cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2851
Views
0
Helpful
7
Replies

RV340 router PKCS#12 certificates

I created a certificate with OpenSSL and uploaded that to the router as PKCS#12 then the name of the certification is reserved (I can't upload again with the same name), but not seen in the list (reboot not help).

 

I wanted to use 3072 BIT RSA key, because the router only handle 2048 BIT by cert request generator.

(Unfortunately the EC P-384 Certificates are not supported, are it?)

I use the latest firmware: 1.0.03.21

 

# with passphrase
#openssl ecparam -genkey -name prime256v1 -param_enc explicit -out ${FILE_NAME}-key.pem
# error with EC keys
openssl genrsa -out ${FILE_NAME}-key.pem 3072


# export public key
openssl rsa -in ${FILE_NAME}-key.pem -pubout > ${FILE_NAME}-key.pub

 

# request
openssl req -new -key ${FILE_NAME}-key.pem -out ${FILE_NAME}-req.csr -sha384 -subj "${SUBJECT}"

 

# sign cert with CA
openssl x509 -req \
-CA ${CA_FILE_NAME}-cert.pem -CAkey ${CA_FILE_NAME}-key.pem \
-sha384 -days ${DAYS} \
-set_serial ${SERIAL} \
-in ${FILE_NAME}-req.csr -out ${FILE_NAME}-cert.pem \
-extfile <(printf "basicConstraints=critical,CA:FALSE
keyUsage=critical,keyAgreement,digitalSignature
extendedKeyUsage=serverAuth,clientAuth
subjectAltName=IP:${IP},DNS:mainrouter.local")

 

# Cert. pem to der
openssl x509 -outform der -in ${FILE_NAME}-cert.pem -out ${FILE_NAME}-cert.crt

 

# create chain
#cat ${FILE_NAME}-cert.pem intca-cert.pem ca-cert.pem > ${FILE_NAME}-cert-chain.pem
# intca is not supported
cat ${FILE_NAME}-cert.pem ca-cert.pem > ${FILE_NAME}-cert-chain.pem

 

# create PKCS#12
openssl pkcs12 -export -inkey ${FILE_NAME}-key.pem -in ${FILE_NAME}-cert.pem -out ${FILE_NAME}-key.p12 -password pass:password

3 Accepted Solutions

Accepted Solutions

nagrajk1969
Spotlight
Spotlight

Hi 

 

1. Use only pem files and NOT der-encoded file.

 

2. dont create the cert-chain bundling of the device-cert.pem and ca-cert.pem 

 

3. create the pkcs12 instead using the independent device-cert.pem, device-priv-key.pem and ca-cert.pem certs using the sample command below (which iam sure you already know)

 

openssl pkcs12 -export -descert -password pass:test1234 -nodes -inkey device-priv-Key.pem -in device-cert.pem -certfile ca-cert.pem -out rv340-devicecert1.p12

 

>>>>Unfortunately the EC P-384 Certificates are not supported, are it?

Yes elliptic-curve certs are not supported....yet i guess

 

Some Notes:

1. Lastly, you can import ONLY Bundled-CA-certficates, you know, such as containing "RootCAcert.pem+Intermediate-CA1.pem+Intermediate-CA2.pem...". But this bundling of the CA-certs has to be in a certain order

 

For example1: if there is a Intermediate-CA-cert and the top-level main root-CA cert that signed the Intermediate-CA

 

- then the ca-bundle has to be created in the below order in the pem file (say ca-bundle1.pem) 

 

<Intermediate-CA-first>

<Main-RootCA-that-signed-above-IntermediateCA-below next here>

 

=================================

 

For example2: if there is a Intermediate-CA1-cert and it is signed by top-level Intermediate-CA2-cert.pem and this is signed by the next top-level main root-CA-cert

- then the ca-bundle has to be created in the below order in the pem file (say ca-bundle2.pem) 

 

<Intermediate-CA1-first>

<Intermediate-CA2-second>

<Main-RootCA-that-signed-above-IntermediateCA2-below next here>

 

=============================

 

2. Please note that the Bundled-CA-certs can be used ONLY with the SSL-VPN (the Cisco-AnyConnect sslvpn server on RV340). Its not supported for the IPsec-VPN tunnels (s2s or c2s), becos the underlying IPsec-VPN application running on RV34X is the open source Strongswan which does not support bundled-CA-certs for IKE-auth at all....Strongswan has an issue parsing the ca-bundle

 

This is not to say that you cannot have ca-chains used for the IPsec vpn..its just that - the solution is to import the Intermediate-CA and the RootCA as Ca-pem files separately and then Strongswan will automatically now check the entire CA-chain for verifying the device-certs used in the IKE-auth process...so its just that you need to break up the ca-bundle if you want to use it for IPsec-VPN

- So what i do is i import the CA-bundle file and also the individual Intermediate-CAs and the top-level root-CAs and refer them as required in sslvpn and ipsec-vpn configs respectively...

 

 

 

 

 

View solution in original post

I tried it, but still not work.

 

openssl pkcs12 -export -descert -password pass:password -nodes -inkey ${FILE_NAME}-key.pem -in ${FILE_NAME}-cert.pem -certfile ca-cert.pem -out ${FILE_NAME}-key.p12 

 

Still successful uploaded but not in the list at 'Certificate Table' and not listed in VPN / SSL VPN.

 

Updates:

I tried it with RSA 2048 and that is work!

 

BUG:

The RV340 router not support RSA 3072, but possible to upload that, then that will reserve hidden storage space.

 

View solution in original post

nagrajk1969
Spotlight
Spotlight

Hi

 

Your observation with rsa-3072bit certificates import is correct. There is a BUG when we import 3072-bit certificates into RV340/34X only

 

Its working correctly when we import the same on RV160/260...there is no issues on these routers

 

>>>3072 bit private key is the reason?

