SG300-28 Importing Self-Signed SHA2 Certificate For SSL (Which format? How?)

chgu00001
Level 1

1. What format should a certificate and private key combo have when importing it for SSL-usage?

2. How do you actually import it - either via CLI or the web interface.

 

I'm trying to import a self-signed SSL certificate into the SG300-28 to secure the connection to the web interface of the switch. The certificate is signed by my own "Certificate Authority" / custom root certificate.

I've tried doing so via the web management GUI (Security > SSL Server > SSL Server Authentication) and the command line via SSH. I'll detail my exact process below. I've had no problem importing a certificate created in the same way to the Cisco RV320 router, though the web interface is different.

How do you create a certificate that is accepted by the switch?

Firmware Version (Active Image): 1.4.0.88

My Process:

  1. OpenSSL 1.0.1f 6 Jan 2014; on an ubuntu 14.04 machine
  2. Create my own, self signed root certificate:
openssl genrsa -out rootCA.key 2048
openssl req -x509 -new -nodes -key rootCA.key -days 3650 -out rootCA.pem

 

3. Create a private key and the actual certificate and sign them using the rootCA.pem:

openssl genrsa -out switch.key 2048
openssl req -new -key switch.key -out switch.csr
openssl x509 -req -in switch.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out switch.crt -days 3500

 

For later use, I export the public key from the switch.key-file using

openssl rsa -in switch.key -pubout > switch.pubkey

 

4. Open the switch's web interface and navigate to the SSL settings (Security > SSL Server > SSL Server Authentication).

4.1 Click 'Import Certificate'

4.2 paste the contents of the switch.crt file into the 'Certificate:'-textbox

4.3 enabling Import RSA Key-Pair

4.4 pasting the contents of the switch.pubkey-file into the Public Key box

4.5 selecting the 'Plaintext' radiobutton and pasting the contents of switch.pubkey into it

4.6 Click 'Apply'

4.7 Receive an 'Invalid key header' error message.

 

The private key looks like this (obviously, I've created a new one for this example):

-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEA3gOvNzKqULXnT7zL9fl4KJAZMo5eYHfwPSN0wl385na37oHz
[23 more lines truncated]
aB7Pooa60anjIVJmlSIp4WJ8U+52BMKJZ5rqHnJ1sBBo1zpAtcdspg==
-----END RSA PRIVATE KEY-----

 

I also receive an Invalid key header error when trying to import the private key via SSH/CLI using:

switch(config)#crypto key import rsa

I also converted the certificate and the private key to PKCS12 and then back to PEM which gives me the following private key 'header' which still is not accepted when pasting into the CLI:

Bag Attributes
    localKeyID: FE 24 88 34 66 BE E9 DB CE 4E 91 23 2C 0E 03 B1 A7 58 32 24 
Key Attributes: <No Attributes>
-----BEGIN PRIVATE KEY-----
MIIEvgIBA[...]
-----END PRIVATE KEY-----

 

What key header am I missing/what am I doing wrong in general?

Michal Bruncko
Level 4

Hi

> I also receive an Invalid key header error when trying to import the private key via SSH/CLI

Whether you are importing a certificate or a key, you have to paste only the section within (and including) the BEGIN and END lines. I.e. for a private key you should import:

-----BEGIN PRIVATE KEY-----
MIIEvgIBA[...]
-----END PRIVATE KEY-----

nothing before/after that part.

And same is true for WebGUI certificate import - there is also one mention: "When a Certificate and/or a Key is entered, it should contain the "BEGIN" and "END" markers."

Thanks for your reply!

I'm aware that the BEGIN and END lines are required, and so I always included them, see my entire command line below:

switch#config
switch(config)#crypto key import rsa
Please paste the input now, add a period (.) on a separate line after the input
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEA3gOvNzKqULXnT7zL9fl4KJAZMo5eYHfwPSN0wl385na37oHz
[...]
aB7Pooa60anjIVJmlSIp4WJ8U+52BMKJZ5rqHnJ1sBBo1zpAtcdspg==
-----END RSA PRIVATE KEY-----
.
Key header is missing
switch(config)#

I thought it may be related to the key length, but importing a 1024-bit RSA key yields the same "Key header is missing" error.

It seems that the "crypto key import rsa" command is not suited for importing SSL-related private keys, but is instead for importing SSH keys. The "Key header is missing" code means that the switch is expecting something other than "-----BEGIN RSA PRIVATE KEY-----", for example the headers you can see after executing "show crypto keys rsa" (---- BEGIN SSH2 ENCRYPTED PRIVATE KEY ----).

In order to get your SSL certificate installed you have two options:

CLI Option:

  • Create an RSA private key with the command
    switch(config)#crypto certificate 2 generate key-generate 1024
  • Create a certificate request with
    switch#crypto certificate 2 request
    (Do not forget to supply all the information needed for that command, including "cn" and so on.) Be aware that this command needs to be executed in privileged mode and not in configuration mode like the previous command.
  • After executing that command you will get a certificate signing request (CSR). Copy and paste it into a new file on the server which hosts your certification authority.
  • Now sign that CSR file with the command that you already used:
    openssl x509 -req -in switch.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out switch.crt -days 3500
  • After signing, simply open the "switch.crt" file and copy all content between the BEGIN and END lines, including those lines.
  • Import that certificate with the command
    switch(config)#crypto certificate 2 import
  • Finally, to make your certificate active, use the following command:
    switch(config)#ip https certificate 2

WebGUI option:

Here the procedure is similar to the CLI:

  • Click on "Generate certificate request" in the "Security -> SSL Server -> SSL server authentication" section, fill in all necessary data and click "Generate certificate request".
  • You will get CSR-related data, which you have to paste onto the server with the CA certificate.
  • Sign that certificate with an openssl command similar to the one mentioned before.
  • Import the certificate, keeping "Import RSA Key-Pair" unchecked.

Personally I never managed to import both the key and the certificate from an external source.

I followed your instructions for the CLI and it worked perfectly. Thank you very much!
 

Dirk Dittert
Level 1

I'm sorry to hear that you seem to have a very similar problem as I did. Unfortunately, Cisco only cares about customers within their support period and will not accept bug reports after that. Back then, I was so pissed about all the time I spent figuring out what was broken with their SSL setup that I didn't update my forum thread with the solution I found:

https://supportforums.cisco.com/discussion/12193976/please-improve-openssl-compatibility-ssl

Last time I did this, there were the following pitfalls with this procedure:

  • Everything needs to be in PEM format. PKCS12 does not work. SHA-2 certificates might not be accepted at all by the switch. But don't worry, it will not tell you that fact in an understandable way.
  • The headers (BEGIN RSA PUBLIC KEY) must be exactly the same as in the output the Cisco switch generates. The headers provided by OpenSSL do not work.
  • Formatting has to be exactly as the Cisco switch expects it. Unfortunately, I don't remember which one it was: it could have been joining all lines of the key/cert into a single line. But I believe it was breaking them up at the line length the Cisco also outputs them. I believe OpenSSL outputs 64 characters per line whereas the Cisco expects 80?

Sorry for being that vague but I just don't remember exactly anymore. I have only done this for SHA-1 certificates.

Everything is far more complicated than on the other devices where I set this up for no good reason. Why not just upload a PKCS12 file and be done with it?

 

Hope that helps!
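
An added example, not part of any post in this thread: a Python check that reports what a pasted blob actually contains, covering the points raised above (text outside the BEGIN/END lines such as "Bag Attributes", the header label, whether the key body is PKCS#1 or PKCS#8, and the line width). The sample blobs are constructed filler carrying only the leading DER fields, not real keys, and `der_kind`, `inspect_paste` and `make_sample` are names chosen for this example.

```python
import base64
import re

# PEM armour as OpenSSL writes it: five dashes around "BEGIN <label>".
PEM_RE = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.S)

def der_kind(der: bytes) -> str:
    """Guess the private-key container from the leading DER fields."""
    if len(der) < 4 or der[0] != 0x30:          # outer SEQUENCE expected
        return "not DER"
    # Skip the SEQUENCE length: short form, or 0x8n followed by n bytes.
    i = 2 + (der[1] & 0x7F if der[1] & 0x80 else 0)
    if der[i:i + 3] != b"\x02\x01\x00":         # INTEGER version 0
        return "other"
    nxt = der[i + 3:i + 4]
    if nxt == b"\x02":                          # next INTEGER is the modulus
        return "PKCS#1 RSAPrivateKey"
    if nxt == b"\x30":                          # AlgorithmIdentifier SEQUENCE
        return "PKCS#8 PrivateKeyInfo"
    return "other"

def inspect_paste(text: str) -> dict:
    """Describe a pasted blob; makes no claim about what a device accepts."""
    m = PEM_RE.search(text)
    if not m:
        return {"label": None}
    body = m.group(2).splitlines()
    return {
        "label": m.group(1),
        "kind": der_kind(base64.b64decode("".join(body))),
        "stray_before": text[:m.start()].strip() != "",
        "stray_after": text[m.end():].strip() != "",
        "line_width": max(len(line) for line in body),
    }

def make_sample(der_head: bytes, label: str, width: int = 64) -> str:
    """Constructed sample: real leading DER fields, zero filler, no key."""
    b64 = base64.b64encode(der_head + bytes(90)).decode()
    rows = [b64[i:i + width] for i in range(0, len(b64), width)]
    return "\n".join([f"-----BEGIN {label}-----", *rows, f"-----END {label}-----", ""])

PKCS1 = make_sample(bytes.fromhex("308204a40201000282010100"), "RSA PRIVATE KEY")
PKCS8 = ("Bag Attributes\nKey Attributes: <No Attributes>\n"
         + make_sample(bytes.fromhex("308204be020100300d"), "PRIVATE KEY"))

if __name__ == "__main__":
    for name, blob in (("PKCS1", PKCS1), ("PKCS8 with bag text", PKCS8)):
        print(name, inspect_paste(blob))
```

A blob that uses the four-dash "---- BEGIN SSH2 ... ----" style shown by "show crypto keys rsa" is reported with `label` set to `None`, since it is not OpenSSL-style PEM armour.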

guyhalestorm
Level 1

I knew there had to be a way to make the GUI work, and I finally figured it out. I know you've marked this as answered, but in case someone wants to use the GUI, I wrote up how to fix it here: https://severehalestorm.net/?p=54. Hope someone finds it helpful!

Thanks! This fixed my problem.