SG300-28 import self-signed SHA2 certificate to the SSL Protocol (including the format? How do I?)

1. What format should a certificate and private key combination have during import for use with SSL?

2. How do you actually import it: via the CLI or the web interface?

I'm trying to import a self-signed SSL certificate into the SG300-28 to secure the connection to the web interface of the switch. The certificate is signed by my own 'certification authority' / custom root certificate.

I tried to do it via the graphical interface of web management (security > SSL server > server SSL authentication) and the command-line via SSH. I will detail my exact process below. I had no problem importing a certificate created in the same way to the Cisco RV320 router, although the web interface is different.

How to create a certificate that is accepted by the switch?

(Image Active) firmware version: 1.4.0.88

My approach:

  1. OpenSSL 1.0.1f January 6, 2014; on an Ubuntu 14.04 machine
  2. Create my own self-signed root certificate:

 openssl genrsa -out rootCA.key 2048
 openssl req -x509 -new -nodes -key rootCA.key -days 3650 -out rootCA.pem

3. Create a private key and the real certificate, and sign them using the rootCA.pem:

 openssl genrsa -out switch.key 2048
 openssl req -new -key switch.key -out switch.csr
 openssl x509 -req -in switch.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out switch.crt -days 3500

For later use, export the public key of the switch.key file using

 openssl rsa -in switch.key -pubout > switch.pubkey

4. Open the web interface of the switch and check for the SSL settings (Security > SSL server > server SSL authentication).

4.1 Click "import certificate".

4.2 Paste the contents of the switch.crt file in the 'certificate:' textbox

4.3 Choose to import the RSA key pair

4.4 Paste the contents of the switch.pubkey file in the public key field

4.5 Select the 'Clear text' radio button and paste the contents of switch.pubkey inside

4.6 Click 'apply'.

4.7 Receive an error message 'invalid key head'.

The private key looks like this (obviously, I created a new one for this example):

 -----BEGIN RSA PRIVATE KEY-----
 MIIEpAIBAAKCAQEA3gOvNzKqULXnT7zL9fl4KJAZMo5eYHfwPSN0wl385na37oHz
 [23 more lines truncated]
 aB7Pooa60anjIVJmlSIp4WJ8U+52BMKJZ5rqHnJ1sBBo1zpAtcdspg==
 -----END RSA PRIVATE KEY-----

I also receive an invalid key header error when I try to import the private key via the SSH CLI using:

 switch(config)#crypto key import rsa

I also converted the certificate and the private key to PKCS12 and then back to PEM, which gives me the following private key "head", which is not always accepted when pasting in the CLI:

 Bag Attributes
     localKeyID: FE 24 88 34 66 BE E9 DB CE 4E 91 23 2C 0E 03 B1 A7 58 32 24
 Key Attributes:
 -----BEGIN PRIVATE KEY-----
 MIIEvgIBA[...]
 -----END PRIVATE KEY-----

What key header am I missing / what am I doing wrong in general?

It seems that the 'crypto key import rsa' command is not suitable for importing an SSL-related private key, but rather for importing SSH keys. The code "key header is missing" means that the switch expects something other than "-----BEGIN RSA PRIVATE KEY-----", for example the headers that you can see after executing 'view keys cryptographic rsa' (- START PRIVATE KEY ENCRYPTED SSH2-).

To get your SSL certificate installed, you have two options:

The CLI option:

  • Create an RSA private key with the command

 switch(config)#crypto certificate 2 generate key-generate 1024

  • Create the certificate request with

 switch#crypto certificate 2 request

(don't forget to provide all the information for this command, including 'cn' and so on). Note that this command must be executed in privileged mode and not in configuration mode like the previous command.

  • After you run this command, you'll get a certificate signing request (CSR). Copy and paste it into a new file on the server that hosts your certification authority.
  • Now sign this CSR file with the command that you have already used:

 openssl x509 -req -in switch.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out switch.crt -days 3500

  • After signing, just open the file "switch.crt" and copy all the content between the BEGIN and END lines, including those lines.
  • Import this certificate with the command

 switch(config)#crypto certificate 2 import

  • Finally, to make your certificate active, use the following command:

 switch(config)#ip https certificate 2

WebGUI option:

Here, the procedure is similar to the CLI:

  • You must click on "Generate certificate request" in the "Security-> SSL server-> server SSL authentication" section, fill in all the necessary data and click on "Generate certificate request."
  • You will get CSR data that you need to paste onto the server that holds the CA certificate.
  • Sign the certificate with an openssl command similar to the one mentioned previously
  • and import the certificate while keeping "import RSA Key-Pair" unchecked.

Personally, I've never managed to import both the key and the certificate from the outside.
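
The CA-side part of the CLI procedure above, as an added example that is not part of the original answer: it signs the CSR with an explicit `-sha256` (the thread title asks for SHA2, while the posted signing command names no digest) and runs three checks before the certificate is pasted into `crypto certificate 2 import`. The function names, the `example.test` subjects and the locally generated stand-in CSRs are assumptions; on a real run `switch.csr` is the request printed by the switch.

```shell
#!/bin/sh
# Added example, not from the original thread. File names follow the thread
# (rootCA.pem, rootCA.key, switch.csr, switch.crt); function names are hypothetical.

# Sign a CSR with the private root CA, forcing a SHA-256 (SHA2) signature.
# usage: sign_switch_csr <csr> <ca_cert> <ca_key> <out_crt>
sign_switch_csr() {
    openssl x509 -req -sha256 -in "$1" -CA "$2" -CAkey "$3" \
        -CAcreateserial -out "$4" -days 3500 2>/dev/null
}

# Print a SHA-256 digest of the public key inside a CSR ("req") or a cert ("x509").
pubkey_digest() {
    openssl "$1" -in "$2" -noout -pubkey | openssl dgst -sha256 | awk '{print $NF}'
}

# Pre-import checks; prints "ok" or the name of the first failed check.
# usage: check_issued_cert <csr> <crt> <ca_cert>
check_issued_cert() {
    # 1. The certificate chains to the root CA that clients will be told to trust.
    openssl verify -CAfile "$3" "$2" >/dev/null 2>&1 ||
        { echo "chain-invalid"; return 1; }
    # 2. The signature algorithm really is SHA-256 with RSA.
    openssl x509 -in "$2" -noout -text |
        grep -q 'Signature Algorithm: sha256WithRSAEncryption' ||
        { echo "not-sha256"; return 1; }
    # 3. The certificate carries the public key of this CSR, i.e. of the key pair
    #    that stays on the switch (guards against signing an older, off-box CSR).
    [ "$(pubkey_digest req "$1")" = "$(pubkey_digest x509 "$2")" ] ||
        { echo "pubkey-mismatch"; return 1; }
    echo "ok"
}

# Constructed sample input: a throwaway root CA plus two CSRs. switch.csr stands
# in for the request printed by the switch; other.csr is an unrelated request.
# usage: make_sample <dir>
make_sample() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/CN=Example Root CA" \
        -keyout "$1/rootCA.key" -out "$1/rootCA.pem" 2>/dev/null || return 1
    for n in switch other; do
        openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$n.example.test" \
            -keyout "$1/$n.key" -out "$1/$n.csr" 2>/dev/null || return 1
    done
}

demo() {
    d=$(mktemp -d) || return 1
    make_sample "$d"
    sign_switch_csr "$d/switch.csr" "$d/rootCA.pem" "$d/rootCA.key" "$d/switch.crt"
    echo "CSR from the switch: $(check_issued_cert "$d/switch.csr" "$d/switch.crt" "$d/rootCA.pem")"
    echo "unrelated CSR:       $(check_issued_cert "$d/other.csr" "$d/switch.crt" "$d/rootCA.pem")"
    rm -rf "$d"
}

demo
```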

Tags: Cisco Support

Similar Questions

  • SG300-28 - Firmware 1.2.7.76 with the MAC: how to use the VLAN? (Bugs00131469)

    Hallo,

    can you please explain to me this problem more in detail, please:

    ##################################################################

    Problem: When a port Transceiver allowed tent of to re-authenticate and RADIUS

    attributes no longer target attributes VLAN, re-authentication breaks down and the

    port must become unauthorized. This is not the case, and the port is not.

    (Bugs00131469)

    Solution: Do not delete attributes of VLANS on a RADIUS server or unplug

    network cable and plug it in again to force the failure.

    ##################################################################

    I use dynamic VLAN assignment for the known hosts of my network, based only on MAC authentication. But there are people from other companies who use their own computer, and this computer is not known on my RADIUS server. These people should use the VLAN comments. In general they disconnect the LAN cable from a host that is known on my RADIUS and plug the LAN cable into their laptop (which is not known by the RADIUS server).

    Does this mean that this port will remain in the old VLAN, or will the switch change the port to the guest VLAN?

    And what happens if I reconnect the known computer to this port?

    This feature is very important to me, but I need the functionality of the new firmware RADIUS accounting. So please give me some advice!

    Thank you very much!

    Alexander Wilke

    Hello, Alexander.

    When connecting to an unknown host to the switch, it should go to a VLAN authenticated or if you use the VLAN comments, it must be created statically a VLAN on the switch. With the comments-VLAN-Enable, the switch automatically assigns a port as a member not marked. When the port is allowed, the switch will have to move the port to VLAN comments when the first applicant authorizes.

    Basically, this bug listed above says not to make changes to your information RADIUS server of VLAN and if you do, unplug the network and reconnect it.

    -Tom

  • Certificate self-signed for remote VPN CLIENT access

    Hi people,

    I am trying to achieve two-factor authentication, first with RADIUS & second with a self-signed certificate. I generated a self-signed certificate & tried to import this certificate, but error 39 occurs. The only obstacle is authenticating with the certificate. I saw some documents about setting up separate certificate servers (CA) & then importing into the clients, but I'm curious whether an automatically generated certificate can be used to authenticate the remote access client.

    ASA additional server failover mode is Local CA is not supported. Is there a way to support local CA.

    Thank you

    Are you talking about using self-signed client certificates? I guess that it will not work. At least it is not scalable. You must use an internal CA for this task. As the local certification authority cannot be used with failover, you can take a Windows Server 2k3 or 2k8. Another option is to use an IOS router as a CA server. But what about taking something else as a second factor? I'm a big fan of using smartphones with the www.duosecurity.com service.

    --
    Don't stop once you have upgraded your network! Improve the world by lending money to low-income workers:
    http://www.Kiva.org/invitedBy/karsteni

  • ASA SHA2 support with self-signed certificates

    Is it possible to use the SHA2 signature algorithm when generating a self-signed certificate on an ASA? I can't find any documentation on commands that control things like the signature algorithm when you use self-signed certificates. I have seen documentation that SHA2 is supported from 8.4.2 for the signature algorithm, but it always refers to the import of a certificate from an external certification authority.

    Hi William,

    You can only generate a SHA1 self-signed certificate on the ASA. The solution is to import a certificate from a 3rd party with the SHA2 signature algorithm.

    Here is the value for the same application:-

    ASA support for SHA - 2 for crypto IPsec and operations of the public key infrastructure
    CSCuj67576
    https://Tools.Cisco.com/bugsearch/bug/CSCuj67576/?reffering_site=dumpcr

    Kind regards
    Dinesh Moudgil

    PS Please rate helpful messages.

  • Stopped working self-signed certificates

    All of a sudden (and not after a Firefox update), Firefox 41.0 stopped accepting self-signed SSL certificates on various websites that it had accepted for months. I generated the certificates myself.

    The link / button to add exceptions and import the certificate has disappeared from the "Untrusted connection" error page

    Things I've tried so far:

    • Import certificates via preferences > advanced > Certificates > view certificates > servers. The imported certificates, but Firefox seems to ignore.
    • Exit Firefox, remove cert8.db in my profile, then restart Firefox
    • Restart Firefox in safe mode
    • Import the certificate in the keychain of the OS (what makes Web sites work on Chrome and Safari)

    Generated certificates are signed "PKCS #1 SHA-256 with RSA encryption", they are not expired and have been generated with

       openssl req -x509 -nodes -days 1095 -newkey rsa:2048 -keyout server.key -out server.crt
    

    Apart from the issue of trust, https://www.ssllabs.com/ssltest/ reported no problems with these certificates; they are fine ("If trust issues are ignored: A")

    The only way I can access these sites Web is via a private window: If the certificate has been imported previously (via preferences) private session window accesses Web sites without problem. If the certificate has not been imported, again, I have the option to add a temporary exception and after that is done, it works fine.

    This problem does not appear on another computer, even if the Firefox profile is synchronized between the two.
    The problem does not appear on Firefox 41.0 a colleague (same OS and hardware)
    Certificates signed by a real certification authority are accepted very well.

    UPDATE:

    I have marked this as resolved, but apparently the problem returned once a week, completely randomly.

    The best solution I've found so far is to leave Firefox, delete the following files from my profile, and then restart Firefox:

    • SiteSecurityServiceState.txt
    • cert_override.txt
    • cert8.db

    Finally, I fixed that by doing a Firefox "Refresh" (under topic: support) and re - sync my profile.

  • RemoteAccess VPN to ASA 2 7.2 using self-signed certificate

    Dear friends,

    I need help or a guide on how to install this as stated in the title.

    Can this configuration be made? Or can the self-signed certificate not be used as a VPN certificate?

    Unfortunately, we cannot deploy a dedicated CA server.

    But we cannot use pre-shared key authentication because that configuration would force our ASA to disable 'isakmp am-disable', which is unacceptable according to our independent auditor.

    So the best solution I can think of is to use a suitable self-signed certificate.

    Please advise me if there is some way I can use 'isakmp am-disable' as well as the pre-shared key.

    Can I generate a certificate using my ASA box? Or do I really need to use a dedicated CA server to make it work?

    This is a self-signed certificate from the ASA, but I can't import it into my Cisco VPN Client 5.0; it keeps saying "error 39: impossible to import the certificate".

    MIIGpwIBAzCCBmEGCSqGSIb3DQEHAaCCBlIEggZOMIIGSjCCBkYGCSqGSIb3DQEH

    .. .removed

    SdCTfNIaE11Fm + rOMD0wITAJBgUrDgMCGgUABBS6s9ZMs6MoqQ0tdZuKRZuebbE3

    owQU/z10f/Ew3XMfWBYSV5Eo3evqqgwCAgQA

    I will be very very grateful for any help provided.

    Best regards

    SAB

    SAB,

    You must have a separate server from CA to issue certificates for the client and register the ASA on the CA server.

    You cannot use the self-signed certificate on the ASA for the VPN client.

    See you soon,

    Gilbert

  • Cannot install the self-signed certificate

    I have an app remoteapp on machine Server 2012 for multiple users. We use a certificate self-signed HTTPS authentication. A laptop user has this strange problem where, no matter what method is used, the certificate never gets installed. It is said "the import was successful", but when you open Certmgr.msc, the certificate is not in the "certificate authorities roots of trust." I need to get this connected user. I never saw the Certmgr.msc to behave this way. Any help would be appreciated!

    Hello

    You can view this issue in Windows Server 2012 TechNet Forums General: http://social.technet.microsoft.com/Forums/en-us/winserver8gen/threads

    Thank you.

  • ASA5505 IPSEC only with self-signed certificates

    Hi all

    I have little Cisco training and was assigned to a pilot project. We have cleaning of the ASA from another Department, but I do not have access to support. It is running ASA v9.1 and ASDM 7.1. If all goes well I'll be sent on training and we can buy a nice 5520.

    So I scoured the internet for a guide that is easy to do as my title says, but I'm having major trouble. I find a lot of outwardly signed with self-signed SSL VPN or VPN IPSEC with CERT support but I can't only get ASA self-signed IPSEC IKEv2 with certificate authentication. Also, to make it even worse, I have to provide the user with the software, the profile and the certificate in hand. No access to the web or download portal.

    If you know where I can get good installation guide for this type of use please by all means save me here. If this isn't possible, I'm cool with that, let me know.

    Thank you for any help you can provide

    Jay

    If the ASA uses a certificate issued by a certification authority that is in the customer's trusted root CA store, then the ASA identity certificate does not need to be imported by the customer.

    Which is why it's usually recommended to follow the path of using an experienced public CA, because they are already included in most modern browsers, so the client has no need to know how to import certificates etc.

    If you are using a local certification authority that is not in the customer's trusted CA store to issue your ASA certificate, or identity certificates signed by the ASA itself as root, then you must take additional measures on the customer side.

    In the first case, you could import the CA certificate into the trusted root CA store of the client. After that, all the certificates it has issued (i.e. the ASA identity certificate) would automatically be trusted by the customer.

    In the second case, the ASA identity certificate itself would have to be installed on the client, because it (the ASA) is basically its own root certification authority. Usually, I install them in the trusted root CA store of my client, but I guess that's technically not necessary, as long as the customer knows to trust this certificate.

  • Faced with Windows 2008 R2 PKI, self-signed certificates & view iPad customer Secure Authentication to view connection server: UGH!

    Background: I was instructed to create a VMware View isolated laboratory test so that HIGHER-UPS can see how they could access the VM dedicated as well as how their developers could put related clones on-the-fly. The project was successful! Yay!

    Addendum: A boss wants to see how VMware View works when accessing his computer virtual dedicated via his iPad on the internet... And who needs a secure SSL connection.

    The problem is: the domain name I chose casually because the lab did not belong to me... So I can't have a real certificate from a trusted commercial certification authority.

    So I'll try to roll my own public Windows 2008 R2 PKI and... All that forcing the iPad to use DC/DNS server in the lab... Get only the single get iPad trust view connection server by importing a sort of certificate.

    Can I export/import a certificate of the CA of DC to the iPad via an attachment... And it happens with confidence. But how to create a login to view the server certificate and electronic-mail/import in the iPad so it happens with confidence? Whenever I try to export the certificate of the certificate of the view connection server store, send it to the iPad and install... The connection server certificate appears as 'not reliable' and the VMware View client will not connect.

    (Of course, I could get sloppy and set the iPad Client to accept untrusted connections... "But I want to solve the problem of approved connection).

    I could be missing something royally on the self-signed certificates and certificate chains.

    (It is a first for me dealing with Active Directory Windows Certificate Services. In the past, I always just installed expensive commercial SSL CA certificates in the certificates Windows Server stores before.)

    Any help or direction, you can provide would be appreciated. I'm rather confused.

    See you soon!

    Keegan

    Hello

    Maybe was your initial problem that the provided certificate must be a descendant of a trusted root, such as Verisign cert or

    the root certificate must be installed and all the intermediate certificates in the trust chain down to the one you use?

    Concerning

    AndyR

  • RTMPS with self-signed certificate

    Hello

    I have a simple Webcam movie, publish live video
    FMS 2.0.2 r51 dev under Debian 3.1r2 edition
    and then he plays in another video-window.

    It works very well and rtmp, rtmpt, but with rtmps I get
    the error "NetConnection.Connect.Failed".

    I have prepared a simple and all assembled test scenario
    info here: http://pref.dyndns.org:8080/live/live.html

    The certificate has been created by me in this way:
    openssl req -x509 -days 365 -newkey rsa:1024 \
      -out self-signed-certificate.pem -keyout pub-sec-key.pem

    And put into _defaultRoot_/Adaptor.xml:
    <HostPort name="edge1" ctl_channel=":19350">:1935,80,-443</HostPort>
    ... skipped ...
    <SSLCertificateFile>/home/afarber/certs/self-signed-certificate.pem</SSLCertificateFile>
    <SSLCertificateKeyFile type="PEM">/home/afarber/certs/pub-sec-key.pem</SSLCertificateKeyFile>
    <SSLPassPhrase>secret</SSLPassPhrase>
    <SSLCipherSuite>ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH</SSLCipherSuite>

    I'm sure that the server works as I see in the var:
    localhost adapter [2675]: listener started (_defaultRoot__edge1): 443 (secure)

    I also tried to put
    import mx.remoting.Service;
    import mx.services.Log;
    import mx.remoting.debug.NetDebug;
    NetDebug.initialize();

    at the top of my AS code, but the NetConnection debugger
    window displays no information at all, for some reason any:
    http://pref.dyndns.org:8080/live/NetDebug-empty.gif

    Concerning
    Alex

    I found the solution-

    There is a bug in the current Flash Player:
    if a dialogue pop-up window appears for any reason
    (such as an unknown CA or a host name that does not match),
    then the cert will be rejected even if you
    click 'yes'.

    If you are generating a self-signed cert like this:

    openssl genrsa -des3 -out ca.key 4096
    openssl req -new -x509 -days 365 -key ca.key -out ca.crt

    openssl genrsa -des3 -out server.key 4096
    openssl req -new -key server.key -out server.csr

    openssl x509 -req -days 365 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt

    (increase the 01 above for each new cert).

    and then import the ca.crt from above in your
    browsers (i.e. double-click on Windows for IE;
    open it from Mozilla Firefox and click OK).

    Concerning
    Alex

  • TLS fails on linux self-signed certificates

    on firefox 38.1.0 under centOS 6.6 I have some problem with TLS.

    When it first happened I redid the cert using keys of 2048 bytes. It seemed to address the issue when navigating to addresses similar to https://localhost/somesite; however, when I try https://localhost:10000 it still fails:

    An error occurred during a connection to localhost.localdomain:10000. The certificate server included a public key which was too low. (Error code: ssl_error_weak_server_cert_key)

       The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
       Please contact the website owners to inform them of this problem.
    

    The certificate signing algorithm is -> PKCS #1 SHA-1 with RSA encryption

    The public key algorithm is -> PKCS #1 RSA encryption

    The key was created 07/06/15 for a period of 10 years; it is a Version 1 cert issued by myself with the info
    E = [email protected]
    CN = localhost
    OU = hq
    O = permite
    L = Stone Mountain
    ST = ga
    C = us

    It was a problem of webmin.

    To fix this, edit /etc/webmin/miniserv.pem and replace the cert and private key sections.

    Use a new generated key and self-signed certificate. If you follow the instructions of centOS, the location of the files are /etc/pki/tls/private/ca.key and /etc/pki/tls/certs/ca.crt

  • Use the certificate self-signed on TS 2008R2

    Hello reader,.

    We use Firefox on a Terminal server with about 20 servers server farm environment.
    We use a lot of intranet sites for which we have the certificate self-signed by our domain controller.

    In Firefox users get prompt security sec_error_unknown_issuer. As much as I red that Firefox does not check for local free self-signed certificates.
    Is there a way we could set up for all users, they do not see the above error-> specific <-websites (intranet)?

    We do not want the users to add the Security (certificate) as exception 20 times for EACH intranet website on 20 servers dispute.
    It is something that I can edit in mozilla.cfg on each server or is there another solution?

    Thanks in advance,
    Kind regards
    Martijn

    I solved the problem with manual below:

    http://community.Spiceworks.com/how_to/15158-Firefox-trust-a-local-certificate-authority-for-all-users-and-computers

  • I have a Proxy Server that uses a self-signed certificate, and I can't accept this certificate from Firefox

    I have Firefox installed 37.0.1 on OpenSuse 13.2. I have a proxy server that uses a self-signed certificate, and I tried to add my certificate to the list of authorities and to check all the option displayed to be wz trust no chance.

    I tried to restart firefox, but it did not help.

    I did the same steps in chrome and it works fine.

    appreciate any help.

    After removing my .mozilla in my home directory. Add the certificate to the list of authorities in fact work.

  • Unable to connect to SMTP using TLS with a certificate self-signed on OSX 10.10.1 (T31.3 & 24.6)

    I can't connect to my server SMTP with TLS on port (send 465 or 587 / 995 receive) using Thunderbird 31.3 or my OS X 10.10.1 24.6 (Didier) MacBook Pro.

    However, I am able to send and receive mail from the same account on my Windows 7 machine using Outlook 2007, using the same settings I configured in Thunderbird. I added the certificate etc.

    http://img.Photobucket.com/albums/v631/Napoleon_BlownApart/ScreenShot2014-12-16at121323pm.PNG (Taken when using 24.6)

    I am the admin of the server and the password and other settings on the side Server are correct! (I'll take a look at the evolution at the same time. I am already back to an earlier version of Firefox because of sloppy coding and broken features).

    Any ideas?

    If the server name is a secret, how you expect to receive mail. Please, we have pretty bad without guessing. Seriously what you are done using a self signed certificate, they are free by https://www.startssl.com/

    My guess is it of OSX who dislikes the self-signed certificate, how Thunderbird to deal with Windows. As you have a copy install Thunderbird and see if it is a question of OSX.

  • HPDM: HPDM replace self signed SSL certificates for server HDPM and master repository

    I am trying to replace the automatically generated self-signed certificates (issued to DM) issued by DM server HDPM and master repository.  I'm NOT arbitration FTPS, HTTPS embedded HPDM or CERT Thin Client Agent server.

    I already have CERT for the installation of our own internal domain CA for FTPS in IIS and the built-in Apache HTTPS server.  These work properly and pass tests of repository for both protocols.  I also have questions for Thin Clients of our internal CA very well.

    I am interested in the HPDM real server cert and cert master repository. These are generated automatically when the two services start.  They use a very weak MD5 hash and key RSA 1024.  I can't find any documentation around that, with the exception of troubleshooting, in which you can remove these certificates restart services and they will be regenerated.

    Here are the paths certs\key
    HPDM % install Path%\MasterRepositoryController\Controller.crt (Cert repository)

    HPDM % install Path%\MasterRepositoryController\Controller.key (repository key)

    HPDM % install Path%\MasterRepositoryController\Client.crt (HPDM Server Cert)

    HPDM % install Path%\Server\Bin\hpdmskey.keystore (Both HPDM server and repository Certs and keys) (not sure what format it is in.  It is not PEM and P12 ok I can say)

    There are also some HPDM % install Path%\Server\bin\hpdmcert.key.  Don't know what it is.  It's the key to the server HPDM but deleting it does nothing and it is never re auto generated in one of my tests.

    I am able to replace the Controller.crt and keys with my own files CA internal those emitted very well.  The service started and no errors occur.  However if I replace the Client.cert (HPDM Server Cert) with my own service will start but there are Socket SSL errors in repository logs and the HPDM server could not connect to the master repository. I have no idea where the key file is supposed to be for HPDM Server Cert.

    Can anyone help with this?  I can't find the configuration files for the service to generate their own certificates.  If I did I would try at least to change the config to do not use MD5.

    Hello

    These certificates between the HPDM server and MRC are not designed to be customizable. Please submit a scenario if you have security concerns about it.

    Just for info:

    hpdmcert.key is for communication between the HPDM server and the HPDM gateway

    hpdmskey.keystore is for communication between the HPDM server and MRC

    server_keystore is for the communication between the HPDM server and the HPDM Console
