SG350XG SSL Certificate SAN

Hello,


I have a couple of old SG350XG switches, and I am trying to generate a CSR and create a new custom SSL certificate.

After applying the generated certs, Chrome/Edge etc. still do not trust the cert because there is no SAN. The CSR gives me no option to enter a SAN.


Is there any other way for me to generate a cert for these switches that conforms to modern SSL cert standards?


Thanks

James

12 Replies

Jitendra Kumar
Spotlight

Access on Firefox and try this way...


https://youtu.be/RkpLeqHsrog


Thanks,
Jitendra

Hi,


Thanks, but I'm not sure this answers my query?


As there is no box to enter a SAN on the CSR, I cannot add a SAN. This means even after successfully requesting and importing the cert, it still isn't trusted by my browser.

Perhaps what you are saying is that Firefox does not generate errors on certs that do not have SANs, and that my workaround to not being able to specify one is to use Firefox as my browser?


Cheers

James

You have to perform this via the CLI.


Verify your certificate and private key
Generate the public key from the private key
Import certificate and keys to the switch

Use the below command to import a custom certificate:

#crypto certificate 1 import (paste your input certificate and certificate)

The switch can have up to 2 certificates.


GUI


Security > SSL Server > SSL Server Authentication Setting --can Import/create certificate

Thanks,
Jitendra

Hi,


Even via the CLI, the crypto commands do not allow me to specify a SAN:

[Screenshot 2022-07-06 163704.png]
The developer security tab says I don't have a SAN (although interestingly it doesn't think there is a valid cert at all?):
[Screenshot 2022-07-06 164152.png]

Sorry, no it doesn't.

I don't have any issues generating and importing a certificate via the GUI; the issue is that the browser does not like the certificate that it generates.

Please refer to previous screenshot, whereby the browser says it does not trust the cert as "Subject alternate name is missing".

I specifically need to know how I can generate a CSR for this switch that includes a Subject Alternative Name.

Thanks

James

Is it perhaps possible to just generate a CSR using OpenSSL with a SAN on it, then import the cert into the switch, or do I need to be worrying about private keys?


Cheers

James

Hi,

I have managed, with some support from the Cisco support team, to import some certs and keys into my Catalyst 9200 series switches.

I'm still struggling with these though.


I have used OpenSSL to generate a CSR and new private key, which I used to issue a new cert from our AD CA.

When going to import a cert on these switches, I can enter the certificate detail, the public key (extracted from the private key) as well as the private key.

I am told, though, that the key is "missing headers".

I tried adding the DEK headers to my private key (that were required when importing to my 9200s), but it gave me the same error.


Can anyone guide me on what the correct format for each of the keys is, so I can modify what I have and have another go at importing?


Many thanks

James

Aleksandra Dargiel
Cisco Employee

Hi James,

To get it working seamlessly you need to have the key and certificate in .pem format.

private_rsa_key.pem
public_rsa_key.pem
cert.pem

What format do you have?

Alex

I believe it is PEM, as the format within the keys and cert is:

-----BEGIN ENCRYPTED PRIVATE KEY-----
MIIFHD.....
-----END ENCRYPTED PRIVATE KEY-----

-----BEGIN CERTIFICATE-----
MIIFmz...
-----END CERTIFICATE-----

I used the below openssl command to generate the key and CSR:

.\openssl.exe req -newkey rsa:2048 -subj "/C=/ST=/L=/O=/OU=/CN=" -sha256 -keyout key.key -out csr.csr -config .\openssl_san.cnf

The CSR was then submitted to our internal AD CA, and a Base64-encoded (rather than DER) certificate was downloaded.

Many thanks

James

Any additional guidance for me on this please?


Many thanks

James

You have to decrypt your private key with openssl.


Use command: openssl.exe rsa -in device_private.key -out device_private_decrypt.key

Enter the password used to create the CSR, and the resulting file will have the header BEGIN RSA PRIVATE KEY as required by the switch.

Regards,

Marcin
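Added example, not code from any poster in this thread: a POSIX shell script that performs the two steps discussed above, generating a CSR with a SAN from an OpenSSL config (the contents of James's openssl_san.cnf are not shown, so the config, CN, SAN entries, passphrase and file names here are assumptions) and then decrypting the PKCS#8 key into the traditional "BEGIN RSA PRIVATE KEY" form as Marcin describes; it also derives the public key file the import dialog asks for. One caveat the thread does not mention: OpenSSL 3.x writes PKCS#8 ("BEGIN PRIVATE KEY") from `openssl rsa` unless `-traditional` is passed, so the script tries that flag first and falls back for older releases that lack it.

```sh
#!/bin/sh
# Added example, not code from the thread. File names, CN, SAN entries and
# the passphrase are assumptions; adjust them for your switch.
set -e

# Write a minimal OpenSSL request config whose CSR carries a SAN (constructed).
write_san_config() {
    cat > "$1" <<'EOF'
[ req ]
default_bits       = 2048
prompt             = no
distinguished_name = dn
req_extensions     = san_ext

[ dn ]
CN = switch01.example.internal

[ san_ext ]
subjectAltName = DNS:switch01.example.internal, IP:192.0.2.10
EOF
}

# Create a passphrase-protected key plus the CSR. $1 = work dir, $2 = passphrase.
# Like James's command, this writes the key as PKCS#8 ("BEGIN ENCRYPTED PRIVATE KEY").
make_san_csr() {
    write_san_config "$1/openssl_san.cnf"
    openssl req -new -newkey rsa:2048 -sha256 -config "$1/openssl_san.cnf" \
        -passout "pass:$2" -keyout "$1/key.key" -out "$1/csr.csr" 2>/dev/null
}

# Print the SAN line of a CSR so it can be checked before it goes to the CA.
csr_san() {
    openssl req -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//'
}

# Decrypt the key into the traditional "BEGIN RSA PRIVATE KEY" form (Marcin's step).
# OpenSSL 3.x emits PKCS#8 unless -traditional is given; older releases lack the
# flag but emit the RSA form by default, hence the fallback. $3 = output file.
decrypt_key_traditional() {
    openssl rsa -in "$1" -passin "pass:$2" -traditional -out "$3" 2>/dev/null \
        || openssl rsa -in "$1" -passin "pass:$2" -out "$3" 2>/dev/null
}

# Derive the public key file the switch import dialog also asks for.
public_key_from_private() {
    openssl rsa -in "$1" -pubout -out "$2" 2>/dev/null
}

# First line of a PEM file, to confirm which header the switch will see.
pem_header() { head -n 1 "$1"; }
```

Run `make_san_csr` and `decrypt_key_traditional` against a scratch directory and check `pem_header` on the outputs before pasting anything into the switch; the decrypted key is unprotected, so delete it once the import succeeds.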