Configuring the sub-CA

The following section describes how to set up a sub-CA on a WLC. These steps assume that the device has been reset, that you have commissioned the device in the standard manner, and that you have set the correct time.

  1. Log in to your device via WEBconfig or the command line.
  2. Navigate to the menu Setup > Certificates > SCEP-CA and set the parameter Root-CA to No.
  3. Navigate to the menu Setup > Certificates > SCEP-CA > CA-Certificates. Customize the name of the certificate authority (CA) and the registration authority (RA) with the parameters CA-Distinguished-Name and RA-Distinguished-Name.

    Example: /CN=WLC-SUB CA/O=LANCOM SYSTEMS/C=DE

  4. Switch to the menu Setup > Certificates > SCEP-CA > Sub-CA and enter the distinguished name of the root-CA under the parameter CADN.

    Example: /CN=WLC-MAIN CA/O=LANCOM SYSTEMS/C=DE

  5. For the parameter Challenge-Pwd, enter the challenge password that is stored on WLC-MAIN under Setup > Certificates > SCEP-CA.
  6. Enter the URL (address) of the root CA in the CA-Url-address parameter.
    If another WLC with the LCOS operating system provides the root CA, all you need to do is replace the IP address in the default value with the address where the corresponding device is to be reached. Example: http://192.168.1.1/cgi-bin/pkiclient.exe.
  7. Optional: Specify the Ext-Key-Usage and Cert-Key Usage to restrict the functions of the sub-CA. For more information, see the Menu Reference Guide.
  8. Set the parameter Auto-generated-request to Yes to activate the sub-CA.
  9. Navigate to the menu Setup > Certificates > SCEP-CA and set the parameter Operating to Yes to enable the CA server with SCEP.

You have now completed the configuration of the sub-CA. The command show ca cert on the command line allows you to verify that the WLC has created the certificate correctly. The hierarchy of certificates must be visible here: The WLC first displays the certificate of the root CA and then the certificate of the sub-CA.
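
The following pre-flight check is an added example, not LANCOM code and not part of LCOS. It checks a planned set of sub-CA values for the mistakes that most often break enrollment at the root CA: a CADN that does not match the root CA's name, a sub-CA name identical to the root's, an unusable CA URL, or an empty challenge password. The function names, the dictionary layout, the RA name and the challenge value are assumptions made for the example.

```python
from urllib.parse import urlsplit

def parse_dn(dn):
    """Parse '/CN=WLC-SUB CA/O=LANCOM SYSTEMS/C=DE' into (type, value) pairs.
    Values that themselves contain '/' are not supported by this simple parser."""
    if not dn.startswith("/"):
        raise ValueError(f"DN must start with '/': {dn!r}")
    rdns = []
    for part in dn[1:].split("/"):
        key, sep, value = part.partition("=")
        if not sep or not key.strip() or not value.strip():
            raise ValueError(f"malformed DN component {part!r} in {dn!r}")
        rdns.append((key.strip().upper(), value.strip()))
    return rdns

def check_sub_ca(cfg, root_dn):
    """Return a list of problems in the planned sub-CA settings (empty if none)."""
    try:
        ca = parse_dn(cfg["CA-Distinguished-Name"])
        parse_dn(cfg["RA-Distinguished-Name"])  # syntax check only
        cadn = parse_dn(cfg["CADN"])
        root = parse_dn(root_dn)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    if cfg["Root-CA"] != "No":
        problems.append("Root-CA must be No on a sub-CA")
    if cadn != root:
        problems.append("CADN does not match the root CA's distinguished name")
    if ca == root:
        problems.append("sub-CA name equals the root CA name")
    url = urlsplit(cfg["CA-Url-address"])
    if url.scheme not in ("http", "https") or not url.hostname:
        problems.append("CA-Url-address is not an HTTP(S) URL with a host")
    if not cfg["Challenge-Pwd"]:
        problems.append("Challenge-Pwd is empty")
    return problems

# Constructed sample values; the CA DNs and the URL are the examples from the steps above.
ROOT_DN = "/CN=WLC-MAIN CA/O=LANCOM SYSTEMS/C=DE"
PLANNED = {
    "Root-CA": "No",
    "CA-Distinguished-Name": "/CN=WLC-SUB CA/O=LANCOM SYSTEMS/C=DE",
    "RA-Distinguished-Name": "/CN=WLC-SUB RA/O=LANCOM SYSTEMS/C=DE",  # constructed
    "CADN": "/CN=WLC-MAIN CA/O=LANCOM SYSTEMS/C=DE",
    "Challenge-Pwd": "constructed-placeholder",  # not a real password
    "CA-Url-address": "http://192.168.1.1/cgi-bin/pkiclient.exe",
}

if __name__ == "__main__":
    for problem in check_sub_ca(PLANNED, ROOT_DN) or ["no problems found"]:
        print(problem)
```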

www.lancom-systems.com

LANCOM Systems GmbH | A Rohde & Schwarz Company | Adenauerstr. 20/B2 | 52146 Wuerselen | Germany | E‑Mail info@lancom.de
