Generating and Installing Third Party SSL Certificate on a Cisco WLC


There is a process that I recently needed to use to install a third party SSL certificate on a Cisco WLC. This is a process that I have used multiple times in the past, so I wanted to document it for later because I know I will need to search the specific syntax myself. Hopefully you can benefit the next time you need to setup a third party webauth ssl certificate on a Cisco WLC. With that being said, here’s the process that I’ve used many times before.

The Process

First off, you need openssl in one form or another. In my case, I had a CentOS virtual server I remoted into. Then you need to generate the CSR that will be signed.


openssl req -new -newkey rsa:2048 -nodes -out wireless_test_com.csr -keyout wireless_test_com.key -subj "/C=US/ST=Ohio/L=Cleveland/O=TheRoutingTable/OU=Networking/"

Running that will generate the CSR and key on your server. Take that CSR and send it off to your SSL certificate authority like Thawte. Once they sign it, you will get back the signed SSL certificate and an intermediate cert. You may or may not get the root CA from the signing organization as well. If not, go ahead and download it from their site. Next, open all three certificates in notepad and combine them all into one. They need to be in a specific order though -> SSL Cert, Intermediate Cert, Root CA. I saved it as chainedcert.cer then. Then, you go back to openssl.

openssl pkcs12 -export -out wireless.pfx -inkey wireless_test_com.key -in chainedcert.cer

This converts the chained certificate to PKCS12 format. There is one final step then. The WLC wants the certificate in .pem format. This step converts the .pfx into a .pem certificate.

openssl pkcs12 -in wireless.pfx -out wireless-cert.pem

That leaves your wireless-cert.pem. Take this and download it to your WLC. This is done by opening the GUI and navigating to the WebAuth certificate page.

Security -> WebAuth -> Certificate

On this page, use the screen shown below to download your certificate from your server and install it on your WLC:

Then, as mentioned in the image above, you will need to reboot for the new WebAuth certificate to take effect. And that’s about it. Head back to the same page and verify that the new, signed certificate has installed successfully. Then you’re good to go!

If you have any questions, drop them below.


  1. Hi Kevin, I have my certs, first pulled from the wlc and then from the 3rd party. My extensions are .csr and not .pem. I cannot seem to find instruction on what to do.


Please enter your comment!
Please enter your name here

This site uses Akismet to reduce spam. Learn how your comment data is processed.