Loading a Signed Certificate on a Cisco WLC
Recently, I’ve been on a mission to tighten my company’s security posture, such as disabling SSL 3.0 and TLS 1.0 on all systems that don’t rely on those protocols and replacing self-signed certificates on management consoles with CA-trusted certificates.
During this mission, I’ve come to our wireless LAN controller (WLC). This WLC doesn’t run the standard Cisco IOS found on all of their switches and security devices. Instead, it uses an IOS that provides a usable web management interface that doesn’t rely on a Java program like ASDM. Unfortunately, this also reduces the amount of information provided to you when an error occurs, which I kept getting while trying to upload a certificate chain file in .pem format via TFTP:
File transfer failed!
Fortunately, the error messages are sent to our central syslog server. Unfortunately, the syslog messages are also fairly vague:
*TransferTask: Jul 25 12:45:01.577: #SSHPM-3-KEYED_PEM_DECODE_FAILED: sshpmcert.c:4102 Cannot PEM decode private key
The WLC IOS is running version 7.5.102.0 (way behind on updates, I know), and it seems this is a known issue with .pem files encoded with the newer OpenSSL v1.0.2. Cisco’s solution to this error is to use OpenSSL v0.9.8 to do the conversion.
The .pem file was initially converted from a CA-provided .pfx certificate chain. Unfortunately, OpenSSL v0.9.8 is no longer supported and is difficult to find and get working. The only way to get it working on a Linux server at this point is to fetch the source and build it manually, which has its own pitfalls of syntax errors in the source files.
Luckily, I was able to find this Windows build of OpenSSL v0.9.8 to do the conversion:
openssl-0.9.8s-x64_86-win64.zip
- Download and extract the archive (I’ll use C:\Users\Jack\Downloads\openssl-0.9.8s-x64_86-win64\ for this example).
- Open a PowerShell prompt and navigate to the extracted directory:
  cd 'C:\Users\Jack\Downloads\openssl-0.9.8s-x64_86-win64\'
- Run the following command to convert the .pfx file to the correctly encoded .pem format:
  .\openssl.exe pkcs12 -in <filename.pfx> -out <filename.pem>
Be sure to specify a password for the .pem file. The WLC will require you to provide the .pem file’s password before it will attempt to download it from the TFTP server. If no password is set, the upload fails with a message stating that you need to enter a password.
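Before handing the converted file to the WLC, it is worth checking that it actually contains what the controller expects: a private key that is password-protected plus at least one certificate. The script below is an added example (not part of the original post or any Cisco tooling) written for the Linux side of the workflow; it assumes, as labelled in the comments, that OpenSSL 0.9.8 writes the key in the traditional form (a "BEGIN RSA PRIVATE KEY" block with Proc-Type/DEK-Info headers) while newer OpenSSL writes PKCS#8 ("BEGIN ENCRYPTED PRIVATE KEY"), and it flags the latter as the likely cause of the "Cannot PEM decode private key" error quoted above. The sample files it creates are constructed placeholders, not real key material.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): a pre-upload sanity check for the
# .pem chain file before it is offered to the WLC over TFTP.
#
# Assumption, labelled: OpenSSL 0.9.8's "pkcs12 -out" writes the private key in
# the traditional form ("BEGIN RSA PRIVATE KEY" with Proc-Type/DEK-Info headers),
# whereas newer OpenSSL writes PKCS#8 ("BEGIN ENCRYPTED PRIVATE KEY"). The check
# treats the traditional encrypted form as the one the WLC accepts and flags the
# PKCS#8 form, as well as unencrypted keys, which the post says the WLC rejects.

# check_wlc_pem FILE
# Prints exactly one status word and returns 0 only for "ok":
#   ok               traditional RSA key, encrypted, plus at least one certificate
#   no-cert          no "BEGIN CERTIFICATE" block found
#   no-key           no private key block found
#   key-pkcs8        PKCS#8 key (typical of OpenSSL 1.0.x and later output)
#   key-unencrypted  private key present but not password-protected
check_wlc_pem() {
  file="$1"
  # "--" keeps grep from reading the leading dashes of the pattern as options.
  certs=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$file" || true)
  certs=${certs:-0}
  if [ "$certs" -lt 1 ]; then
    echo "no-cert"; return 1
  fi
  if grep -q -- '-----BEGIN ENCRYPTED PRIVATE KEY-----' "$file"; then
    echo "key-pkcs8"; return 1
  fi
  if grep -q -- '-----BEGIN PRIVATE KEY-----' "$file"; then
    echo "key-unencrypted"; return 1
  fi
  if grep -q -- '-----BEGIN RSA PRIVATE KEY-----' "$file"; then
    # Traditional-format keys are only encrypted when both headers are present.
    if grep -q '^Proc-Type: 4,ENCRYPTED' "$file" && grep -q '^DEK-Info:' "$file"; then
      echo "ok"; return 0
    fi
    echo "key-unencrypted"; return 1
  fi
  echo "no-key"; return 1
}

# Constructed sample files; the base64 bodies are placeholders, not real keys or certs.
SAMPLE_DIR=$(mktemp -d)
SAMPLE_TRADITIONAL="$SAMPLE_DIR/chain-0.9.8.pem"
SAMPLE_PKCS8="$SAMPLE_DIR/chain-1.0.2.pem"
SAMPLE_PLAIN="$SAMPLE_DIR/chain-nopass.pem"

cat > "$SAMPLE_TRADITIONAL" <<'EOF'
Bag Attributes
    localKeyID: 01 02 03 04
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,0123456789ABCDEF

Q29uc3RydWN0ZWQgcGxhY2Vob2xkZXIsIG5vdCBhIHJlYWwga2V5
-----END RSA PRIVATE KEY-----
subject=/CN=wlc.example.test
issuer=/CN=Example Issuing CA
-----BEGIN CERTIFICATE-----
Q29uc3RydWN0ZWQgcGxhY2Vob2xkZXIsIG5vdCBhIHJlYWwgY2VydA==
-----END CERTIFICATE-----
EOF

cat > "$SAMPLE_PKCS8" <<'EOF'
-----BEGIN ENCRYPTED PRIVATE KEY-----
Q29uc3RydWN0ZWQgcGxhY2Vob2xkZXIsIG5vdCBhIHJlYWwga2V5
-----END ENCRYPTED PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
Q29uc3RydWN0ZWQgcGxhY2Vob2xkZXIsIG5vdCBhIHJlYWwgY2VydA==
-----END CERTIFICATE-----
EOF

cat > "$SAMPLE_PLAIN" <<'EOF'
-----BEGIN RSA PRIVATE KEY-----
Q29uc3RydWN0ZWQgcGxhY2Vob2xkZXIsIG5vdCBhIHJlYWwga2V5
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
Q29uc3RydWN0ZWQgcGxhY2Vob2xkZXIsIG5vdCBhIHJlYWwgY2VydA==
-----END CERTIFICATE-----
EOF

for f in "$SAMPLE_TRADITIONAL" "$SAMPLE_PKCS8" "$SAMPLE_PLAIN"; do
  printf '%s: %s\n' "$(basename "$f")" "$(check_wlc_pem "$f" || true)"
done
```

Run it against your own file with `check_wlc_pem /path/to/chain.pem`; anything other than "ok" is worth fixing before the TFTP transfer, since the WLC’s own error and the syslog line give little more to go on than "Cannot PEM decode private key".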
That’s it, you can now upload the .pem certificate to the WLC device. Now to get that WLC IOS updated to the latest version to take care of the weak X.509 protocols, and it will be golden.