I am trying to import an SSL certificate into this device, a Cisco SPS2024 (FW: 1.0.6 (date 30-Aug-2011 time 15:45:47)), but without success. I have already done this task on other models through the CLI (Cisco SRW224G4 through the lcli) or on a Cisco SG300.
I can create a certificate request with:
switch(config)#crypto certificate 1 generate key-generate
switch#crypto certificate 1 request cn "sw.localdomain" or "..." ou "..." loc "..." st "..." cu "..."
and that last command gives me a plaintext certificate request that I will sign with my certification authority. Up to this point, everything is clear and perfect.
Now I have a certificate signed according to the generated certificate request and I want to import it. And now I am stuck, because I have not found any useful command to do this. For importing a certificate, I have found only the following command:
switch# crypto certificate 1 import pkcs12 WORD
I also don't exactly understand this command, because there is no parameter to specify any URL from which the pkcs12 certificate would be fetched... just the WORD parameter as the pkcs12 passphrase.
Nothing like on other switch models, which have the following command:
switch2(config)# crypto certificate 1 import <CR>
After executing that command, the command line waits for the signed certificate to be pasted into the console. On the SPS2024 there is no similar command to do this. So in the end, I cannot import a certificate signed by my certificate authority; I can only generate a self-signed certificate directly on the device and use that one.
So... is this a bug or a "feature"?
Thanks for any help/hint/navigation.
Just to be sure: there is a guide, SPS208G/SPS224G4/SPS2024 Ethernet Switches Command Line Interface (http://www.cisco.com/en/US/docs/switches/metro/csbpgss/sps/cli/guide/SPS_CLI_RG_OL-18485-01b.pdf), which lists all supported commands for all the mentioned switch models, including the commands regarding SSL certificates and especially for import:
crypto certificate import
To import a certificate signed by Certification Authority for HTTPS, use the crypto certificate import command in global configuration mode.
But on my SPS2024 device, executing that command results in the following output:
switch(config)# crypto certificate 1 import
% Unrecognized command
I am returning to this old thread, which I opened back then, as I have looked into this more.
- The command "crypto certificate 1 import pkcs12 WORD" is not documented at all. I have not found anything about it anywhere.
- Inside the documentation there is only the classic certificate import command "crypto certificate 1 import", without asking for a pkcs12 password or similar, but of course this command is not available in the SPS switch software.
On the other hand, I have tried to work with the available command "crypto certificate 1 import pkcs12". As I understand from the Cisco ASA command reference, where a similar command is used, this command expects a pkcs12 password (at least eight characters) followed by the base64-formatted pkcs12 certificate pack.
So I decided to do the following:
- created a key (in the switch, using "crypto certificate 2 generate key-generate")
- created a certificate signing request (again within the switch, using "crypto certificate 2 request")
- had this request signed by my certification authority
- converted the resulting certificate into pkcs12 form (of course without the key, as it still remains in the switch store with no way to extract it)
- converted the pkcs12 file with base64 encoding
- and finally tried to import it in the switch software
but the only thing I get after the import is the error message "SSL can't import certifcate and key - check that passphrase was correct."
So I decided to try the following:
- created a key and certificate signing request, both externally, not within the switch, and signed that CSR with my CA
- exported both key and certificate into pkcs12 format with a password longer than seven characters
- converted the pkcs12 certificate into base64 format
- and finally tried to import it using the mentioned switch command, but again got the same error message.
There is possibly another way to manage the switch certificate: using the RADLAN-SSL SNMP MIB structure. But all my attempts to modify "rlSslCertificateImportTable" using snmpset resulted in an error that this structure is not modifiable (even though it should be according to the MIB definition and my "DefaultSuper" RW permission). So now I am completely lost.
Of course there is no way to manage SSL certificates using the Web GUI.
My questions are:
- What am I doing wrong? Even if this command is undocumented, there is a chance that it is working. But I am not sure whether it is working correctly.
- Is there anyone who has run into the same issue on the SPS2024 switch and found a way to do it?
My only surprise is that the older SRW224G4 switches have working certificate import functionality inside the hidden CLI interface, but here on the SPS2024, where the CLI is officially included, this support lacks documentation and the ability to work.
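The second procedure described above (external key and CSR, CA signature, key+certificate packed into PKCS#12 with an eight-character-or-longer passphrase, then base64 encoding), as an added example that is not part of the original thread and not a Cisco procedure. It uses OpenSSL only; the throwaway CA, the CN "sw.localdomain", the passphrase and the file names are constructed for the example. It also adds one step the thread does not mention: verifying locally that the base64 text decodes and that the bundle opens with the passphrase, which separates a packaging error on the workstation from a parsing limitation on the device.

```shell
#!/bin/sh
# Build a base64-encoded PKCS#12 bundle (private key + CA-signed certificate)
# and check it opens with its passphrase before pasting it into any device CLI.
set -eu

# Constructed example values; override them from the environment if needed.
SW_CN="${SW_CN:-sw.localdomain}"
P12_PASS="${P12_PASS:-changeit123}"   # eight or more characters, as the thread notes

build_pkcs12_bundle() {
    workdir="$1"
    mkdir -p "$workdir"
    # 1. A throwaway CA standing in for the poster's own certification authority.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=Test Lab CA" \
        -keyout "$workdir/ca.key" -out "$workdir/ca.crt" 2>/dev/null
    # 2. Device key and CSR generated externally (the second attempt in the thread).
    openssl req -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=$SW_CN" \
        -keyout "$workdir/sw.key" -out "$workdir/sw.csr" 2>/dev/null
    # 3. Sign the CSR with the CA.
    openssl x509 -req -in "$workdir/sw.csr" -sha256 -days 365 \
        -CA "$workdir/ca.crt" -CAkey "$workdir/ca.key" -CAcreateserial \
        -out "$workdir/sw.crt" 2>/dev/null
    # 4. Pack key + certificate + CA chain into PKCS#12. The PBE and MAC
    #    algorithms are pinned to the older SHA1/3DES set on the assumption
    #    that 2011-era firmware cannot parse the AES-256/SHA-256 defaults of
    #    OpenSSL 3; both sets are accepted by OpenSSL 1.1 and 3.x.
    openssl pkcs12 -export \
        -inkey "$workdir/sw.key" -in "$workdir/sw.crt" -certfile "$workdir/ca.crt" \
        -name "$SW_CN" -passout "pass:$P12_PASS" \
        -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1 \
        -out "$workdir/sw.p12"
    # 5. Base64-encode the binary bundle for pasting into a text console.
    openssl base64 -in "$workdir/sw.p12" -out "$workdir/sw.p12.b64"
    echo "$workdir/sw.p12.b64"
}

# Decode the base64 text and open the bundle with the given passphrase.
# Exit status 0 means the MAC verified and the key decrypted; a wrong
# passphrase fails here, reproducing the "check that passphrase" failure
# class on the workstation instead of on the switch.
verify_pkcs12_bundle() {
    b64file="$1"
    pass="$2"
    openssl base64 -d -in "$b64file" -out "$b64file.bin"
    openssl pkcs12 -in "$b64file.bin" -noout -passin "pass:$pass" 2>/dev/null
}
```

Usage: `out=$(build_pkcs12_bundle "$(mktemp -d)")` prints the path of the base64 file, and `verify_pkcs12_bundle "$out" "$P12_PASS"` confirms it before the text is pasted after the device's passphrase prompt. If the local check passes and the device still reports a passphrase error, the remaining variables are on the device side (accepted PBE algorithms, maximum paste length, line wrapping of the base64 text), not in the bundle itself.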