
[WLC] How to import Wildcard/SSL certificate for "WEB" on wireless controllers



Article ID: KB30970 | KB Last Updated: 19 Aug 2017 | Version: 1.0

 This article explains how to import the Wildcard certificate on Juniper wireless controllers.


The web browser continuously returns 'SSL Certificate error' or 'SSL certificate expire alert' messages for web-portal users, who then have trouble connecting to the web-portal login page.

  1. Generate a CSR on the domain controller (not on the WLC). Then submit the CSR to a Certificate Authority (Thawte, GoDaddy, etc.) to obtain the PKCS12 certificate, which will be in .pfx format. Verify that the certificate is complete with Root/Intermediate/Device certificates by saving the certificate in .crt format.

  2. Once the Wildcard certificate is complete, save the certificate again in .pfx format. Then copy the PKCS #12 object file for a Web certificate to nonvolatile storage on the WLC/MX controllers by using a TFTP server and the following command:

    WLC# copy tftp://<tftp ip>/<file-name> <filename>

  3. Type the one-time password, which is the private key provided by the CA. Use the following command to enter the OTP:

    WLC# crypto otp web <one-time password>

    Note: The password secures the file so that the keys and certificate cannot be installed by an unauthorized party.

  4. Unpack the PKCS #12 file into the WLC certificate and key store. Use the following command to unpack the file:

    WLC# crypto pkcs12 web <file name>

    Note: The filename is the location of the file on the WLC.

  5. Use the following commands to verify that the Root/Intermediate/Device certificates for “WEB” are valid:

    show crypto certificate <web> --- To verify Device certificate
    show crypto ca-certificate <web> --- To verify Root/Intermediate certificates

    Note: If you do not see the Root/Intermediate certificates, contact the certificate authority and request the full-chain certificate.

    After importing the Wildcard certificate, configure the Web-portal "SSL" mode as "Full" with the following command:

    set web-portal ssl-mode <full>
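
The completeness check from step 1 can be scripted on the workstation that holds the .pfx, before the file is copied to the WLC. This is an added example, not part of the original article or Juniper tooling; it assumes OpenSSL is installed, and the function names, the PFX_PASS variable and the demo chain for *.example.test are constructed for illustration.

```shell
# Added example. Structural check only: compares subject/issuer names,
# does not verify signatures. Password is read from $PFX_PASS (assumed name).
pfx_chain_check() {
    pfx=$1
    tmp=$(mktemp -d) || return 2
    # -nokeys: only certificates are written out, never the private key
    if ! openssl pkcs12 -in "$pfx" -nokeys -passin env:PFX_PASS \
            -out "$tmp/all.pem" 2>/dev/null; then
        rm -rf "$tmp"; return 2          # unreadable file or wrong password
    fi
    # Split the bundle into one PEM file per certificate
    awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/ {n++; p=1}
        p {print > (d "/c" n ".pem")}
        /-----END CERTIFICATE-----/ {p=0}' "$tmp/all.pem"
    for c in "$tmp"/c*.pem; do
        [ -f "$c" ] || continue
        openssl x509 -in "$c" -noout -subject -nameopt RFC2253 |
            sed 's/^subject= *//' >> "$tmp/subjects"
    done
    count=0; root=0; missing=0
    for c in "$tmp"/c*.pem; do
        [ -f "$c" ] || continue
        s=$(openssl x509 -in "$c" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//')
        i=$(openssl x509 -in "$c" -noout -issuer -nameopt RFC2253 | sed 's/^issuer= *//')
        count=$((count + 1))
        if [ "$s" = "$i" ]; then root=1; fi      # self-signed: the Root
        grep -Fxq -- "$i" "$tmp/subjects" || { missing=1; echo "MISSING issuer: $i"; }
        echo "cert: $s  <- issued by: $i"
    done
    rm -rf "$tmp"
    # Complete = device cert plus CA certs, ending in a self-signed Root
    [ "$count" -ge 2 ] && [ "$root" -eq 1 ] && [ "$missing" -eq 0 ]
}

# Constructed sample data: throwaway chain for *.example.test in directory $1
make_demo_pfx() {
    export PFX_PASS=constructed-demo-pass
    ( cd "$1" || exit 1
      openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Demo Root CA" -keyout root.key -out root.crt
      openssl req -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate CA" -keyout int.key -out int.csr
      openssl x509 -req -days 2 -in int.csr -CA root.crt -CAkey root.key -CAcreateserial -out int.crt
      openssl req -newkey rsa:2048 -nodes -subj "/CN=*.example.test" -keyout leaf.key -out leaf.csr
      openssl x509 -req -days 2 -in leaf.csr -CA int.crt -CAkey int.key -CAcreateserial -out leaf.crt
      cat int.crt root.crt > chain.pem
      openssl pkcs12 -export -inkey leaf.key -in leaf.crt -certfile chain.pem -passout env:PFX_PASS -out full.pfx
      openssl pkcs12 -export -inkey leaf.key -in leaf.crt -passout env:PFX_PASS -out leaf-only.pfx
    ) >/dev/null 2>&1
}
```

Export the file's password in PFX_PASS and call `pfx_chain_check` with the .pfx path: exit status 0 means the Device, Intermediate and Root certificates are all present, 1 means the chain is incomplete, and 2 means the file could not be opened with that password.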

