Wireless Access

New Contributor

Certificate error when provisioning AP as RAP

Hello everyone.  I'm trying to configure an AP205H as a RAP using certificate based authentication which is how we've configured every other RAP we own.  We've just recently migrated the master role off our 6000 controllers which is where all our other RAPs were provisioned to 7220s which have been serving as our local controllers.  I keep getting the following error when I attempt to provision the AP. 

"IKE_CUSTOM_useCert server Cert chain for  is invalid"


Both the root and intermediate CA have been installed on the controllers so I'm not sure what cert chain it's complaining about.  The RAP MAC address is in the Whitelist and I've configured and address pool under VPN Services.  I've already looked at several docs to see if I'm missing something incredibly obvious and didn't find anything.  Can anyone provide some guidance?  

Re: Certificate error when provisioning AP as RAP

Are you using a custom cert for RAP authentication (as opposed to the factory shipped cert)? You will also need to configure the RAP to use the cert


(host) (config) #crypto-local isakmp server-certificate

To add the CA certificate to verify the RAP certificate:

(host) (config) #crypto-local isakmp ca-certificate <trusted CA>

Further info can be found here :



If my post addresses your query, give kudos:)
New Contributor

Re: Certificate error when provisioning AP as RAP

I have a custom cert on the WebUI but I haven't configured anything custom for the RAP. 

New Contributor

Re: Certificate error when provisioning AP as RAP

I ended up opening a case with TAC and apparently the TPM cert was corrupt on our controller.

Search Airheads
Showing results for 
Search instead for 
Did you mean: