
Expiring Certificates: How to Prevent Cisco 5508 WLC and AP Disruption

Does your organization have Cisco 5508 Wireless LAN Controllers (WLCs) deployed in its environment? If so, connectivity problems could be on the horizon. With the help of our Network and Security team, let’s explore the root cause of this issue. Then, we can turn to how to prevent it.

The basic rundown goes like this: Cisco APs and WLCs have Manufacturer-Installed Certificates (MICs) that are valid for 10 years. With the default configuration, if either MIC (AP or WLC) is not valid, the APs won’t be able to register to the controller. Care to take a guess when Cisco first began manufacturing the 5508 WLCs? Just a little over ten years ago, back in May 2009.

We actually covered the other side of this problem, involving expiring AP certificates, in a previous post on this blog. However, now it’s the WLCs’ turn. If your WLC MIC is expired, you may have a situation where your APs are working now, but if they were to reboot they wouldn’t be able to join the controller. In other words, they won’t work.

Cisco delivers a workaround: Will it work for you?

The good news is that Cisco has provided a workaround that will allow the AP to ignore the MIC expiration. To implement this workaround, issue the following command:

config ap cert-expiry-ignore mic enable

This allows your APs to join no matter which MIC is expired (AP or WLC). On the downside, there are some situations where this workaround will not be enough. For example:

  1. You have AP models 1800/2800/3800, AND
  2. You are running WLC code prior to 8.5, AND
  3. Your 5508 WLC MIC is expired or about to expire.

In this specific case, the workaround will not work. Those APs require 8.5 code for the workaround. If this is your situation, then upgrade the WLC to 8.5.151.0. Note: As of the time of writing, this is the code we recommend. Once the upgrade is complete, you can configure the workaround. Refer to this Bug ID for more info: https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvb93909/.

If you have legacy APs, such as the 1142 model, and you also meet each of the three conditions above, you’re going to run into a different problem. It’s worth noting that 8.5 may not support legacy APs, forcing you to do one of two things:

  1. Invest in new APs, or
  2. Reach out to Cisco TAC and hope they can provide you with the fix in 8.3 code for your no-longer-supported APs.

Next Steps: Let Arraya help keep your Cisco 5508 APs running

There is one other question we need to address in this post: How can you tell when your WLC MIC will expire? This is a pretty easy one to address. Simply issue the command “show certificate all” and look for the Validity End date for the “Cisco SHA1 device cert.” This will provide you with the info you need to move forward.
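To run that check across several controllers, you can save the output of “show certificate all” to a file and parse it. The following Python is an added example, not code from Arraya or Cisco; the function names are hypothetical, and the sample output layout (field labels and date style) is constructed and assumed, so compare it with what your controller actually prints.

```python
import re
from datetime import datetime, timezone

# Constructed sample. The layout (labels, date style) is an assumption built
# around the fields the post names; the second certificate is a placeholder.
SAMPLE = """\
Certificate Name: Cisco SHA1 device cert
         Validity :
                Start : 2010 Jun 10th, 12:00:00 GMT
                End   : 2020 Jun 10th, 12:00:00 GMT

Certificate Name: Other cert (constructed)
         Validity :
                Start : 2005 Jun 10th, 22:16:01 GMT
                End   : 2029 May 14th, 20:25:42 GMT
"""

def mic_expiry(text, cert_name="Cisco SHA1 device cert"):
    """Return the Validity End of the named certificate as a UTC datetime."""
    # Split into one chunk per certificate so the End date of a
    # neighbouring certificate is never picked up by mistake.
    for chunk in re.split(r"(?m)^\s*Certificate Name\s*:", text)[1:]:
        name, _, body = chunk.partition("\n")
        if name.strip() != cert_name:
            continue
        m = re.search(r"(?m)^\s*End\s*:\s*(.+)$", body)
        if not m:
            raise ValueError(f"no Validity End found for {cert_name!r}")
        # Drop the ordinal suffix ("10th" -> "10"), the comma and the GMT label.
        raw = re.sub(r"(\d+)(st|nd|rd|th)\b", r"\1", m.group(1))
        raw = " ".join(raw.replace(",", " ").replace("GMT", " ").split())
        parsed = datetime.strptime(raw, "%Y %b %d %H:%M:%S")
        return parsed.replace(tzinfo=timezone.utc)
    raise ValueError(f"certificate {cert_name!r} not in output")

def days_until_expiry(text, now=None):
    """Whole days before the WLC MIC expires (negative once it has expired)."""
    now = now or datetime.now(timezone.utc)
    return (mic_expiry(text) - now).days

if __name__ == "__main__":
    left = days_until_expiry(SAMPLE)
    print("WLC MIC expired" if left < 0 else f"WLC MIC expires in {left} days")
```

A negative or small result means the controller belongs on the list for the workaround or the code upgrade described above.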

If you have any questions about APs, WLCs, or any of the topics covered in this post, please reach out to your account manager at Arraya or visit us online at https://www.arrayasolutions.com//contact-us/. Arraya’s Network and Security team can help guide you through this process to make sure you don’t have any AP downtime due to this cert expiry.
