Buy or Renew
Buy or Renew
Cisco DNA Center is now Catalyst Center. New name, same great product. Learn more about Catalyst Center here.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
498
Views
0
Helpful
6
Replies

Certificate install issue WLC DNA

Go to solution
glsparks
Level 1
Level 1

‎02-09-2024 07:05 AM

For some reason one of our pair of WLC 9800 will not accept DNAC-CA certificate.

A sync or push of telemetry from DNA fails. All our other devices are fine.

If we try a CLI import of the certificate we get this:

Trustpoint 'DNAC-CA' is a subordinate CA.
Authentication failed - could not validate certificate
% Error in saving certificate: status = FAIL

Any ideas why this is happening on this one device?

Labels:
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
glsparks
Level 1
Level 1

‎02-13-2024 12:29 AM

Finally figured this out after some extensive debugging. Basically it was two issues. The WLC was unable to do a Certificate Revocation check and the full cert chain was not in the cert being uploaded. Once they were addressed it uploaded fine.

View solution in original post

0 Helpful

Go to solution
glsparks
Level 1
Level 1
In response to Captain82

‎04-25-2024 12:04 AM

As I recall it i deleted the existing trustpoint DNAC-CA.

Recreated it with the line "revocation-check crl none" e.g.

crypto pki trustpoint DNAC-CA
enrollment mode ra
enrollment terminal
usage ssl-client
revocation-check crl none
source interface GigabitEthernet0

 

Then manually imported the full cert chain.

DNA error then cleared and telemetry came in.

View solution in original post

0 Helpful
6 Replies 6

Go to solution
rasmus.elmholt
Level 7
Level 7

‎02-12-2024 02:18 AM

Do you have port http/80 open from the WLC to the DNAC?

0 Helpful

Go to solution
glsparks
Level 1
Level 1
In response to rasmus.elmholt

‎02-12-2024 02:48 AM

Yes the port is open. A debug isn't giving anything useful either unfortunately.

0 Helpful

Go to solution
LC.IT
Level 1
Level 1

‎02-12-2024 05:28 PM

Did you configure default aaa methods for authentication and authorization on C9800?

aaa authentication login default local (or group)
aaa authorization exec default local (or group)

0 Helpful

Go to solution
glsparks
Level 1
Level 1

‎02-13-2024 12:29 AM

Finally figured this out after some extensive debugging. Basically it was two issues. The WLC was unable to do a Certificate Revocation check and the full cert chain was not in the cert being uploaded. Once they were addressed it uploaded fine.

0 Helpful

Go to solution
Captain82
Level 1
Level 1
In response to glsparks

‎04-24-2024 05:07 PM

How did you address/fix those issues?

0 Helpful

Go to solution
glsparks
Level 1
Level 1
In response to Captain82

‎04-25-2024 12:04 AM

As I recall it i deleted the existing trustpoint DNAC-CA.

Recreated it with the line "revocation-check crl none" e.g.

crypto pki trustpoint DNAC-CA
enrollment mode ra
enrollment terminal
usage ssl-client
revocation-check crl none
source interface GigabitEthernet0

 

Then manually imported the full cert chain.

DNA error then cleared and telemetry came in.

0 Helpful
Customers Also Viewed These Support Documents