Syslog Error message
Dec 31 18:32:04.072: %PKI-3-CERTIFICATE_INVALID_EXPIRED: Certificate chain validation has failed. The certificate (SN: 0159BC17) has expired. Validity period ended on 2027-02-23T22:32:59Z
Dec 31 18:32:04.073: %CERT_MGR_ERRMSG-3-CERT_VALIDATION_ERR: Chassis 1 R0/0: wncd: Certificate Validation Error, Cert validation status:pki_ssl_status@pki_ssl_status:PKI_SSL_ERROR
Dec 31 18:32:04.073: %DTLS_TRACE_MSG-3-WLC_DTLS_ERR: Chassis 1 R0/0: wncd: DTLS Error, session:9.10.30.117[5256] MAC: 70db.9888.cc20, Certificate validation failed
Possible Cause
AP is trying to join the controller using an expired certificate.
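The three messages above are what one failed join attempt leaves in the wncd log: the PKI message carries the certificate serial number and its validity end, and the DTLS message carries the IP and MAC of the AP that presented it. Because copied logs frequently arrive run together (the next "Dec 31 ..." timestamp glued to the previous line), pulling those fields out by hand is error-prone. The following Python parser is an added example, not part of Cisco's guide; it splits a run-together log at each IOS XE syslog header, extracts the serial, expiry, peer IP and MAC, and compares the expiry against a clock you supply. The sample log and the `triage` record layout are constructed for this example.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Constructed sample input: the three wncd messages from the guide, run
# together the way a copied log often is (no line break before "Dec 31 ...").
SAMPLE_LOG = (
    "Dec 31 18:32:04.072: %PKI-3-CERTIFICATE_INVALID_EXPIRED: Certificate chain "
    "validation has failed. The certificate (SN: 0159BC17) has expired. Validity "
    "period ended on 2027-02-23T22:32:59Z"
    "Dec 31 18:32:04.073: %CERT_MGR_ERRMSG-3-CERT_VALIDATION_ERR: Chassis 1 R0/0: "
    "wncd: Certificate Validation Error, Cert validation "
    "status:pki_ssl_status@pki_ssl_status:PKI_SSL_ERROR"
    "Dec 31 18:32:04.073: %DTLS_TRACE_MSG-3-WLC_DTLS_ERR: Chassis 1 R0/0: wncd: "
    "DTLS Error, session:9.10.30.117[5256] MAC: 70db.9888.cc20, Certificate "
    "validation failed"
)

# Every IOS XE syslog message opens with "Mon DD HH:MM:SS.mmm: %FACILITY-SEV-MNEMONIC:".
HEADER = re.compile(
    r"([A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d\.\d{3}): %([A-Z0-9_]+-(\d)-[A-Z0-9_]+):"
)
SERIAL = re.compile(r"\(SN: ([0-9A-Fa-f]+)\)")
NOT_AFTER = re.compile(r"Validity period ended on (\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ)")
SESSION = re.compile(
    r"session:(\d{1,3}(?:\.\d{1,3}){3})\[\d+\] MAC: ([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})"
)


@dataclass
class CertEvent:
    timestamp: str
    mnemonic: str
    severity: int
    text: str
    serial: Optional[str] = None
    not_after: Optional[datetime] = None
    peer_ip: Optional[str] = None
    peer_mac: Optional[str] = None


def split_messages(log: str) -> list[str]:
    """Cut a run-together log into one string per syslog message."""
    starts = [m.start() for m in HEADER.finditer(log)]
    ends = starts[1:] + [len(log)]
    return [log[s:e].strip() for s, e in zip(starts, ends)]


def parse_message(msg: str) -> Optional[CertEvent]:
    """Extract the fields useful for triage; returns None for non-syslog text."""
    head = HEADER.match(msg)
    if not head:
        return None
    ev = CertEvent(timestamp=head.group(1), mnemonic=head.group(2),
                   severity=int(head.group(3)), text=msg)
    if m := SERIAL.search(msg):
        ev.serial = m.group(1).upper()
    if m := NOT_AFTER.search(msg):
        # The trailing "Z" means UTC; keep the datetime timezone-aware.
        ev.not_after = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(
            tzinfo=timezone.utc)
    if m := SESSION.search(msg):
        ev.peer_ip, ev.peer_mac = m.group(1), m.group(2)
    return ev


def triage(log: str, now: datetime) -> dict:
    """Correlate the PKI and DTLS messages of one join attempt into one record."""
    events = [e for e in map(parse_message, split_messages(log)) if e]
    record = {"messages": len(events), "serial": None, "not_after": None,
              "peer_ip": None, "peer_mac": None, "expired_per_clock": None}
    for ev in events:
        if ev.serial:
            record["serial"] = ev.serial
        if ev.not_after:
            record["not_after"] = ev.not_after
            # Compare against the caller's clock. If the controller says
            # "expired" while the date is still in the future, check the
            # controller's own clock/NTP before relaxing certificate policy.
            record["expired_per_clock"] = ev.not_after < now
        if ev.peer_ip:
            record["peer_ip"], record["peer_mac"] = ev.peer_ip, ev.peer_mac
    return record


if __name__ == "__main__":
    print(triage(SAMPLE_LOG, datetime.now(timezone.utc)))
```

Run it against a pasted log and the record tells you which AP (IP and MAC) presented which certificate (serial) and when that certificate stopped being valid. The `expired_per_clock` field is deliberately computed from a clock you pass in rather than trusted from the message text: certificate validity is judged against the controller's clock, so a disagreement between the log's verdict and wall-clock time is itself a finding worth resolving before the trustpool policy is relaxed.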
Recommended Solution:
Allow APs to join with expired certificates by configuring a certificate map and matching it under the trustpool policy.
1. Create a certificate map and add the rules.
Device#configure terminal
Device(config)#crypto pki certificate map map1 1
Device(ca-certificate-map)#issuer-name co (issuer-name of AP/mobility peer's cert)
Example:
Device#configure terminal
Device(config)#crypto pki certificate map map1 1
Device(ca-certificate-map)#issuer-name co Cisco Manufacturing CA
2. Add a second rule to the map for the ACT2 SUDI CA issuer, then allow this certificate map to accept expired certificates under the trustpool policy.
Device#configure terminal
Device(config)#crypto pki certificate map map1 2
Device(ca-certificate-map)#issuer-name co act2 sudi ca
Device#configure terminal
Device(config)#crypto pki trustpool policy
Device(ca-trustpool)#match certificate map1 allow expired-certificate
Table 1: Additional Debug Commands

Command                          Description
debug crypto pki validation      Displays debugging messages related to public key infrastructure (PKI) path validation.
debug crypto pki transactions    Displays debugging messages related to public key infrastructure (PKI) certificates.
debug crypto ssl dtls events     Displays debugging messages related to encrypted SSL packets for DTLS events.
debug crypto ssl dtls errors     Displays debugging messages related to encrypted SSL packets for DTLS errors.
debug crypto ssl dtls packets    Displays debugging messages related to encrypted SSL packets for DTLS packet dumps.
Troubleshoot Common Issues for Certificate Configuration