Symptom

Generate and Download CSR Certificates on Catalyst 9800 WLCs document has a missing step which confuses customers: Step 4b : Authenticate multi-level CA Steps are as follow: 9800(config)#crypto pki trustpoint Inter2 <<< This is the trustpoint for the 1st intermediate CA (from top of the chain) 9800(ca-trustpoint)#chain-validation continue RootCA <<< This is the trustpoint created above 9800(config)#crypto pki authenticate Inter2 Fails with "*% You must specify an enrollment URL for this CA before you can authenticate it." Should be: 9800(config)#crypto pki trustpoint Inter2 <<< This is the trustpoint for the 1st intermediate CA (from top of the chain) 9800(ca-trustpoint)#enrollment terminal 9800(ca-trustpoint)#chain-validation continue RootCA <<< This is the trustpoint created above 9800(config)#crypto pki authenticate Inter2

Conditions

WLC 9800 following the configuration guide https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/213917-generate-csr-for-third-party-certificate.html

Workaround

See symptoms for workaround

Further Problem Description