Wanted to use an old 1242 AP in my garage, where 802.11n isn't a concern. Unfortunately, even after doing a factory reset, I could not get it to join the controller. Console logs showed this repeating every minute:

*Feb 2 18:13:54.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.0.0.11 peer_port: 5246
*Feb 2 18:13:54.001: %CAPWAP-5-CHANGED: CAPWAP changed state to 
*Feb 2 18:13:55.303: %DTLS-5-ALERT: Received FATAL : Certificate unknown alert from 10.0.0.11
*Feb 2 18:13:55.303: %CAPWAP-3-ERRORLOG: Bad certificate alert received from peer.
*Feb 2 18:13:55.304: %DTLS-5-PEER_DISCONNECT: Peer 10.0.0.11 has closed connection.
*Feb 2 18:13:55.304: %DTLS-5-SEND_ALERT: Send FATAL : Close not

Googling the error messages pointed to the AP trying to join with an expired certificate.  Sure enough, this was definitely the problem…by about 4 years.

AP0019.e832.0320#show crypto pki certificates 
CA Certificate
 Status: Available
 Certificate Serial Number: 00
 Certificate Usage: General Purpose
 Issuer: 
 ea=support@airespace.com
 cn=ca
 ou=none
 o=airespace Inc
 l=San Jose
 st=California
 c=US
 Subject: 
 ea=support@airespace.com
 cn=ca
 ou=none
 o=airespace Inc
 l=San Jose
 st=California
 c=US
 Validity Date: 
 start date: 23:38:55 UTC Feb 12 2003
 end date: 23:38:55 UTC Nov 11 2012

The quick and dirty solution was to set the WLC (2106 w/ 7.0.252.0) to ignore this:

(Cisco Controller) >config ap lifetime-check mic enable
(Cisco Controller) >config ap lifetime-check ssc enable
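
To spot this before an AP fails to join, the validity window can be checked from saved `show crypto pki certificates` output. The script below is an added example, not part of the original post: the function names are hypothetical, the sample is a trimmed copy of the CA certificate block above, and it assumes the date layout shown in that output.

```python
import re
from datetime import datetime, timezone

# Constructed sample: trimmed copy of the CA certificate block shown above.
SAMPLE = """\
CA Certificate
 Certificate Serial Number: 00
 Subject:
  cn=ca
  o=airespace Inc
 Validity Date:
  start date: 23:38:55 UTC Feb 12 2003
  end date: 23:38:55 UTC Nov 11 2012
"""

DATE_RE = re.compile(
    r"^\s*(start|end)\s+date:\s+(\d\d:\d\d:\d\d) UTC (\w{3}) +(\d{1,2}) (\d{4})\s*$")
HEADER_RE = re.compile(r"^(CA )?Certificate$")

def parse_certs(text):
    """Return one dict per certificate block: name, cn, start, end (UTC)."""
    certs = []
    for raw in text.splitlines():
        line = raw.strip()
        if HEADER_RE.match(line):
            certs.append({"name": line, "cn": None})
        elif certs and line.startswith("cn="):
            certs[-1]["cn"] = line[3:]          # last cn= seen is the Subject
        elif certs and (m := DATE_RE.match(line)):
            ts = datetime.strptime(f"{m[2]} {m[3]} {m[4]} {m[5]}", "%H:%M:%S %b %d %Y")
            certs[-1][m[1]] = ts.replace(tzinfo=timezone.utc)
    return certs

def check_validity(cert, now=None):
    """Return (state, timedelta); state is not-yet-valid, valid or expired."""
    now = now or datetime.now(timezone.utc)
    if now < cert["start"]:
        return "not-yet-valid", cert["start"] - now
    if now > cert["end"]:
        return "expired", now - cert["end"]
    return "valid", cert["end"] - now

if __name__ == "__main__":
    for c in parse_certs(SAMPLE):
        state, delta = check_validity(c)
        print(f"{c['name']} cn={c['cn']}: {state}, {delta.days} days")
```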