
[Archive] [WLC] How to install a third party CA certificate in WLC controllers



Article ID: KB31575 | KB Last Updated: 17 Mar 2020 | Version: 3.0

This article describes how to install a third party CA certificate in WLC controllers, for customers who need to encrypt Dot1x clients over the air.


Users will see a certificate trust alert after connecting to the Dot1x SSID.


Self-signed certificates are not very secure when compared to CA certificates.


Please follow these steps to generate a CSR and to ingest a third party CA certificate in the controller.

  1. Clear the key pair and existing certificates, if any, from the WLC:
    crypto clear keys type eap
    crypto clear ca-certificates type eap
  2. Create a new key pair for EAP, using the command:
    crypto generate key EAP 2048
  3. After the key pair is generated, generate a CSR using the command:
    crypto generate request EAP
    Country Name: <Your country code>
    State Name: Any
    Locality Name: Any
    Organizational Name: Any
    Organizational Unit: Any
    Common Name: eap.cert (should be like something.something format)
    Email Address:
    Unstructured Name: Any
  4. Copy everything from -----BEGIN CERTIFICATE REQUEST----- to -----END CERTIFICATE REQUEST----- and paste it into a text editor without spaces. Save it as a text file.
  5. Submit the CSR to the third party. Obtain the certificate bundle and get the root certificate, intermediate certificate and device certificate. After you get the certificate bundle, please follow these steps:
  6. To ingest root certificate:
    crypto ca-certificate eap (enter the PEM code)
  7. To ingest intermediate certificate:
    crypto ca-certificate eap (enter the PEM code)
  8. To ingest device certificate:
    crypto certificate eap (enter the PEM code)
  9. After the certificates are installed, use the following commands to verify that the certificates are installed properly.
    crypto check ca-certs
    show crypto ca-certificate eap
    show crypto certificate eap

If you have another controller on the network, repeat the above steps. Create a new CSR separately for each controller and get it signed from CA.
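
The following preflight check is an added example, not part of the Juniper article or the WLC software. It sorts the PEM certificates from the bundle obtained in step 5 into root, intermediate and device by comparing issuer and subject names, and pairs each with the ingest command from steps 6 to 8. All function names and the sample bundle are constructed for illustration, and the check does not verify signatures.

```python
import base64, re
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)
# WLC ingest command per role, taken from steps 6-8 of the article.
COMMAND = {"root": "crypto ca-certificate eap", "intermediate": "crypto ca-certificate eap",
           "device": "crypto certificate eap"}

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length: next n bytes hold it
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER: the PEM paste is incomplete")
    return tag, pos, pos + length

def issuer_subject(der):
    """Raw issuer and subject Name encodings of a DER X.509 certificate."""
    _, pos, _ = read_tlv(der, 0)           # Certificate SEQUENCE
    _, pos, end = read_tlv(der, pos)       # tbsCertificate SEQUENCE
    fields = []
    while pos < end and len(fields) < 6:
        tag, _, nxt = read_tlv(der, pos)
        fields.append((tag, der[pos:nxt]))
        pos = nxt
    if fields[0][0] == 0xA0:               # optional explicit [0] version
        fields.pop(0)
    return fields[2][1], fields[4][1]      # order: serial, sigAlg, issuer, validity, subject

def classify_bundle(pem_text):
    """Return [(role, wlc_command)] for each certificate, in bundle order."""
    names = [issuer_subject(base64.b64decode("".join(b.split())))
             for b in PEM_RE.findall(pem_text)]
    issuing = {i for i, s in names if i != s}   # names that issued another cert
    roles = ["root" if i == s else "intermediate" if s in issuing else "device"
             for i, s in names]
    return [(r, COMMAND[r]) for r in roles]

# Constructed sample: unsigned skeleton certificates (structure only), device first.
def tlv(tag, body): return bytes([tag, len(body)]) + body
def name(cn): return tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, b"\x55\x04\x03") + tlv(0x0C, cn.encode()))))
def skeleton(issuer, subject):
    tbs = (tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + tlv(0x30, b"")
           + name(issuer) + tlv(0x30, b"") + name(subject) + tlv(0x30, b""))
    der = tlv(0x30, tlv(0x30, tbs) + tlv(0x30, b"") + tlv(0x03, b"\x00"))
    return "-----BEGIN CERTIFICATE-----\n" + base64.b64encode(der).decode() + "\n-----END CERTIFICATE-----\n"
SAMPLE_BUNDLE = (skeleton("Example Issuing CA", "eap.cert") + skeleton("Example Root CA", "Example Issuing CA")
                 + skeleton("Example Root CA", "Example Root CA"))
if __name__ == "__main__": print(*classify_bundle(SAMPLE_BUNDLE), sep="\n")
```

Pass the text of the CA's bundle file to `classify_bundle` in place of `SAMPLE_BUNDLE`; a bundle with no certificate classified as `device` usually means the CA-only chain file was downloaded instead of the full bundle.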
