Troubleshoot Common Issues for Certificate

Configuration

The following lists the common problems and resolution related to certificates. If your solution is not listed

here, use the commands listed below to debug further.

Configuring the CA server "Failure Reason: Time has not been set. Cannot start the Certificate Server "

Possible Cause

Clock is not set on the controller.

Recommended Solution

Set the clock on 9800 using the command.

Error message “This certificate is not trusted”

Possible Cause

Missing entries in certificate chain.

Recommended Solution:

Build a chain of certificates beginning with the certificate of the CA that issued the controller certificate on

the controller. Include all the CA certificates and place the trusted CA certificate on top. You must place the

entire chain in the same file. This means your file contains content such as this example:

--- BEGIN CERTIFICATE ---

*device certificate*

--- END CERTIFICATE ---

*Root CA certificate*

--- END CERTIFICATE ---

Trying to import a PKCS12 certificate which is missing the CA

Possible Cause

The pfx file might not contain the entire chain.

Recommended Solution:

Use the command to troubleshoot certificate issues.

Device#debug crypto pki transactions

1. Export the private key out.

openssl pkcs12 -in <pkcs12 file> -out cert.key -nocerts -nodes

openssl pkcs12 -export -out fixedcertchain.pfx -inkey cert.key -in certificate.pem -

certfile CA.pem

5. Import the “fixedcertchain” to the Catalyst 9800. You must place the entire chain in the same file. This

means your file will contain content as below.

--- BEGIN CERTIFICATE ---

*device certificate*

--- END CERTIFICATE ---

--- BEGIN CERTIFICATE---

*intermediate CA certificate*

--- END CERTIFICATE ---

Certificate validity date or isssuer details is incorrect.

Recommended Solution:

Check details using

Device#show crypto pki certificates <cert-name>

Certificate

Status: Available

Certificate Serial Number (hex): 00A2020356CF31C818 Certificate Usage: General Purpose

Issuer:

cn=CA-KCG-lab

Name: *.lab-kcg.com

cn=*.lab-kcg.com

ou=lab-mex-wireless

o=mex-wireless

l=Benito Juarez

st=CDMX

c=MX

Validity Date:

start date: 17:14:54 UTC Feb 15 2018

end date: 17:14:54 UTC Mar 11 2023

In case the AP cannot join the controller, you can verify the if the trustpoint is corrrect

Physical controllers

show wireless management trustpoint

Trustpoint Name : CISCO_IDEVID_SUDI

Certificate Info : Available

Certificate Type : MIC

Private key Info : Available

FIPS suitability : Not Applicable

Virtual controllers

show wireless management trustpoint

FIPS suitability : Not Applicable

If required, remove the wireless management trustpoint for the controller to fall back on the SUDI trustpoint

using the following command in the global configuration mode.

Device(config)#no wireless management trustpoint

Syslog Error message

Dec 31 18:32:04.072: %PKI-3-CERTIFICATE_INVALID_EXPIRED: Certificate chain

validation has failed. The certificate (SN: 0159BC17) has expired. Validity

period ended on 2027-02-23T22:32:59ZDec 31 18:32:04.073:

%CERT_MGR_ERRMSG-3-CERT_VALIDATION_ERR: Chassis 1 R0/0: wncd: Certificate

Validation Error, Cert validation

Recommended Solution:

Allow APs to join with expired certificates by configuring policy maps

1. Create a certificate map and add the rules.

Device#configure terminal

Device(config)#crypto pki certificate map map1 1

Device(config)issuer-name co (issuer-name of AP/mobility peer's cert)

Example:

Device#configure terminal

Device(config)#crypto pki certificate map map1 1

Device(config)#issuer-name co Cisco Manufacturing CA

Device(config)#match certificate map1 allow expired-certificate