
Preparing Certificate for Import at Cisco WLC

5500 (FW 8.5.151.0) and 9800 (FW 17.3.5b, 17.9.3)


Note:
This manual applies only to certificates generated in ZeroSSL, which by default does not issue
a root certificate. For certificates generated by other CAs (Certificate Authorities), verify
whether a root certificate is already supplied with the generated certificate. In case of questions,
refer to your CA's FAQ for further clarification.
Info:
Before following this manual to create root certificates, first check whether your CA is
ZeroSSL. To identify the CA of your certificate, follow the examples in Pictures 1 and 2 below:
Picture 1:
Picture 2:

Preparing the environment:


Step 1 - Download OpenSSL and install it on your machine:
A- Windows:
https://slproWeb.com/download/win64opensssl_light-3_0_8.exe
B- Linux:
$ sudo apt update
$ sudo apt install openssl
OpenSSL is usually installed by default on most Linux distributions. To make sure that this
is the case, run the above commands on your system.
Step 2 - Create a folder called Certificates at the root of the OpenSSL installation, as shown
below:
Step 3 - Paste the certificates you generated in ZeroSSL into the folder created in Step 2, as shown
below:

Adding the root to the CA certificate:


Step 4 - Right-click your certificate and open it with Notepad, as shown below:
Step 5 - Copy the entire content of the displayed certificate, including the
-----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines.
Step 6 - Open the site https://whatsmychaincert.com/, paste the content you copied from the
certificate into the text box shown in the image, check "Include Root Certificate", then click
Generate.
Step 7 - Save the file under a name of your preference.

It will be like this:


Converting the certificate to OpenSSL:
Step 8 - Open the OpenSSL Command Prompt by typing openssl in the Windows
Start menu:
Step 9 - Enter the OpenSSL Certificates folder created in Step 2 by typing C:\OpenSSL\Certificates;
the result should look like the image below:
Step 10 – Run the following command:
openssl pkcs12 -export -in New-Certificate-chained+root.crt -inkey private.key -out all-certs-out.p12 -passin pass:zoox@pass#@! -passout pass:zoox@pass#@!
1. Certificate name you created in step 6
2. Export certificate file name.
3. Password that can be freely chosen by you
4. Positive export result
Export Result:

Step 11 – With the all-certs-out.p12 file exported, run this command in the same OpenSSL
Prompt window:
openssl pkcs12 -in all-certs-out.p12 -out final.pem -passin pass:zoox@pass#@! -passout pass:zoox@pass#@!
1. Name of the Certificate you exported in step 10
2. Final Export Certificate File Name.
3. Password created by you in step 10
4. Positive export result
Export Result:

The final.pem file is the file that must be imported into the Cisco WLC controller.

⚠️Attention!!!⚠️
If you want to import a certificate to a WLC 9800, read this section:

To import the certificate into the WLC 9800 controller, you need to convert the
certificate created in Step 11 to .PFX or .PKCS12 format using the following command in
openssl:
>openssl pkcs12 -export -in certificate-name.pem -out certificate-name.pkcs12

If your .pem certificate was created with a password (Step 11), you will be asked for the
password of this certificate (Red Arrow). After that, you will be asked to create a password for
exporting the new certificate (Green Arrow) and prompted to re-enter the same password for
verification. The password you create to export the certificate CANNOT contain the following
characters:
*, ^, (), [], \ (Cisco bug: CSCwe96882)
Export Result:
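
The shell functions below are an added example, not part of the original manual or of any Cisco or ZeroSSL tooling. They check the final.pem bundle from Step 11 and a candidate WLC 9800 export password before upload. The function names and the expectation of at least two certificates in the bundle (leaf plus chain and root) are assumptions.

```shell
# Added example, not from the original manual. Function names are hypothetical.

# Succeeds only if the password avoids the characters the manual lists as
# rejected on the WLC 9800 (Cisco bug CSCwe96882): * ^ ( ) [ ] \
password_ok_for_9800() {
    case "$1" in
        *'*'*|*'^'*|*'('*|*')'*|*'['*|*']'*|*'\'*) return 1 ;;
    esac
    return 0
}

# Count PEM blocks whose BEGIN label matches the given pattern.
count_blocks() {
    grep -c "^-----BEGIN $1-----" "$2" || true
}

# Structural check of final.pem: exactly one private key, every certificate
# block closed, and more than one certificate (assumption: leaf + chain + root).
check_bundle() {
    certs=$(count_blocks 'CERTIFICATE' "$1")
    ends=$(grep -c '^-----END CERTIFICATE-----' "$1" || true)
    keys=$(count_blocks '.*PRIVATE KEY' "$1")
    [ "$certs" -eq "$ends" ] || { echo "unterminated certificate block"; return 1; }
    [ "$keys" -eq 1 ] || { echo "expected 1 private key, found $keys"; return 1; }
    [ "$certs" -ge 2 ] || { echo "only $certs certificate: chain and root missing"; return 1; }
    echo "ok: $certs certificates, 1 private key"
}

# Print subject and issuer of each certificate in bundle order and say whether
# the last one is self-signed, i.e. the root was included. Requires openssl.
chain_report() {
    tmp=$(mktemp -d) || return 1
    awk -v d="$tmp" '/^-----BEGIN CERTIFICATE-----/ { n++; on = 1 }
        on { print > (d "/" n ".pem") }
        /^-----END CERTIFICATE-----/ { on = 0 }' "$1"
    i=1; s=; u=
    while [ -f "$tmp/$i.pem" ]; do
        s=$(openssl x509 -noout -subject -in "$tmp/$i.pem")
        u=$(openssl x509 -noout -issuer -in "$tmp/$i.pem")
        printf '[%s] %s\n    %s\n' "$i" "$s" "$u"
        i=$((i + 1))
    done
    rm -rf "$tmp"
    if [ -n "$s" ] && [ "${s#subject=}" = "${u#issuer=}" ]; then
        echo "last certificate is self-signed (root present)"
    else
        echo "last certificate is not self-signed (root missing)"; return 1
    fi
}
```

Source the file in a POSIX shell inside the Certificates folder, then run `check_bundle final.pem` and `chain_report final.pem` before uploading.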
