Cisco Systems OL-7426-03

5/26/05 Adding SSL to the Web User Interface

OL-7426-03

Externally-Generated CertificateExternally-Generated Certificate

Should you desire to use your own Web Administration SSL certificate, complete the following:

•Make sure you have a TFTP server available for the certificate download:

-If you are downloading through the Service port, the TFTP server MUST be on the same

subnet as the Service port, because the Service port is not routable.

-If you are downloading through the DS (Distribution System) network port, the TFTP

server can be on the same or a different subnet, because the DS port is routable.

•Buy or create your own Web Administration SSL key and certificate. If not already done, use a

password, <private_key_password>, to encrypt the key and certificate in a .PEM encoded file.

The PEM-encoded file is called a Web Administration Certificate file

(<webadmincert_name>.pem).

•Move the <webadmincert_name>.pem file to the default directory on your TFTP server.

•Refer to the Using the Cisco WLAN Solution CLI section to connect and use the CLI.

•In the CLI, use the transfer download start command, and answer ‘n’ to the prompt, to view

the current download settings:

>transfer download start

Mode........................................... TFTP

Data Type...................................... Admin Cert

TFTP Server IP................................. xxx.xxx.xxx.xxx

TFTP Path...................................... <directory path>

TFTP Filename..................................

Are you sure you want to start? (y/n) n

Transfer Canceled

•To change the download settings, use the following:

>transfer download mode tftp

>transfer download datatype webauthcert

>transfer download serverip <TFTP server IP address>

>transfer download path <absolute TFTP server path to the update file>

>transfer download filename <webadmincert_name>.pem

Note: The TFTP server cannot run on the same computer as the Cisco Wireless

Control System, because the Cisco WCS and the TFTP server use the same commu-

nication port.

CAUTION: Each certificate has a variable-length embedded RSA Key. The RSA key

can be from 512 bits, which is relatively insecure, through thousands of bits, which is

very secure. When you are obtaining a new certificate from a Certificate Authority

(such as the Microsoft CA), MAKE SURE the RSA key embedded in the certificate is

AT LEAST 768 Bits.

Note: Some TFTP servers require only a forward slash “/” as the <TFTP server IP

address>, and the TFTP server automatically determines the path to the correct

directory.