Tuesday, 18 September 2012

Installing a PFX File on a Cisco WLC

Cisco provide an excellent guide on how to create a CSR for a wireless LAN controller so that a certificate signed by a public CA can be installed. This is often very useful if you are using the WLC as a guest controller and want to prevent browser security messages that pop-up in a guest’s browser each time they access your guest wireless network.

The Cisco guide can be found here:


It also details how to install the chained certificate (provided by a public CA) onto the WLC. The certificates in the examples shown in the document use a ‘.pem’ (Privacy Enhanced Mail) format file.

The method described in the (Cisco) document involves generating a CSR using OpenSSL version 0.9.8 to create a certificate request, which is then submitted to a public CA such as Thawte, Verisign etc.

It should be possible to generate CSRs using other methods (other than OpenSSL), but you may not end up with a resultant certificate file in the required file format to import into your WLC.

I had an instance recently where a customer had generated a certificate using their usual CSR method (I’m not too sure what they used), but the resulting file they received from their public CA (Thawte in this case) was a ‘.pfx’ file (Personal Information Exchange). The file required to import into a WLC is a ‘.pem’ file (see this page for more information about various certificate file formats).

So, I was in a bit of a tight spot, as the supplied ‘.pfx’ file was the incorrect format. I tried (in desperation) to import it anyhow, but it just failed with a rather unhelpful ‘file transfer error’ message.

So I had a dig about on the Internet and found a very useful document which walked through the process of how to convert the pfx file into a format I could use to create my final pem file.

To convert from pfx to pem format, I still needed the services of OpenSSL, which I installed onto my Windows 7 laptop. You can get it from this page, but make sure you get the 0.9.8 version, otherwise the resultant files will not work on a Cisco WLC (you have been warned). Also, I believe that this process can only be performed if the pfx file you have been supplied with allows the export of the private key (this would have been specified as part of the certificate request). You will also need to know the import password for the certificate, which will have been specified when creating the original CSR.

There are 2 stages to the process:

  1. Extract and verify various elements from the pfx file
  2. Completion of the process described in the original Cisco configuration document to generate the final ‘.pem’ file

Stage 1

First of all, we need to extract various elements and verify checksums of what we have extracted. In the examples shown below, I have used the prefix ‘Wireless_Cert’ to indicate the various input and output files used.

The starting point is an input file called Wireless_Cert.pfx. Inline comments indicate what each step is achieving.

The commands run below are run from a standard DOS command line and assume that openssl is in your %PATH% variable (set path=%path%;C:\OpenSSL\bin;). All operations will be performed in the c:\temp directory in this example. (Note: all commands will be on a single line, not broken by line-wraps)

  • Export the private key (import password for certificate required) - creates a new file: Wireless_Cert.key
    openssl pkcs12 -in c:\temp\Wireless_Cert.pfx -out c:\temp\Wireless_Cert.key -nocerts -nodes
  • Remove the private key encryption - creates a new file: Wireless_Cert_s.key
    openssl rsa -in c:\temp\Wireless_Cert.key -out c:\temp\Wireless_Cert_s.key
  • Export the SSL certificate (import password for certificate required) - creates a new file: Wireless_Cert.pem
    openssl pkcs12 -in c:\temp\Wireless_Cert.pfx -out c:\temp\Wireless_Cert.pem -nokeys -clcerts
  • Run the following commands. They should produce the same checksum if all has gone well:
    openssl x509 -noout -modulus -in c:\temp\Wireless_Cert.pem | openssl md5
    openssl rsa -noout -modulus -in c:\temp\Wireless_Cert_s.key | openssl md5

You will now have a file called c:\temp\Wireless_Cert.pem, which will be the subject of stage 2 of our process.

Stage 2

In this stage, we combine the pem file from stage one with the (unencrypted) key file to create our final pem file.

Following on from our previous conventions, execute the following commands from a DOS command line. Note that the import password from the previous stage is required and embedded in the commands below, indicated by ‘xxxxxx’ :

  • Combine the .pem file and key file - a new file is created: c:\temp\All-certs.p12
    openssl pkcs12 -export -in c:\temp\Wireless_Cert.pem -inkey c:\temp\Wireless_Cert_s.key -out c:\temp\All-certs.p12 -clcerts -passin pass:xxxxxx -passout pass:xxxxxx
  • Create the final pem file: c:\temp\final-cert.pem
    openssl pkcs12 -in c:\temp\All-certs.p12 -out c:\temp\final-cert.pem -passin pass:xxxxxx -passout pass:xxxxxx

The final file that is created is c:\temp\final-cert.pem, which is the file imported into the WLC, as described in the original Cisco configuration document.
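The whole two-stage conversion above, written as shell functions with the modulus check wired in so a mismatched key or a half-built final file fails instead of reaching the WLC. This is an added example, not the post's or Cisco's own script: it assumes an openssl binary on $PATH and POSIX sh (Unix-style paths; substitute c:\temp-style paths when typing on Windows), and make_sample_pfx builds a constructed self-signed stand-in for the CA-issued file.

```shell
#!/bin/sh
# Added example, not from the original post: the two-stage PFX -> PEM conversion
# above as shell functions, plus the modulus check. Assumes openssl on $PATH and
# POSIX sh; use c:\temp-style paths when typing the same commands on Windows.
set -e

# Stage 1: $1 = pfx file, $2 = import password, $3 = work dir, $4 = file prefix.
extract_pfx() {
  pfx=$1; pw=$2; dir=$3; name=$4
  # Export the private key only (-nocerts) and leave it unencrypted (-nodes).
  openssl pkcs12 -in "$pfx" -out "$dir/$name.key" -nocerts -nodes -passin "pass:$pw"
  # Rewrite the key as a plain RSA PEM file, the post's "openssl rsa" step.
  openssl rsa -in "$dir/$name.key" -out "$dir/${name}_s.key" 2>/dev/null
  # Export only the end-entity certificate (-clcerts), no keys.
  openssl pkcs12 -in "$pfx" -out "$dir/$name.pem" -nokeys -clcerts -passin "pass:$pw"
}

# The stage 1 check: cert ($1) and key ($2) must have the same modulus.
# Returns 0 only when the two md5 fingerprints agree.
moduli_match() {
  cert_md5=$(openssl x509 -noout -modulus -in "$1" | openssl md5)
  key_md5=$(openssl rsa -noout -modulus -in "$2" 2>/dev/null | openssl md5)
  echo "cert: $cert_md5"; echo "key:  $key_md5"
  [ "$cert_md5" = "$key_md5" ]
}

# Stage 2: $1 = work dir, $2 = file prefix, $3 = password for the new bundle.
build_final_pem() {
  dir=$1; name=$2; pw=$3
  openssl pkcs12 -export -in "$dir/$name.pem" -inkey "$dir/${name}_s.key" \
    -out "$dir/All-certs.p12" -clcerts -passin "pass:$pw" -passout "pass:$pw"
  openssl pkcs12 -in "$dir/All-certs.p12" -out "$dir/final-cert.pem" \
    -passin "pass:$pw" -passout "pass:$pw"
  # The WLC needs both parts in one file; fail if either is missing.
  grep -q 'BEGIN CERTIFICATE' "$dir/final-cert.pem" &&
    grep -q 'PRIVATE KEY' "$dir/final-cert.pem"
}

# Constructed stand-in for the CA-issued file: a self-signed cert packed as a PFX.
make_sample_pfx() {
  dir=$1; pw=$2
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=guest.example.test" \
    -keyout "$dir/orig.key" -out "$dir/orig.crt" 2>/dev/null
  openssl pkcs12 -export -in "$dir/orig.crt" -inkey "$dir/orig.key" \
    -out "$dir/Wireless_Cert.pfx" -passout "pass:$pw"
}
```

Call make_sample_pfx, extract_pfx, moduli_match and build_final_pem in that order against a scratch directory; with a real CA-supplied file, skip make_sample_pfx and point extract_pfx at the .pfx and its import password.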

Don’t forget that all of the steps described above can be found in the following couple of documents, if you should need them for reference: