
Locally Significant Certificates

• Information About Locally Significant Certificates (LSC), on page 1
• Provisioning Locally Significant Certificates, on page 3
• Verifying LSC Configuration, on page 12
• Configuring Management TrustPoint to LSC (GUI), on page 12
• Configuring Management TrustPoint to LSC (CLI), on page 13

Information About Locally Significant Certificates (LSC)

This module explains how to configure the Cisco Catalyst 9800 Series Wireless Controller and Lightweight Access Points (LAPs) to use a Locally Significant Certificate (LSC). If you choose Public Key Infrastructure (PKI) with LSC, you can generate the LSC on the APs and on the controller. The certificates are then used to mutually authenticate the controller and the AP.

You can configure a Cisco controller to use an LSC. Use an LSC if you want your own PKI to provide better security, to keep control of your Certificate Authority (CA), and to define policies, restrictions, and usages on the generated certificates.

You need to provision the new LSC certificate on the controller first and then on the Lightweight Access Point (LAP), obtaining both from the Certificate Authority (CA) server.

The LAP communicates with the controller using the CAPWAP protocol. Any request to sign a certificate and to issue the CA certificates for the LAP and for the controller itself must be initiated from the controller. The LAP does not communicate directly with the CA server. The CA server details must be configured on the controller, and the CA server must be reachable from it.

The controller uses the Simple Certificate Enrollment Protocol (SCEP) to forward the certificate requests (certReqs) generated on the devices to the CA, and uses SCEP again to retrieve the signed certificates from the CA.

SCEP is a certificate management protocol that PKI clients and Certificate Authority servers use to support certificate enrollment and revocation. It is widely used in Cisco products and supported by many CA servers. SCEP uses HTTP as the transport protocol for the PKI messages. The primary goal of SCEP is the secure issuance of certificates to network devices. SCEP is capable of many operations, but in this release it is used for the following operations:
• CA and RA Public Key Distribution
• Certificate Enrollment

Locally Significant Certificates


1
Certificate Provisioning on Controllers

The new LSC certificates, both the CA certificate and the device certificate, must be installed on the controller.

With the SCEP protocol, the CA certificates are retrieved from the CA server. At this point there are no certificates on the controller yet, so this is a simple Get operation. The CA certificates are installed on the controller. The same CA certificates are also pushed to the APs when the APs are provisioned with LSCs.

Preventing the Expiry of Manufacturing Installed Certificate

To prevent Manufacturing Installed Certificate (MIC) certificate-expiry failures, configure a policy as shown below:

• Create a certificate map and add the rules.

  configure terminal
  crypto pki certificate map map1 1
  issuer-name co Cisco Manufacturing CA

  Note: You can add more rules and filters under the same map. The rule in the configuration above selects under this map any certificate whose issuer-name contains "Cisco Manufacturing CA" (case insensitive).

• Use the certificate map under the trustpool policy.

  configure terminal
  crypto pki trustpool policy
  match certificate map1 allow expired-certificate

Device Certificate Enrollment Operation

For both the LAP and the controller requesting a CA-signed certificate, the certRequest is sent as a PKCS#10 message. The certRequest contains the Subject Name, the Public Key, and the other attributes to be included in the X.509 certificate, and it is digitally signed by the private key of the requester. It is then sent to the CA, which transforms the certRequest into an X.509 certificate.

A CA that receives a PKCS#10 certRequest requires additional information to authenticate the identity of the requester and to verify that the request is unaltered. PKCS#10 is therefore often combined with other formats, such as PKCS#7, to send and receive the certificate request or response.

Here, the PKCS#10 is wrapped in a PKCS#7 SignedData message. This is supported as part of the SCEP client functionality, and the resulting PKCSReq message is sent to the controller. Upon successful enrollment, both the CA and the device certificates are available on the controller.
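The certRequest described above can be reproduced with standard library code. The following Go program is an added example and not Cisco's implementation: it builds a PKCS#10 request with the subject used later in this module, performs the CA-side signature check, and shows that altering one subject byte makes that check fail. The PKCS#7 SignedData wrapping and the SCEP transport are not modelled, and the function names are the example's own.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
)

// BuildCertRequest builds the PKCS#10 certRequest a device submits: subject name plus
// public key, signed with the requester's private key (subject from this module's example).
func BuildCertRequest(key *rsa.PrivateKey) ([]byte, error) {
	tmpl := &x509.CertificateRequest{
		Subject: pkix.Name{Country: []string{"IN"}, Province: []string{"KA"},
			Locality: []string{"Bengaluru"}, Organization: []string{"Cisco"},
			CommonName: "eagle-eye"},
		SignatureAlgorithm: x509.SHA256WithRSA,
	}
	return x509.CreateCertificateRequest(rand.Reader, tmpl, key)
}

// CheckCertRequest is the receiving CA's check: parse the DER and verify the signature
// over CertificationRequestInfo, proving key possession and that nothing was altered.
func CheckCertRequest(der []byte) (*x509.CertificateRequest, error) {
	csr, err := x509.ParseCertificateRequest(der)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, err
	}
	return csr, nil
}

// RunEnrollmentDemo generates a 2048-bit key (the modulus used in this module), builds and
// checks a request, then alters one subject byte and returns the error the CA check raises.
func RunEnrollmentDemo() (subject pkix.Name, keyBits int, tamperErr error, err error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return
	}
	der, err := BuildCertRequest(key)
	if err != nil {
		return
	}
	csr, err := CheckCertRequest(der)
	if err != nil {
		return
	}
	subject, keyBits = csr.Subject, csr.PublicKey.(*rsa.PublicKey).N.BitLen()
	// Same length, so the DER still parses; only the signed content changed.
	altered := bytes.Replace(der, []byte("Bengaluru"), []byte("Bengalurx"), 1)
	_, tamperErr = CheckCertRequest(altered)
	return
}

func main() {
	subject, bits, tamperErr, err := RunEnrollmentDemo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("subject=%s key=%d bits\naltered request rejected: %v\n", subject, bits, tamperErr)
}
```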

Certificate Provisioning on Lightweight Access Point

To provision a new certificate on the LAP while it is in CAPWAP mode, the LAP must be able to obtain the newly signed X.509 certificate. To do this, it sends a certRequest to the controller, which acts as a CA proxy and obtains the certRequest signed by the CA on behalf of the LAP.

The certReq and the certResponses are sent to the LAP in LWAPP payloads.

Both the LSC CA certificate and the LAP device certificate are installed on the LAP, and the LAP then reboots itself. The next time it comes up, because it is configured to use LSCs, the AP sends the LSC device certificate to the controller as part of the JOIN Request. As part of the JOIN Response, the controller sends its new device certificate and also validates the inbound LAP certificate against the new CA root certificate.

Note: The LSC is supported on the controller and on all Cisco Aironet Access Points. Also, the LSC is enabled on the controller (GUI and CLI).

What to Do Next

To configure, authorize, and manage certificate enrollment with your existing PKI infrastructure for the controller and the APs, use LSC provisioning.

Provisioning Locally Significant Certificates

Configuring RSA Key for PKI Trustpoint

Procedure

Step 1: configure terminal
  Purpose: Enters global configuration mode.
  Example:
  Device# configure terminal

Step 2: crypto key generate rsa exportable general-keys modulus key_size label RSA_key
  Purpose: Configures the RSA key for the PKI trustpoint.
  • For key_size, enter the size of the key modulus. The valid range is from 360 to 4096.
  • For RSA_key, enter the RSA key pair label.
  Example:
  Device(config)# crypto key generate rsa exportable general-keys modulus 2048 label ewlc-tp1

Step 3: end
  Purpose: Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.
  Example:
  Device(config)# end

Configuring PKI TrustPoint Parameters

Procedure

Step 1: configure terminal
  Purpose: Enters global configuration mode.
  Example:
  Device# configure terminal

Step 2: crypto pki trustpoint trustpoint_name
  Purpose: Creates a new trustpoint for an external CA server. Here, trustpoint_name refers to the trustpoint name.
  Example:
  Device(config)# crypto pki trustpoint microsoft-ca

Step 3: enrollment url HTTP_URL
  Purpose: Enrolls the trustpoint using the trustpoint enrollment parameters.
  Example:
  Device(ca-trustpoint)# enrollment url http://CA_server/certsrv/mscep/mscep.dll

Step 4: subject-name subject_name
  Purpose: Creates the subject name parameters for the trustpoint.
  Example:
  Device(ca-trustpoint)# subject-name C=IN, ST=KA, L=Bengaluru, O=Cisco, CN=eagle-eye/[email protected]

Step 5: rsakeypair RSA_key key_size
  Purpose: Maps the RSA key to the trustpoint.
  • RSA_key refers to the RSA key pair label.
  • key_size refers to the signature key length. The range is from 360 to 4096.
  Example:
  Device(ca-trustpoint)# rsakeypair ewlc-tp1

Step 6: revocation {crl | none | ocsp}
  Purpose: Checks revocation.
  Example:
  Device(ca-trustpoint)# revocation none

Step 7: end
  Purpose: Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.
  Example:
  Device(ca-trustpoint)# end

Authenticating and Enrolling the PKI TrustPoint with CA Server (GUI)

Procedure

Step 1 Choose Configuration > Security > PKI Management.
Step 2 In the Trustpoint section, click Add.
Step 3 Enter a trustpoint label and enrollment URL.
Step 4 Check the Authenticate check box to authenticate the trustpoint label.
Step 5 In the Subject Name section, enter the country code, state, location, organisation, domain name, and email address.
Step 6 Check the Key Generated check box to view the available RSA keypairs. You can choose from the Available RSA Keypairs drop-down list.
Step 7 Check the Enroll Trustpoint check box, and enter the password and confirm the same as well.
Step 8 Click Save & Apply to Device.

Authenticating and Enrolling the PKI TrustPoint with CA Server (CLI)

Procedure

Step 1: configure terminal
  Purpose: Enters global configuration mode.
  Example:
  Device# configure terminal

Step 2: crypto pki authenticate trustpoint_name
  Purpose: Fetches the CA certificate.
  Example:
  Device(config)# crypto pki authenticate microsoft-ca

Step 3: yes
  Example:
  Device(config)# % Do you accept this certificate? [yes/no]: yes
  Trustpoint CA certificate accepted.

Step 4: crypto pki enroll trustpoint_name
  Purpose: Enrolls for the client certificate.
  Example:
  Device(config)# crypto pki enroll microsoft-ca
  %
  % Start certificate enrollment ..
  % Create a challenge password. You will need to verbally provide this
  password to the CA Administrator in order to revoke your certificate.
  For security reasons your password will not be saved in the configuration.
  Please make a note of it.

Step 5: password
  Purpose: Enter any password.
  Example:
  Device(config)# abcd123

Step 6: password
  Purpose: Re-enter the password.
  Example:
  Device(config)# abcd123

Step 7: yes
  Example:
  Device(config)# % Include the router serial number in the subject name? [yes/no]: yes

Step 8: no
  Example:
  Device(config)# % Include an IP address in the subject name? [no]: no

Step 9: yes
  Example:
  Device(config)# Request certificate from CA? [yes/no]: yes
  % Certificate request sent to Certificate Authority
  % The 'show crypto pki certificate verbose client' command will show the fingerprint.

Step 10: end
  Purpose: Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.
  Example:
  Device(config)# end

Configuring AP Join Attempts with LSC Certificate (GUI)

Procedure

Step 1 Choose Configuration > Wireless > Access Points.
Step 2 On the All Access Points page, click the LSC Provision name.
Step 3 Use the Status drop-down to enable LSC.
Step 4 Use the Trustpoint Name drop-down to search or select the trustpoint.
Step 5 In the Number of Join Attempts field, enter the retry attempts.
Step 6 Click Apply.

Configuring AP Join Attempts with LSC Certificate (CLI)

Procedure

Step 1: configure terminal
  Purpose: Enters global configuration mode.
  Example:
  Device# configure terminal

Step 2: ap lsc-provision join-attempt number_of_attempts
  Purpose: Specifies the number of AP join attempts with the newly provisioned LSC certificate. When the number of AP join attempts exceeds the specified limit, the AP joins back with the MIC certificate.
  Example:
  Device(config)# ap lsc-provision join-attempt 10

Step 3: end
  Purpose: Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.
  Example:
  Device(config)# end

Configuring Subject-Name Parameters in LSC Certificate

Procedure

Step 1: configure terminal
  Purpose: Enters global configuration mode.
  Example:
  Device# configure terminal

Step 2: ap lsc-provision subject-name-parameter country country-str state state-str city city-str domain domain-str org org-str email-address email-addr-str
  Purpose: Specifies the attributes to be included in the subject-name of the certificate request generated by an AP.
  Example:
  Device(config)# ap lsc-provision subject-name-parameter country India state Karnataka city Bangalore domain domain1 org Right email-address [email protected]

Step 3: end
  Purpose: Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.
  Example:
  Device(config)# end

Configuring Key Size for LSC Certificate

Procedure

Step 1: configure terminal
  Purpose: Enters global configuration mode.
  Example:
  Device# configure terminal

Step 2: ap lsc-provision key-size {1024 | 2048}
  Purpose: Specifies the size of the keys to be generated for the LSC certificate on the AP.
  Example:
  Device(config)# ap lsc-provision key-size 1024

Step 3: end
  Purpose: Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.
  Example:
  Device(config)# end

Configuring TrustPoint for LSC Provisioning on Access Point

Procedure

Step 1: configure terminal
  Purpose: Enters global configuration mode.
  Example:
  Device# configure terminal

Step 2: ap lsc-provision trustpoint tp-name
  Purpose: Specifies the trustpoint with which the LSC is provisioned to the AP. Here, tp-name refers to the trustpoint name.
  Example:
  Device(config)# ap lsc-provision trustpoint microsoft-ca

Step 3: end
  Purpose: Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.
  Example:
  Device(config)# end

Configuring AP LSC Provision List (GUI)


Procedure

Step 1 Choose Configuration > Wireless > Access Points.
Step 2 On the All Access Points page, click the LSC Provision name.
Step 3 Use the Status drop-down to enable LSC.
Step 4 Use the Trustpoint Name drop-down to search or select the trustpoint.
Step 5 In the Number of Join Attempts field, enter the retry attempts.
Step 6 Use the Key Size drop-down to select the key.
Step 7
Step 8 In the Edit AP Join Profile window, click the CAPWAP tab.
Step 9 In the Add APs to LSC Provision List section, use the Select File option to upload a CSV file that contains
AP details. After selecting the file, click Upload File.
Step 10 You can also use the AP MAC Address field to search for APs using the MAC address and add them. The
APs added to the provision list are displayed in the APs in provision List list-box.
Step 11 In the Subject Name Parameters section, enter the following details:
• Country
• State
• City
• Organisation
• Department
• Email Address

Step 12 Click Apply.

Configuring AP LSC Provision List (CLI)

Procedure

Step 1: configure terminal
  Purpose: Enters global configuration mode.
  Example:
  Device# configure terminal

Step 2: [no] ap lsc-provision mac-address mac-addr
  Purpose: Adds the access point to the LSC provision list.
  Note: You can provision a list of APs using the ap lsc-provision provision-list command, or you can provision all APs using the ap lsc-provision command.
  Example:
  Device(config)# no ap lsc-provision mac-address 001b.3400.02f0

Step 3: end
  Purpose: Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.
  Example:
  Device(config)# end

Configuring LSC Provisioning for all Access Points (GUI)

Procedure

Step 1 Choose Configuration > Wireless > Access Points.
Step 2 On the Access Points page, expand the LSC Provision section.
Step 3 Set the Status to Enabled state.
  If you set the Status to Provision List, the LSC provisioning will be configured only for APs that are part of the provision list.
Step 4 From the Trustpoint Name drop-down list, select the appropriate trustpoint for all APs.
Step 5 In the Number of Join Attempts field, enter the number of retry attempts that the APs can make to join the controller.
Step 6 From the Key Size drop-down list, select the appropriate key size of the certificate from the following options:
  • 2048
  • 3072
  • 4096
Step 7 In the Add APs to LSC Provision List section, click the Select File option to upload a CSV file that contains the AP details. After selecting the file, click Upload File.
Step 8 In the AP MAC Address field, enter the AP MAC address to search for APs and add them. The APs added to the provision list are displayed in the APs in Provision List section.
Step 9 In the Subject Name Parameters section, enter the following details:
  a. Country
  b. State
  c. City
  d. Organization
  e. Department
  f. Email Address
Step 10 Click Apply.

Configuring LSC Provisioning for all Access Points (CLI)

Procedure

Step 1: configure terminal
  Purpose: Enters global configuration mode.
  Example:
  Device# configure terminal

Step 2: [no] ap lsc-provision
  Purpose: Enables LSC provisioning for all access points. By default, LSC provisioning is disabled for all APs.
  Example:
  Device(config)# no ap lsc-provision

Step 3: end
  Purpose: Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.
  Example:
  Device(config)# end

Configuring LSC Provisioning for Access Points in Provision List

Procedure

Step 1: configure terminal
  Purpose: Enters global configuration mode.
  Example:
  Device# configure terminal

Step 2: ap lsc-provision provision-list
  Purpose: Enables LSC provisioning for the set of access points configured in the provision list.
  Example:
  Device(config)# ap lsc-provision provision-list

Step 3: end
  Purpose: Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.
  Example:
  Device(config)# end

Verifying LSC Configuration

To view details of the wireless management trustpoint, use the following command:

Device# show wireless management trustpoint

Trustpoint Name : microsoft-ca
Certificate Info : Available
Certificate Type : LSC
Certificate Hash : 9e5623adba5307facf778e6ea2f5082877ea4beb
Private key Info : Available

To view the LSC-provision related configuration details for an AP, use the following command:

Device# show ap lsc-provision summary

AP LSC-provisioning : Disabled
Trustpoint used for LSC-provisioning : microsoft-ca
LSC Revert Count in AP reboots : 10

AP LSC Parameters :
Country : IN
State : KA
City : BLR
Orgn : ABC
Dept : ABC
Email : [email protected]
Key Size : 2048

AP LSC-provision List : Enabled
Total number of APs in provision list: 3

Mac Address
-----------
0038.df24.5fd0
2c5a.0f22.d4ca
e4c7.22cd.b74f
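The summary output above can be checked automatically rather than read by eye. The following Go program is an added example, not part of this Cisco module: it parses a constructed copy of the show ap lsc-provision summary output and flags the states a reviewer would want to catch, namely LSC provisioning disabled for all APs and for the provision list (APs keep joining with the MIC), no trustpoint bound, a key size below 2048 bits, and a provision-list count that disagrees with the MACs listed. The field names come from the output above; the audit thresholds are the example's own assumptions.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// SampleSummary is a constructed excerpt of the "show ap lsc-provision summary" output in this module.
const SampleSummary = `AP LSC-provisioning : Disabled
Trustpoint used for LSC-provisioning : microsoft-ca
LSC Revert Count in AP reboots : 10
AP LSC Parameters :
Country : IN
Key Size : 2048
AP LSC-provision List : Enabled
Total number of APs in provision list: 3
Mac Address
-----------
0038.df24.5fd0
2c5a.0f22.d4ca
e4c7.22cd.b74f`

// ParseLSCSummary splits the output into "Key : Value" fields and the
// provision-list MAC table (bare xxxx.xxxx.xxxx lines); other lines are skipped.
func ParseLSCSummary(out string) (fields map[string]string, macs []string) {
	fields = map[string]string{}
	for _, raw := range strings.Split(out, "\n") {
		line := strings.TrimSpace(raw)
		if len(line) == 14 && line[4] == '.' && line[9] == '.' {
			macs = append(macs, line)
		} else if k, v, ok := strings.Cut(line, ":"); ok {
			fields[strings.TrimSpace(k)] = strings.TrimSpace(v)
		}
	}
	return fields, macs
}

// AuditLSC flags states in which APs keep joining with the MIC, no trustpoint
// backs the LSC, the key would be weak, or the list count disagrees with the MACs.
func AuditLSC(fields map[string]string, macs []string) []string {
	var findings []string
	listMode := fields["AP LSC-provision List"] == "Enabled"
	if fields["AP LSC-provisioning"] != "Enabled" && !listMode {
		findings = append(findings, "LSC provisioning disabled: APs join with the MIC")
	}
	if fields["Trustpoint used for LSC-provisioning"] == "" {
		findings = append(findings, "no trustpoint bound to LSC provisioning")
	}
	if bits, err := strconv.Atoi(fields["Key Size"]); err != nil || bits < 2048 {
		findings = append(findings, "LSC key size missing or below 2048 bits: "+fields["Key Size"])
	}
	n, _ := strconv.Atoi(fields["Total number of APs in provision list"])
	if listMode && n != len(macs) {
		findings = append(findings, fmt.Sprintf("provision list count %d but %d MACs listed", n, len(macs)))
	}
	return findings
}

func main() {
	fields, macs := ParseLSCSummary(SampleSummary)
	fmt.Printf("trustpoint=%s key=%s macs=%d\nfindings: %v\n",
		fields["Trustpoint used for LSC-provisioning"], fields["Key Size"], len(macs), AuditLSC(fields, macs))
}
```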

Configuring Management TrustPoint to LSC (GUI)


Procedure

Step 1 Choose Administration > Management > HTTP/HTTPS.
Step 2 In the HTTP Trust Point Configuration section, set the Enable Trust Point field to Enabled state.
Step 3 From the Trust Points drop-down list, choose the appropriate trust point.
Step 4 Save the configuration.

Configuring Management TrustPoint to LSC (CLI)

After LSC provisioning, the APs reboot automatically and join in LSC mode after bootup. Similarly, when the AP LSC provisioning is removed, the APs reboot and join in non-LSC mode.

Procedure

Step 1: configure terminal
  Purpose: Enters global configuration mode.
  Example:
  Device# configure terminal

Step 2: wireless management trustpoint trustpoint_name
  Purpose: Configures the management trustpoint to LSC.
  Example:
  Device(config)# wireless management trustpoint microsoft-ca

Step 3: end
  Purpose: Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.
  Example:
  Device(config)# end
