RV340 router PKCS#12 certificates

I created a certificate with OpenSSL and uploaded it to the router as PKCS#12. Now the name of the certificate is reserved (I can't upload again with the same name), but it is not shown in the list (a reboot does not help).

I wanted to use a 3072-bit RSA key, because the router's certificate request generator only handles 2048 bits.

(Unfortunately, EC P-384 certificates are not supported, are they?)

I use the latest firmware: 1.0.03.21

 

#!/bin/bash
# Expected to be set before running: FILE_NAME, CA_FILE_NAME, SUBJECT, DAYS, SERIAL, IP
# (bash is required for the <(...) process substitution used when signing)

# with passphrase
#openssl ecparam -genkey -name prime256v1 -param_enc explicit -out "${FILE_NAME}-key.pem"
# error with EC keys, so an RSA key is generated instead
openssl genrsa -out "${FILE_NAME}-key.pem" 3072

# export public key
openssl rsa -in "${FILE_NAME}-key.pem" -pubout > "${FILE_NAME}-key.pub"

# request (CSR signed with SHA-384)
openssl req -new -key "${FILE_NAME}-key.pem" -out "${FILE_NAME}-req.csr" -sha384 -subj "${SUBJECT}"

# sign cert with CA; the extensions are passed inline via process substitution
# (note: keyAgreement only applies to DH/ECDH keys; for an RSA TLS key the
# usual usage is keyEncipherment,digitalSignature)
openssl x509 -req \
    -CA "${CA_FILE_NAME}-cert.pem" -CAkey "${CA_FILE_NAME}-key.pem" \
    -sha384 -days "${DAYS}" \
    -set_serial "${SERIAL}" \
    -in "${FILE_NAME}-req.csr" -out "${FILE_NAME}-cert.pem" \
    -extfile <(printf "basicConstraints=critical,CA:FALSE
keyUsage=critical,keyAgreement,digitalSignature
extendedKeyUsage=serverAuth,clientAuth
subjectAltName=IP:${IP},DNS:mainrouter.local")

# Cert. pem to der
openssl x509 -outform der -in "${FILE_NAME}-cert.pem" -out "${FILE_NAME}-cert.crt"

# create chain
#cat "${FILE_NAME}-cert.pem" intca-cert.pem ca-cert.pem > "${FILE_NAME}-cert-chain.pem"
# intca is not supported
cat "${FILE_NAME}-cert.pem" ca-cert.pem > "${FILE_NAME}-cert-chain.pem"

# create PKCS#12 (key + device cert, protected with the given password)
openssl pkcs12 -export -inkey "${FILE_NAME}-key.pem" -in "${FILE_NAME}-cert.pem" -out "${FILE_NAME}-key.p12" -password pass:password


7 Replies

nagrajk1969

Hi

1. Use only PEM files and NOT DER-encoded files.

2. Don't create the cert-chain bundling of the device-cert.pem and ca-cert.pem.

3. Create the PKCS#12 instead using the independent device-cert.pem, device-priv-key.pem and ca-cert.pem certs, using the sample command below (which I am sure you already know):

openssl pkcs12 -export -descert -password pass:test1234 -nodes -inkey device-priv-Key.pem -in device-cert.pem -certfile ca-cert.pem -out rv340-devicecert1.p12

>>>> Unfortunately, EC P-384 certificates are not supported, are they?

Yes, elliptic-curve certs are not supported... yet, I guess.

Some notes:

1. Lastly, you can import ONLY bundled CA certificates, you know, such as ones containing "RootCAcert.pem+Intermediate-CA1.pem+Intermediate-CA2.pem...". But this bundling of the CA certs has to be in a certain order.

Example 1: if there is an Intermediate-CA cert and the top-level main root-CA cert that signed the Intermediate-CA,

- then the CA bundle has to be created in the below order in the PEM file (say ca-bundle1.pem):

<Intermediate-CA-first>

<Main-RootCA-that-signed-above-IntermediateCA-below next here>

=================================

Example 2: if there is an Intermediate-CA1 cert and it is signed by the top-level Intermediate-CA2-cert.pem, and this is signed by the next top-level main root-CA cert,

- then the CA bundle has to be created in the below order in the PEM file (say ca-bundle2.pem):

<Intermediate-CA1-first>

<Intermediate-CA2-second>

<Main-RootCA-that-signed-above-IntermediateCA2-below next here>

=============================

2. Please note that the bundled CA certs can be used ONLY with the SSL-VPN (the Cisco AnyConnect SSL VPN server on the RV340). It's not supported for the IPsec-VPN tunnels (s2s or c2s), because the underlying IPsec-VPN application running on the RV34X is the open source Strongswan, which does not support bundled CA certs for IKE auth at all... Strongswan has an issue parsing the CA bundle.

This is not to say that you cannot have CA chains used for the IPsec VPN... it's just that the solution is to import the Intermediate-CA and the Root-CA as CA PEM files separately, and then Strongswan will automatically check the entire CA chain when verifying the device certs used in the IKE auth process... so it's just that you need to break up the CA bundle if you want to use it for IPsec-VPN.

- So what I do is import the CA-bundle file and also the individual Intermediate-CAs and the top-level root-CAs, and refer to them as required in the SSL VPN and IPsec VPN configs respectively...

Thank you, I will try it!

Am I somehow able to remove the hidden wrong PKCS#12 files? (I use only the web GUI so far.)

I tried it, but it still does not work.

openssl pkcs12 -export -descert -password pass:password -nodes -inkey ${FILE_NAME}-key.pem -in ${FILE_NAME}-cert.pem -certfile ca-cert.pem -out ${FILE_NAME}-key.p12

The upload is still successful, but the certificate is not in the list in the 'Certificate Table' and not listed under VPN / SSL VPN.

Updates:

I tried it with RSA 2048 and that works!

BUG:

The RV340 router does not support RSA 3072, but it is possible to upload it, and then it reserves hidden storage space.

 

nagrajk1969

OK, thank you. I think there must be some other reason for the 3072-bit certificate import (using PKCS#12) not working, because I have successfully imported 4096-bit certificates multiple times (including 4096-bit CA certificates and 4096-bit bundled CA chains) on an RV340/345 router. It works for sure.

So I think I will also run a check with 3072-bit cert import and post the results to you ASAP.

Regards

Thank you. Maybe the 3072-bit private key is the reason? Have you ever used a 4096-bit RSA private key in that router?

(My CA is a P-384 elliptic curve cert, but it works well when I sign the 2048-bit RSA.)

nagrajk1969

Hi

Your observation with RSA 3072-bit certificate import is correct. There is a BUG when we import 3072-bit certificates into the RV340/34X only.

It works correctly when we import the same on the RV160/260... there are no issues on these routers.

>>> 3072-bit private key is the reason?

No. It's more of a GUI display issue, especially and only with 3072-bit certs... whereas there is no such display issue with 4096-bit imported certs.

If there was an issue with the private key, the import itself would have failed... which is not the case here. The import is successful BUT the display is a problem in the GUI of RV34X routers... (it's not an issue with the same certs imported on the RV160/260).

>>> Have you ever used a 4096-bit RSA private key in that router?

Yes, I have. I again created other 4096-bit certs and imported the p12 file onto the RV34X... it's successful and I can use them successfully in VPN and AnyConnect SSL VPN, etc.
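
A pre-upload check that applies the findings of this thread, added here as an example (not the poster's or Cisco's code): it reads the key algorithm and size out of a PEM certificate, flags EC keys and the 3072-bit case described above, and verifies that a CA bundle is ordered intermediate-first, root-last as required in the first reply. It assumes the openssl command-line tool is installed; the function names are my own.

```shell
# Pre-upload checks for an RV340 certificate set, based on this thread's
# findings: the device key should be RSA 2048 or 4096 (EC is unsupported and
# 3072-bit certs import but stay hidden in the GUI), and a CA bundle for the
# SSL-VPN must be ordered intermediate-first, root-last. Needs the openssl CLI.

# Print "<algorithm> <bits>" for the public key in a PEM certificate,
# e.g. "rsaEncryption 2048" or "id-ecPublicKey 384".
cert_key_info() {
  txt=$(openssl x509 -in "$1" -noout -text) || return 2
  alg=$(printf '%s\n' "$txt" | sed -n 's/.*Public Key Algorithm: *//p' | head -n 1)
  bits=$(printf '%s\n' "$txt" | sed -n 's/.*Public-Key: *(\([0-9]*\) bit).*/\1/p' | head -n 1)
  printf '%s %s\n' "$alg" "$bits"
}

# Return 0 when the certificate's key is one the thread found usable on the
# RV340; otherwise print the reason and return 1.
rv340_cert_ok() {
  set -- $(cert_key_info "$1")
  case "$1" in
    rsaEncryption) ;;
    *) echo "unsupported key type: ${1:-unknown}"; return 1 ;;
  esac
  case "$2" in
    2048|4096) return 0 ;;
    3072) echo "3072-bit RSA imports but is not shown in the RV340 GUI"; return 1 ;;
    *) echo "untested RSA size: $2"; return 1 ;;
  esac
}

# Return 0 when each certificate in a PEM bundle is followed by its issuer and
# the last one is self-signed (the root), i.e. the order the RV340 expects.
check_bundle_order() {
  tmp=$(mktemp -d) || return 2
  n=$(grep -c 'BEGIN CERTIFICATE' "$1")
  # split the bundle into c1.pem, c2.pem, ... in file order
  awk -v d="$tmp" '/BEGIN CERTIFICATE/{n++} n>0{print > (d "/c" n ".pem")}' "$1"
  i=1; rc=0
  while [ "$i" -le "$n" ]; do
    j=$((i + 1)); [ "$j" -gt "$n" ] && j=$i   # last cert: compare with itself
    issuer=$(openssl x509 -in "$tmp/c$i.pem" -noout -issuer)
    expect=$(openssl x509 -in "$tmp/c$j.pem" -noout -subject)
    [ "${issuer#issuer=}" = "${expect#subject=}" ] || rc=1
    i=$((i + 1))
  done
  rm -rf "$tmp"
  return "$rc"
}
```

Run `rv340_cert_ok device-cert.pem && check_bundle_order ca-bundle1.pem` before uploading; a non-zero status names the problem to fix first.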


Thank you!

I opened a ticket to get the bug fixed.
