Thursday, May 20, 2010

Certificate Conversion

The Cisco wireless LAN controllers are shipped with built-in self-signed certificates for web management and web portal authentication. In addition, certificates can be uploaded for use with Local EAP authentication and Certificate Authority verification purposes.

However, the controllers recognize only PEM-format certificates. Why is anyone's guess, since the certificates are not used for protected e-mail of any kind (PEM stands for Privacy Enhanced Mail). The only reason I can think of for this format is that it is well known and can hold both a certificate with its private key and a certificate containing only a public key. Cisco calls certificates that include a private key "Vendor Device Certificates", and certificates containing only a public key, such as a CA certificate used to verify digital signatures, "Vendor CA Certificates".

If your certificate authority or PKI is Microsoft-based, which does not support PEM, then you're stuck converting certificates from PKCS12, PFX, DER, or Base64 into PEM format before importing them on the controller. Here's how to do it:

First, download and install OpenSSL on your workstation, either Linux or Windows. It can be found here:
http://www.openssl.org/
http://www.slproweb.com/products/Win32OpenSSL.html

If PFX or PKCS12 device certificates need to be converted to PEM format, complete the following steps:

  • Copy the PFX or PKCS12 certificate to a PC with OpenSSL installed
  • Execute the C:\OpenSSL\bin\openssl.exe file on Windows from a command prompt, or the executable file on Linux, and enter the following commands:

    openssl> pkcs12 -in certificate.pfx -out newcertificate.pem

    Enter Import Password : existing_private_key_password

    MAC verified OK
    Enter PEM pass phrase: new_private_key_password

    Verifying - Enter PEM pass phrase: new_private_key_password
  • The certificate file is now converted to PEM format and is ready to be downloaded to the controller.

If DER or Base 64 CA certificates need to be converted to PEM format, complete the following steps:

  • Copy the DER or Base 64 certificate to a PC with OpenSSL installed
  • Execute the C:\OpenSSL\bin\openssl.exe file on Windows from a command prompt, or the executable file on Linux, and enter the following commands:

    openssl> x509 -in certificate.cer -inform DER -out newcertificate.pem -outform PEM
  • The certificate file is now converted to PEM format and is ready to be downloaded to the controller.
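As an added example (not code from the original post or from Cisco), here is a pure-Python routine that performs the DER/Base64 to PEM step above without OpenSSL, validates that the result is one complete DER object, and reports which of the two upload categories named earlier a PEM file falls into. SAMPLE_DER is a constructed stand-in, not a real certificate, and PFX/PKCS12 files still need the openssl pkcs12 command.

```python
import base64
import re

# Constructed stand-in for a DER certificate: SEQUENCE { INTEGER 5 }, not a real cert
SAMPLE_DER = bytes.fromhex("3003020105")
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", re.S)

def der_length_ok(data: bytes) -> bool:
    """True if data is exactly one complete DER SEQUENCE (tag, length, body)."""
    if len(data) < 2 or data[0] != 0x30:
        return False
    first = data[1]
    if first < 0x80:                                # short-form length
        length, header = first, 2
    else:                                           # long form: 0x8N then N bytes
        n = first & 0x7F
        if n == 0 or len(data) < 2 + n:
            return False
        length, header = int.from_bytes(data[2:2 + n], "big"), 2 + n
    return header + length == len(data)

def to_pem(data: bytes) -> str:
    """Convert a DER, bare-Base64 or PEM certificate file to clean PEM text."""
    if data.lstrip().startswith(b"-----BEGIN"):      # already PEM: validate and re-wrap
        blocks = PEM_BLOCK.findall(data.decode("ascii"))
    else:
        try:                                        # Base64 text, CRLF or any wrapping
            raw = base64.b64decode(b"".join(data.split()), validate=True)
        except ValueError:                          # not Base64 text, so treat as DER
            raw = data
        blocks = [("CERTIFICATE", base64.b64encode(raw).decode("ascii"))]
    out = []
    for name, body in blocks:
        raw = base64.b64decode("".join(body.split()))
        if not der_length_ok(raw):
            raise ValueError(f"{name} block is not one complete DER object")
        b64 = base64.b64encode(raw).decode("ascii")
        lines = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
        out.append(f"-----BEGIN {name}-----\n{lines}\n-----END {name}-----\n")
    return "".join(out)

def cisco_kind(pem: str) -> str:
    """Name the controller upload category a PEM file matches, judged by its blocks."""
    labels = {name for name, _ in PEM_BLOCK.findall(pem)}
    has_key = any("PRIVATE KEY" in name for name in labels)
    if "CERTIFICATE" in labels and has_key:
        return "Vendor Device Certificate"          # certificate plus its private key
    if "CERTIFICATE" in labels:
        return "Vendor CA Certificate"              # public certificate only
    return "unknown"
```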

If a private key and a certificate, both in PEM format, need to be merged into a single PKCS12 file, complete the following steps:

  • Copy the PEM private key and certificate files to a PC with OpenSSL installed
  • Execute the C:\OpenSSL\bin\openssl.exe file on Windows from a command prompt, or the executable file on Linux, and enter the following commands:

    OpenSSL> pkcs12 -export -inkey certpvk.pem -in cert.pem -out certnew.p12
    Loading 'screen' into random state - done
    Enter Export Password: new_private_key_password
    Verifying - Enter Export Password: new_private_key_password
    OpenSSL>
  • The certificate and private key are now merged into one PKCS12 file.

Upload the converted certificates to the controller either through the web interface or the CLI.


Andrew



2 comments:

  1. Hello, what if you have an SSL wildcard certificate? Do you need to do the same, or can you just load it directly onto the WLC in .pem format?

  2. Wildcard certificates are the same. They need to be in PEM format. You might need to convert them.