06-14-2016 04:30 AM
Hi
I have an SG300-28 on which I am trying to import an SSL Certificate, Private Key and Public Key, but I can't get it to work.
Information about the SG300-28:
HW VID=02
Active Firmware = 1.4.5.02
Boot Version = 1.3.5.06
I am using the CLI, because the GUI has issues with certificates which are long (the actual text inside the cert), in which the GUI just clips the pasted text.
If I run:
crypto certificate 2 import
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAnhChmJH/KkhHJO9JAdWmUvi7EQSc03CYpZmOasAUhZFjdjvm (clipped actual text)
-----END RSA PRIVATE KEY-----
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnhChmJH/KkhHJO9JAdWm (clipped actual text)
-----END PUBLIC KEY-----
-----BEGIN CERTIFICATE-----
MIIF/TCCBOWgAwIBAgIQUHknZOKEMNFLLCkD1nt3vDANBgkqhkiG9w0BAQsFADB4 (clipped actual text)
-----END CERTIFICATE-----
I get the following error:
Wrong public key header format
After carefully reading the manual, I see that the CLI crypto certificate import function expects the PUBLIC KEY header to actually be "BEGIN RSA PUBLIC KEY", even though that is not how a public key should be formatted.
Trying again with edited PUBLIC KEY header:
crypto certificate 2 import
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAnhChmJH/KkhHJO9JAdWmUvi7EQSc03CYpZmOasAUhZFjdjvm (clipped actual text)
-----END RSA PRIVATE KEY-----
-----BEGIN RSA PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnhChmJH/KkhHJO9JAdWm (clipped actual text)
-----END RSA PUBLIC KEY-----
-----BEGIN CERTIFICATE-----
MIIF/TCCBOWgAwIBAgIQUHknZOKEMNFLLCkD1nt3vDANBgkqhkiG9w0BAQsFADB4 (clipped actual text)
-----END CERTIFICATE-----
I get the following error:
Failed to load public key
If I try to omit the PUBLIC KEY completely:
crypto certificate 2 import
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAnhChmJH/KkhHJO9JAdWmUvi7EQSc03CYpZmOasAUhZFjdjvm (clipped actual text)
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIIF/TCCBOWgAwIBAgIQUHknZOKEMNFLLCkD1nt3vDANBgkqhkiG9w0BAQsFADB4 (clipped actual text)
-----END CERTIFICATE-----
I get the following error:
SSL saved private key did not match the imported certificate.
Information about the Certificate:
Certificate CSR was generated on a Mac, running Mac OS X 10.10.5 Yosemite, with OpenSSL 0.9.8zg
CSR and Key generated using the following command:
openssl req -new -newkey rsa:2048 -nodes -out sg300.csr -keyout sg300.key -subj "/C=DK/ST=Jylland/L=Hedensted/O=Hazenet/OU=Home/CN=sg300.hazenet.dk"
The CSR was signed at StartSSL, using their free Class 1 service.
Does anybody know how to get this to work?
Either in CLI or in GUI.
I would prefer to be able to import this certificate, and not need to generate a new certificate on the actual SG300 switch, using the GUI or CLI.
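Added example, not part of the original post and not Cisco's code: "BEGIN PUBLIC KEY" holds an X.509 SubjectPublicKeyInfo, while "BEGIN RSA PUBLIC KEY" holds the bare PKCS#1 RSAPublicKey nested inside it, so renaming the header alone leaves a body that still starts with MIIBIjAN... under the wrong label. The sketch below unwraps the inner structure and re-encodes it; all function names and the sample key are constructed for illustration, and the thread does not confirm what the switch accepts.

```python
import base64
RSA_OID = bytes.fromhex("06092a864886f70d010101")  # rsaEncryption, 1.2.840.113549.1.1.1

def read_tlv(buf, pos, tag):
    """Return (value, next_pos) of the DER element at pos after checking its tag."""
    if pos + 2 > len(buf) or buf[pos] != tag:
        raise ValueError(f"expected DER tag {tag:#04x} at offset {pos}")
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return buf[pos:pos + length], pos + length

def tlv(tag, value):
    """DER-encode one element; only needed to build the constructed sample key."""
    n = len(value)
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x80 | len(size)]) + size) + value

def pem(label, der):
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

def unpem(text, label):
    begin, end = f"-----BEGIN {label}-----", f"-----END {label}-----"
    if begin not in text or end not in text:
        raise ValueError(f"no {label} block found")
    return base64.b64decode("".join(text.split(begin, 1)[1].split(end, 1)[0].split()))

def spki_to_pkcs1(spki_pem):
    """Re-wrap a 'PUBLIC KEY' (SubjectPublicKeyInfo) block as 'RSA PUBLIC KEY' (PKCS#1)."""
    spki, _ = read_tlv(unpem(spki_pem, "PUBLIC KEY"), 0, 0x30)
    alg, pos = read_tlv(spki, 0, 0x30)     # AlgorithmIdentifier
    bits, _ = read_tlv(spki, pos, 0x03)    # BIT STRING holding the RSAPublicKey
    if not alg.startswith(RSA_OID) or bits[:1] != b"\x00":
        raise ValueError("not an RSA SubjectPublicKeyInfo")
    read_tlv(bits, 1, 0x30)                # inner value must itself be a SEQUENCE
    return pem("RSA PUBLIC KEY", bits[1:])

# Constructed sample, not a real key: a 2048-bit odd number as modulus, e = 65537.
_n = tlv(0x02, b"\x00" + ((1 << 2047) | 1).to_bytes(256, "big"))
SAMPLE_PKCS1_DER = tlv(0x30, _n + tlv(0x02, b"\x01\x00\x01"))
SAMPLE_SPKI_PEM = pem("PUBLIC KEY", tlv(0x30, tlv(0x30, RSA_OID + b"\x05\x00")
                                         + tlv(0x03, b"\x00" + SAMPLE_PKCS1_DER)))

if __name__ == "__main__":
    print(SAMPLE_SPKI_PEM + spki_to_pkcs1(SAMPLE_SPKI_PEM))
```

For a 2048-bit key the converted block starts with MIIBCgKCAQEA, which is a quick way to tell a real PKCS#1 public key from a relabelled SubjectPublicKeyInfo.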
01-28-2017 11:33 PM
This makes you wonder how Cisco ever managed to create a certificate to verify that this functionality actually works...
Please see here: Three years old but still this is the most current information on this topic. Please provide feedback there if phlafeil's instructions do or do not work for you!
Alternatively, you can create a CSR on the device and sign that. Importing the resulting certificate also works on the SG300 series.
You should also consider disabling HTTPS on those devices. SSL encryption (especially with key sizes > 1024bit) slows the web interface down.
09-25-2023 12:07 PM
Hello @Dirk Dittert,
Thanks for your link. It also helped me with the CBS350 series switch. Really poor implementation of the certificate import. I do not understand why the GUI is forcing users to copy-paste the certificates in text form while it would be more effective to have the possibility of importing PKCS#12/PFX certificates as one single file processed internally.