No. Its more of a GUI display issue, especially and only with 3072-bit certs....whereas there is no such display issue with 4096-bit imported certs

If there was an issue with private-key, the import itself would have failed....which is not the case here. The import is successfull BUT the display is a problem in GUI of RV34X routers...(its not an issue with same certs imported on RV160/260)

 

>>>Do you ever use 4096 bit RSA priv key in that router?

Yes. I have. I again created another 4096-bit certs and importted the p12 file onto RV34X...its successfull and i can use them successfully in VPN and AnyConnect-SSLVPN, etc

 

 

 

View solution in original post

7 Replies 7

nagrajk1969
Spotlight
Spotlight

Hi 

 

1. Use only pem files and NOT der-encoded file.

 

2. dont create the cert-chain bundling of the device-cert.pem and ca-cert.pem 

 

3. create the pkcs12 instead using the independent device-cert.pem, device-priv-key.pem and ca-cert.pem certs using the sample command below (which iam sure you already know)

 

openssl pkcs12 -export -descert -password pass:test1234 -nodes -inkey device-priv-Key.pem -in device-cert.pem -certfile ca-cert.pem -out rv340-devicecert1.p12

 

>>>>Unfortunately the EC P-384 Certificates are not supported, are it?

Yes elliptic-curve certs are not supported....yet i guess

 

Some Notes:

1. Lastly, you can import ONLY Bundled-CA-certficates, you know, such as containing "RootCAcert.pem+Intermediate-CA1.pem+Intermediate-CA2.pem...". But this bundling of the CA-certs has to be in a certain order

 

For example1: if there is a Intermediate-CA-cert and the top-level main root-CA cert that signed the Intermediate-CA

 

- then the ca-bundle has to be created in the below order in the pem file (say ca-bundle1.pem) 

 

<Intermediate-CA-first>

<Main-RootCA-that-signed-above-IntermediateCA-below next here>

 

=================================

 

For example2: if there is a Intermediate-CA1-cert and it is signed by top-level Intermediate-CA2-cert.pem and this is signed by the next top-level main root-CA-cert

- then the ca-bundle has to be created in the below order in the pem file (say ca-bundle2.pem) 

 

<Intermediate-CA1-first>

<Intermediate-CA2-second>

<Main-RootCA-that-signed-above-IntermediateCA2-below next here>

 

=============================

 

2. Please note that the Bundled-CA-certs can be used ONLY with the SSL-VPN (the Cisco-AnyConnect sslvpn server on RV340). Its not supported for the IPsec-VPN tunnels (s2s or c2s), becos the underlying IPsec-VPN application running on RV34X is the open source Strongswan which does not support bundled-CA-certs for IKE-auth at all....Strongswan has an issue parsing the ca-bundle

 

This is not to say that you cannot have ca-chains used for the IPsec vpn..its just that - the solution is to import the Intermediate-CA and the RootCA as Ca-pem files separately and then Strongswan will automatically now check the entire CA-chain for verifying the device-certs used in the IKE-auth process...so its just that you need to break up the ca-bundle if you want to use it for IPsec-VPN

- So what i do is i import the CA-bundle file and also the individual Intermediate-CAs and the top-level root-CAs and refer them as required in sslvpn and ipsec-vpn configs respectively...

 

 

 

 

 

Thank you, I will try it!

 

Am I somehow able to remove the hidden wrong pkcs#12 files? (I use the web GUI yet)

I tried it, but still not work.

 

openssl pkcs12 -export -descert -password pass:password -nodes -inkey ${FILE_NAME}-key.pem -in ${FILE_NAME}-cert.pem -certfile ca-cert.pem -out ${FILE_NAME}-key.p12 

 

Still successful uploaded but not in the list at 'Certificate Table' and not listed in VPN / SSL VPN.

 

Updates:

I tried it with RSA 2048 and that is work!

 

BUG:

The RV340 router not support RSA 3072, but possible to upload that, then that will reserve hidden storage space.

 

nagrajk1969
Spotlight
Spotlight

Ok, Thank you. I think there must be some other reason for the 3072-bit certificate import (using pkcs12) not working. Becos i have successfully imported multiple times 4096-bit certificates (including importing 4096-bit CA certificates, and 4096-bit bundled CA-chains) on a RV340/345 router. It works for sure

 

So i think i will also run a check with 3072-bit certs import and post you the results ASAP

 

regards

 

 

 

 

Thank you, may, 3072 bit private key is the reason? Do you ever use 4096 bit RSA priv key in that router?

 

(My CA is an P-384 elliptic curve cert. but is work well when I sign the 2048 bit RSA.)

nagrajk1969
Spotlight
Spotlight

Hi

 

Your observation with rsa-3072bit certificates import is correct. There is a BUG when we import 3072-bit certificates into RV340/34X only

 

Its working correctly when we import the same on RV160/260...there is no issues on these routers

 

>>>3072 bit private key is the reason?

No. Its more of a GUI display issue, especially and only with 3072-bit certs....whereas there is no such display issue with 4096-bit imported certs

If there was an issue with private-key, the import itself would have failed....which is not the case here. The import is successfull BUT the display is a problem in GUI of RV34X routers...(its not an issue with same certs imported on RV160/260)

 

>>>Do you ever use 4096 bit RSA priv key in that router?

Yes. I have. I again created another 4096-bit certs and importted the p12 file onto RV34X...its successfull and i can use them successfully in VPN and AnyConnect-SSLVPN, etc

 

 

 

Thank you!

I opened a ticket to solve the bug.

Review Cisco Networking for a $25 gift card