Key Pair Generation tab.
2. Use the new certificate
Go to Administration > Management > HTTP/HTTPS/Netconf/VTY, choose the imported certificate from the Trust Points drop-down list, and click Save.
Navigate to Configuration > Security > Web Auth and choose the global parameter map.
Then choose the imported trust point from the Trustpoint drop-down list. Click Update & Apply to save the changes. Ensure that the Virtual IPv4 Hostname matches the Common Name in the certificate.
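The chain order required in step 1 and the Common Name match required above can both be checked before you upload the bundle. The following is an added example, not part of the original article or of Cisco's tooling: it assumes the openssl CLI is installed and reads the PEM chain on standard input; the function names and exit codes are illustrative. It compares subject and issuer names only and does not verify signatures.

```shell
# Added example (not from the article): pre-upload check of a PEM chain.
# Assumes the openssl CLI; function names and exit codes are illustrative.

# Print, for each certificate on stdin in file order, its subject DN and
# then its issuer DN on separate lines (RFC 2253 form, CN first).
chain_names() {
  awk '
    /-----BEGIN CERTIFICATE-----/ { pem = ""; inside = 1 }
    inside { pem = pem $0 "\n" }
    /-----END CERTIFICATE-----/ {
      inside = 0
      cmd = "openssl x509 -noout -subject -issuer -nameopt RFC2253"
      printf "%s", pem | cmd; close(cmd)
    }' | sed -e 's/^subject= *//' -e 's/^issuer= *//'
}

# check_chain HOSTNAME < chain.pem
# 0 = device cert, then intermediate(s), then self-signed root, and the
#     device CN equals HOSTNAME (the Virtual IPv4 Hostname)
# 2 = CN mismatch, 3 = wrong order, 4 = fewer than three certificates,
# 5 = last certificate is not self-signed
check_chain() (
  host=$1; n=0; prev_iss=""; last_subj=""
  names=$(chain_names)
  while read -r subj && read -r iss; do
    n=$((n + 1))
    if [ "$n" -eq 1 ]; then
      cn=$(printf '%s\n' "$subj" | sed -n 's/^CN=\([^,]*\).*/\1/p')
      [ "$cn" = "$host" ] || { echo "device CN '$cn' is not '$host'" >&2; exit 2; }
    elif [ "$subj" != "$prev_iss" ]; then
      echo "cert $n ($subj) did not issue cert $((n - 1))" >&2; exit 3
    fi
    prev_iss=$iss; last_subj=$subj
  done <<EOF
$names
EOF
  [ "$n" -ge 3 ] || { echo "expected device, intermediate and root; found $n" >&2; exit 4; }
  [ "$last_subj" = "$prev_iss" ] || { echo "last cert is not a self-signed root" >&2; exit 5; }
)
```

To check the PKCS12 file itself, pipe the output of `openssl pkcs12 -in <bundle> -nokeys` into `check_chain <hostname>`; only the certificate blocks in that output are read.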
3. Reboot your wireless controller
The new certificate takes effect after you reboot your controller.
What's next?
More details about Certificate import on WLC: Generate and Download CSR Certificates on Catalyst 9800 WLCs