General
We should not see the certificate error issue, and the AP should be able to join the controller properly without any issues after upgrading to the latest 17.9.3 image.
Symptom
Certificate issues causing DTLS failures may be observed when joining APs to a 9800 using the new CMCA III certificate structure.
AP console error:
display_verify_cert_status: Verify Cert: FAILED at 0 depth: unable to get local issuer certificate
Conditions
The issue is seen in 17.7.1 through 17.9.2.
Workaround
The workaround is to toggle the wireless management trustpoint:
WLC#conf t
WLC(config)#wireless management trustpoint dummy
WLC(config)#no wireless management trustpoint dummy
WLC(config)#end
WLC#
Further Problem Description
From 17.7.1 onwards, the WLC and AP support the SUDI-2099 certificate.
If an AP tries to join from an older version, the WLC identifies that the AP's old version does not support SUDI-2099 and presents the SHA2-2037 SUDI in the DTLS handshake.
There is a race condition during bootup (when IOSd is busy) in which loading the SHA2-2037 certificate in DTLS fails.
Once the 'wireless management trustpoint' configuration is toggled (set, then removed), SUDI certificate loading is retriggered in DTLS.
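As an added example (not part of the bug report and not Cisco's own tooling), the following Python script scans AP console output for the verification failure quoted under Symptom, checks whether the WLC release falls in the affected 17.7.1 through 17.9.2 range, and reports whether the trustpoint toggle workaround applies. The console lines and release strings it runs on are constructed samples, and the release parser assumes dotted numeric releases with an optional letter suffix.

```python
import re
from typing import Iterable, List, Tuple

# Cisco IOS-XE release strings such as "17.9.2" or "17.9.2a" become comparable
# tuples of the numeric parts; a trailing letter suffix is ignored.
def parse_release(release: str) -> Tuple[int, ...]:
    parts = []
    for piece in release.strip().split("."):
        m = re.match(r"\d+", piece)
        if not m:
            raise ValueError(f"unrecognised release component: {piece!r}")
        parts.append(int(m.group()))
    return tuple(parts)

AFFECTED_FIRST = parse_release("17.7.1")   # first affected release per the report
AFFECTED_LAST = parse_release("17.9.2")    # last affected release per the report

def release_is_affected(release: str) -> bool:
    """True when the WLC release lies within 17.7.1 .. 17.9.2 inclusive."""
    return AFFECTED_FIRST <= parse_release(release) <= AFFECTED_LAST

# Matches the AP console line from the report: certificate verification
# failing at some chain depth with an OpenSSL-style reason string.
CERT_FAIL_RE = re.compile(
    r"display_verify_cert_status: Verify Cert: FAILED at (?P<depth>\d+) depth: (?P<reason>.+)$"
)

def find_cert_failures(lines: Iterable[str]) -> List[Tuple[int, int, str]]:
    """Return (line_number, chain_depth, reason) for each verification failure."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = CERT_FAIL_RE.search(line)
        if m:
            hits.append((n, int(m.group("depth")), m.group("reason").strip()))
    return hits

def assess(console_lines: Iterable[str], wlc_release: str) -> str:
    """Map console evidence plus WLC release to a short verdict string."""
    if not find_cert_failures(console_lines):
        return "no-failure"
    if release_is_affected(wlc_release):
        return "affected-release: toggle wireless management trustpoint or upgrade to 17.9.3"
    return "failure-on-unaffected-release: investigate separately"

# Constructed sample of AP console output (not a real capture).
SAMPLE_CONSOLE = [
    "CAPWAP State: DTLS Setup",
    "display_verify_cert_status: Verify Cert: FAILED at 0 depth: unable to get local issuer certificate",
    "DTLS connection closed",
]

if __name__ == "__main__":
    print(find_cert_failures(SAMPLE_CONSOLE))
    print(assess(SAMPLE_CONSOLE, "17.9.1"))
```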