How to Install SSL Certificate to Cisco WLC 9800
SSL certificates are essential for securing HTTPS connections on Cisco WLC 9800. They are also needed if you plan on using a captive portal solution like Spotipo with your WLC 9800 controller. This guide will walk you through the process of generating a .p12 certificate and installing it on the WLC 9800.
Prerequisites
Before you begin, ensure you have the following files from your Certificate Authority (CA) for your domain:
Private Key: private.key
Server Certificate: servercert.crt
Certificate Chain (Intermediate & Root Certificates): bundle.ca-bundle
If your CA provides separate intermediate and root certificates, you can concatenate them into a single bundle:
cat intermediate.crt root.crt > bundle.ca-bundle
Ideally, this should be done with a wildcard certificate (*.domain.com), so that you can use multiple DNS entries for your virtual host names if needed (this is usually required for external captive portal solutions like Spotipo).
Installing OpenSSL
**Windows:**
Download OpenSSL from the following link and install it:
https://slproweb.com/products/Win32OpenSSL.html
**Linux (Ubuntu/Debian):**
Install OpenSSL using the following command:
sudo apt update && sudo apt install openssl -y
Exporting the Certificate as a .p12 File
The easiest way to import a certificate to Cisco WLC 9800 is by creating one in a PKCS#12 (.p12) format. Use OpenSSL to convert your certificates:
Note: Run the OpenSSL commands from the folder that contains the files. Change to it first with the cd command, for example cd /example/folder/.
openssl pkcs12 -export \
-inkey private.key \
-in servercert.crt \
-certfile bundle.ca-bundle \
-legacy \
-aes256 \
-out servercert.p12
Both the -legacy and -aes256 options are required, as that is the only way the certificate will be accepted by the WLC.
When prompted, enter a strong export password (this will be required during the WLC import step).
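A pre-flight check worth running on the three input files before the export (an added example, not part of the original guide): it confirms that the private key belongs to the server certificate, that the bundle alone completes the chain, and that the certificate has not expired. The function name `preflight_check` and its return codes are this example's own; the file names are the ones used above.

```shell
#!/bin/sh
# Added example: sanity-check the PEM inputs before `openssl pkcs12 -export`.
# Return codes (chosen for this example):
#   0 = all checks passed      1 = private key does not match certificate
#   2 = chain does not verify  3 = certificate has expired

preflight_check() {
    key=$1
    cert=$2
    bundle=$3

    # 1. The public key derived from the private key must equal the public
    #    key embedded in the server certificate.
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    if [ -z "$key_pub" ] || [ "$key_pub" != "$cert_pub" ]; then
        echo "FAIL: $key does not match $cert" >&2
        return 1
    fi

    # 2. The server certificate must chain to a root using only the bundle.
    #    -no-CApath keeps the system trust directory out of the result, so a
    #    bundle missing an intermediate or the root is reported here rather
    #    than at import time.
    if ! openssl verify -no-CApath -CAfile "$bundle" "$cert" >/dev/null 2>&1; then
        echo "FAIL: $cert does not verify against $bundle" >&2
        return 2
    fi

    # 3. The certificate must still be valid (-checkend 0 = valid right now).
    if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1; then
        echo "FAIL: $cert has expired" >&2
        return 3
    fi

    echo "OK: key, certificate and chain are consistent"
    return 0
}

# Run directly as: sh preflight.sh private.key servercert.crt bundle.ca-bundle
if [ "$#" -eq 3 ]; then
    preflight_check "$@"
fi
```

A non-zero result means the .p12 would be built from inconsistent inputs, so fix the files before exporting and uploading.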
Installing the Certificate on Cisco WLC 9800
Once you have the .p12 file, follow these steps to upload and configure it on the Cisco WLC:
**1. Upload the Certificate to the WLC**
Navigate to WLC Web UI → Configuration → Security → PKI Management
Click Add Certificate menu
Select Import PKCS12 Certificate
Select Transport Type as Desktop HTTPS if the file is located on your local machine (we will use that as an example)
Upload the .p12 file and enter the export password from the OpenSSL step
Click Import
If everything was imported correctly, then you should get a green checkmark.


**2.1. Assign the Certificate to Web Admin**
Go to Administration → Management → HTTP/HTTPS/Netconf/VTY
Under Trust Points, select the newly imported certificate.

**2.2. Assign the Certificate to Web Auth (if using Spotipo or other Captive portals)**
Go to Configuration → Security → Web Auth
Select Global policy, even if not using it directly for your Captive portal
Under Trustpoint, select the newly imported certificate


**3. Verify Installation**
After installing the certificate, test it:
Access the WLC web interface over HTTPS and check for any certificate warnings.
Integrating Spotipo with Cisco WLC 9800
Spotipo is one of the few captive portal providers that fully support Cisco WLC 9800, ensuring a seamless and secure Wi-Fi onboarding experience for users.
For a step-by-step guide on setting up Spotipo with Cisco WLC, check out our Spotipo & WLC Integration Guide. You can also start a 2-week free trial and explore how Spotipo can enhance your Wi-Fi experience.
Updated on: 11/03/2025