05-03-2014 02:39 PM
It would be nice if CSRs generated through the web interface were compliant with OpenSSL.
The problem is that CSRs can not be parsed by OpenSSL the way that they are shown in the HTML page:
openssl req -in csr.txt -noout -text says:
unable to load X509 request
139838211532448:error:0906D064:PEM routines:PEM_read_bio:bad base64 decode:pem_lib.c:805:
The reason for this is simple: OpenSSL expects the CSR to be wrapped after 64 characters but the SG300 generates them in a single line. Manually rewrapping the CSR allowed me to process the CSR in OpenSSL – but that's a fact that took about 8h to figure out...
Also: I was not able to import a public/private key combination that was generated through OpenSSL. One of the reasons is that the SG300 expects the banner for the public key to be BEGIN RSA PUBLIC KEY whereas OpenSSL seems to use BEGIN PUBLIC KEY. Even after fixing the header, all I managed to get was Failed to load public key. Finally, I gave up trying and used the CSR way to install the certificate. It would be great if the SSL handling were a little smoother. Thanks!
Firmware version is 1.3.7.18
05-05-2014 03:41 AM
Hello Dirk,
Your best bet for something like this would be to give us a call and ask to open a support case. Give the technician a link to this post and ask for an escalation for a feature request/bug. I can't guarantee what will be done about it, it may be working as intended, but I can get it to the right people.
Cisco Small Business Support Center Contact Numbers
Thank you for choosing Cisco,
Christopher Ebert - Network Support Engineer
Cisco Small Business Support Center
05-14-2014 03:45 AM
I'm sorry, I can't do that. I just got a nice strong kick in the butt for spending some extra time trying to help Cisco improve its products:
07-25-2016 04:56 AM
To import a public/private key combination that was generated through OpenSSL, you need to transform them a little bit.
1) Extract the public key using the following command:
openssl rsa -in cert.pem -RSAPublicKey_out -out rsapubkey.pem
It will generate a banner using BEGIN RSA PUBLIC KEY
2) From a hex editor, using the RSA public key PEM file:
Remove all 0a characters BUT
○ The one just after -----BEGIN RSA PUBLIC KEY-----
○ The one just before -----END RSA PUBLIC KEY-----
(remove the last 0a character too)
3) Extract the plain-text RSA private key from the PEM file using the following command:
openssl rsa -in cert.pem -out rsakey.pem
It will generate a banner using BEGIN RSA PRIVATE KEY
4) From a hex editor, using the RSA plain-text private key PEM file:
Remove all 0a characters BUT
○ The one just after -----BEGIN RSA PRIVATE KEY-----
○ The one just before -----END RSA PRIVATE KEY-----
(remove the last 0a character too)
5) Just copy/paste the updated file contents into the Cisco web interface
For the certificate itself, from a hex editor, using the PEM file:
- Remove everything before -----BEGIN CERTIFICATE-----
- Remove everything after -----END CERTIFICATE-----
(remove the last 0a character too, but keep all 0a characters between the 2 previous tags. There is one every 64 characters)
After all this stuff, it should work! (it worked for me)
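The hex-editor edits from the steps above and the 64-character rewrap from the first post can be scripted; this is an added Python example, not part of the original thread or of Cisco's tooling. The function names and the filler body are constructed for illustration.

```python
import re

# One PEM block: BEGIN line, body, END line carrying the same label.
PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.DOTALL)
BASE64_RE = re.compile(r"[A-Za-z0-9+/]+={0,2}")


def pem_body(text, label):
    """Return the base64 body of the first `label` block, whitespace removed.

    Text outside the block (for example attribute lines in front of a
    certificate) is ignored. LF and CRLF line endings are both handled.
    """
    for match in PEM_RE.finditer(text):
        if match.group(1) == label:
            body = "".join(match.group(2).split())
            if not BASE64_RE.fullmatch(body):
                # Header lines such as "Proc-Type: 4,ENCRYPTED" end up here:
                # the key is still passphrase-protected, not plain text.
                raise ValueError(f"{label} body is not plain base64")
            return body
    raise ValueError(f"no {label} block found")


def to_single_line(text, label):
    """Key layout from steps 2 and 4: one body line, no trailing newline."""
    return f"-----BEGIN {label}-----\n{pem_body(text, label)}\n-----END {label}-----"


def to_wrapped(text, label, width=64):
    """Certificate/CSR layout: body in 64-character lines, no trailing newline."""
    body = pem_body(text, label)
    lines = [body[i:i + width] for i in range(0, len(body), width)]
    return "\n".join([f"-----BEGIN {label}-----", *lines, f"-----END {label}-----"])


# Constructed filler (160 base64 characters), not a real key or certificate.
SAMPLE_BODY = "QUJD" * 40

if __name__ == "__main__":
    csr = f"-----BEGIN CERTIFICATE REQUEST-----{SAMPLE_BODY}-----END CERTIFICATE REQUEST-----"
    # Single-line CSR rewrapped into the layout OpenSSL can parse.
    print(to_wrapped(csr, "CERTIFICATE REQUEST"))
    # OpenSSL-style wrapped key collapsed into the layout described in step 4.
    key = to_wrapped(csr.replace("CERTIFICATE REQUEST", "RSA PRIVATE KEY"), "RSA PRIVATE KEY")
    print(to_single_line(key, "RSA PRIVATE KEY"))
```

Step 3 writes the private key unencrypted, so rsakey.pem and any single-line copy of it should be deleted once the import has succeeded.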
09-25-2023 12:02 PM
Hello @phlafeil,
Thank you for sharing your experience/know-how with us. I have a CBS350 series switch and nothing has changed so far. Your method also works with this switch. I do not really understand why there is such a poor certificate input implementation. It is the first time I have experienced a GUI that wants users to copy-paste certificates. I would prefer the possibility of importing a PKCS#12 (PFX) certificate. I have one PFX certificate for multiple purposes (many different GUIs) and this is the worst implementation I have ever seen.
06-10-2024 04:24 AM
Did all the steps, but: SSL can't import certificate - conversion of input to certificate failed.
Why the heck is this so problematic??