5/26/05 Adding SSL to the Web User Interface
OL-7426-03
Externally-Generated Certificate
To use your own Web Administration SSL certificate, complete the following:
• Make sure you have a TFTP server available for the certificate download:
- If you are downloading through the Service port, the TFTP server MUST be on the same
subnet as the Service port, because the Service port is not routable.
- If you are downloading through the DS (Distribution System) network port, the TFTP
server can be on the same or a different subnet, because the DS port is routable.
• Buy or create your own Web Administration SSL key and certificate. If not already done, encrypt the
private key with a password, <private_key_password>, and store the key and certificate together in a
single PEM-encoded file. This file is called the Web Administration Certificate file
(<webadmincert_name>.pem).
• Move the <webadmincert_name>.pem file to the default directory on your TFTP server.
• Refer to the Using the Cisco WLAN Solution CLI section to connect and use the CLI.
• In the CLI, use the transfer download start command, and answer ‘n’ to the prompt, to view
the current download settings:
>transfer download start
Mode........................................... TFTP
Data Type...................................... Admin Cert
TFTP Server IP................................. xxx.xxx.xxx.xxx
TFTP Path...................................... <directory path>
TFTP Filename..................................
Are you sure you want to start? (y/n)
n
Transfer Canceled
• To change the download settings, use the following (the data type for the Web Administration
certificate is webadmincert; webauthcert selects the separate web authentication certificate):
>transfer download mode tftp
>transfer download datatype webadmincert
>transfer download serverip <TFTP server IP address>
>transfer download path <absolute TFTP server path to the certificate file>
>transfer download filename <webadmincert_name>.pem
Note: The TFTP server cannot run on the same computer as the Cisco Wireless
Control System, because the Cisco WCS and the TFTP server use the same communication port.
CAUTION: Each certificate embeds the RSA public key of the key pair it was issued for, and the
key length is fixed when that key pair is generated. It can be as short as 512 bits, which is
insecure, or several thousand bits. When you obtain a new certificate from a Certificate Authority
(such as the Microsoft CA), MAKE SURE the RSA key embedded in the certificate is AT LEAST 768 bits.
Treat 768 bits as the controller's floor, not as a recommendation: 768-bit RSA moduli have since
been factored publicly, and a 2048-bit key is the accepted minimum for a new certificate.
Note: Some TFTP servers require only a forward slash “/” as the <absolute TFTP server path>
(the value given to transfer download path); such servers determine the correct directory
themselves.
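The workstation-side preparation described in the steps above (a password-protected private key and its certificate in one PEM file, and the key-length check from the CAUTION), as an added example that is not part of the Cisco document. It assumes the OpenSSL command-line tool, a self-signed certificate standing in for a CA-issued one, the file names NAME.key, NAME.crt, NAME.enc.key and NAME.pem, and a 2048-bit minimum rather than the controller's 768-bit floor; the controller-side transfer download commands are unchanged.

```shell
#!/bin/sh
# Added example (not from the Cisco document): prepare <webadmincert_name>.pem with
# OpenSSL before the TFTP download. Assumed: NAME is the basename, PASSWORD is
# <private_key_password>, and a self-signed certificate stands in for a CA-issued one.
# Usage: make_selfsigned webadmincert 2048 && bundle webadmincert "$PASSWORD" 2048

# rsa_bits CERTFILE : print the size in bits of the RSA public key embedded in CERTFILE.
# Matches "Public-Key: (2048 bit)" (OpenSSL 1.0+) and "RSA Public Key: (1024 bit)" (0.9.x).
rsa_bits() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | sed -n 's/.*Public[- ]Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

# check_key_size CERTFILE MINBITS : succeed only if the embedded RSA key has at least
# MINBITS bits (the document's floor is 768; 2048 is the sensible minimum today).
check_key_size() {
    bits=$(rsa_bits "$1")
    [ -n "$bits" ] && [ "$bits" -ge "$2" ]
}

# make_selfsigned NAME BITS : write NAME.key (unencrypted RSA private key) and NAME.crt
# (self-signed certificate). For a purchased certificate you would instead send a CSR
# (openssl req -new) to the CA and save its reply as NAME.crt.
make_selfsigned() {
    openssl req -x509 -newkey "rsa:$2" -nodes -days 365 -sha256 \
        -subj "/CN=wlc-webadmin.example" \
        -keyout "$1.key" -out "$1.crt" >/dev/null 2>&1
}

# bundle NAME PASSWORD MINBITS : refuse a key shorter than MINBITS, encrypt the private
# key with PASSWORD (AES-256), and write NAME.pem = certificate followed by the encrypted
# key, i.e. the Web Administration Certificate file the controller downloads.
bundle() {
    check_key_size "$1.crt" "$3" || { echo "RSA key in $1.crt is shorter than $3 bits" >&2; return 1; }
    openssl rsa -in "$1.key" -aes256 -passout "pass:$2" -out "$1.enc.key" >/dev/null 2>&1 || return 1
    cat "$1.crt" "$1.enc.key" > "$1.pem"
}

# verify_password NAME PASSWORD : succeed if PASSWORD decrypts the private key that was
# bundled into NAME.pem (reads the encrypted copy written alongside the bundle).
verify_password() {
    openssl rsa -in "$1.enc.key" -passin "pass:$2" -noout >/dev/null 2>&1
}
```

Run bundle with the minimum you intend to enforce; it exits non-zero and writes nothing if the certificate's key is too short, so a too-weak file never reaches the TFTP directory. The password you used is the one the controller will need to unlock the key.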