
[Archive] [WLC] How to install a third party CA certificate in WLC controllers


Article ID: KB31575 KB Last Updated: 17 Mar 2020 Version: 3.0
Summary:

This article describes how to install a third party CA certificate in WLC controllers, for customers who need to encrypt Dot1x clients over the air.

Symptoms:

Users will see a certificate trust alert after connecting to the Dot1x SSID.

Cause:

Self-signed certificates are not very secure when compared to CA-signed certificates.

Solution:

Please follow these steps to generate a CSR and to ingest a third party CA certificate in the controller.

  1. Clear the key pair and existing certificates, if any, from the WLC:
    crypto clear keys type eap
    crypto clear ca-certificates type eap
  2. Create a new key pair for EAP, using the command:
    crypto generate key EAP 2048
  3. After the key pair is generated, generate CSR using the command:
    crypto generate request EAP
    Country Name: <Your country code>
    State Name: Any
    Locality Name: Any
    Organizational Name: Any
    Organizational Unit: Any
    Common Name: eap.cert (should be in something.something format)
    Email Address: Any@Any.com
    Unstructured Name: Any
  4. Copy everything from -----BEGIN CERTIFICATE REQUEST----- to -----END CERTIFICATE REQUEST----- and paste it into a text editor without spaces. Save it as a text file.
  5. Submit the CSR to the third party. Obtain the certificate bundle and get the root certificate, intermediate certificate and device certificate. After you get the certificate bundle, please follow these steps:
  6. To ingest root certificate:
    crypto ca-certificate eap (enter the PEM code)
  7. To ingest intermediate certificate:
    crypto ca-certificate eap (enter the PEM code)
  8. To ingest device certificate:
    crypto certificate eap (enter the PEM code)
  9. After the certificates are installed, use the following commands to verify that the certificates are installed properly:
    crypto check ca-certs
    show crypto ca-certificate eap
    show crypto certificate eap

If you have another controller on the network, repeat the above steps. Create a separate CSR for each controller and have it signed by the CA.
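
Before pasting the bundle from step 5 into the controller (steps 6 to 8), it can be checked offline. The script below is an added example, not part of the original article or Juniper's tooling: it confirms that the device certificate was issued for the key pair behind the controller's CSR and that it chains through the intermediate to the root. It assumes a workstation with OpenSSL and that the CSR and the three certificates were saved as separate PEM files; the file names are hypothetical.

```shell
#!/bin/sh
# Added example: run on a workstation with OpenSSL, not on the WLC.
# All file names passed in are assumptions; the article names none.

# check_bundle CSR DEVICE_CERT INTERMEDIATE_CERT ROOT_CERT
# Returns 0 only if the device certificate carries the public key from
# the controller's CSR and chains through the intermediate to the root.
check_bundle() {
    csr=$1; device=$2; inter=$3; root=$4

    # Public key the WLC generated (step 2), as embedded in its CSR.
    csr_key=$(openssl req -in "$csr" -noout -pubkey 2>/dev/null)
    # Public key the CA actually certified.
    dev_key=$(openssl x509 -in "$device" -noout -pubkey 2>/dev/null)

    if [ -z "$csr_key" ] || [ -z "$dev_key" ]; then
        echo "cannot parse CSR or device certificate (check PEM armor and stray spaces)" >&2
        return 2
    fi
    if [ "$csr_key" != "$dev_key" ]; then
        echo "device certificate was not issued for this controller's key pair" >&2
        return 1
    fi

    # The root is supplied as the trust anchor; the intermediate is
    # untrusted input that must itself verify against the root.
    if ! openssl verify -CAfile "$root" -untrusted "$inter" "$device" >/dev/null 2>&1; then
        echo "chain root -> intermediate -> device does not verify" >&2
        return 1
    fi
    echo "bundle OK: key matches CSR and chain verifies"
}

# Usage: sh check_bundle.sh wlc1.csr device.pem intermediate.pem root.pem
if [ "$#" -eq 4 ]; then
    check_bundle "$@"
fi
```

A key mismatch usually means the certificate was issued against another controller's CSR, which is why each controller needs its own request.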
