
Catalyst C1200 - unable to import ZeroSSL certificate

jan-skocdopole
Level 1

Hello everyone,

I'm having trouble importing an SSL certificate to my Catalyst C1200, and I would greatly appreciate your help.

Goal / Motivation
I want to enable HTTPS access to my C1200 using a valid TLS certificate issued by a trusted certification authority. This way, I can avoid the net::ERR_CERT_AUTHORITY_INVALID error in my browser when accessing the web interface.

Device
Model: Cisco Catalyst C1200-48P-4X
Firmware: Latest version (4.1.3.36)

Preparation
Using my computer, I successfully requested a free domain-validated certificate from ZeroSSL via acme.sh with ACME-DNS validation. The certificate was issued for my switch’s domain name and uses RSA 2048 / SHA-256 as the signature algorithm.

I have the following files:

  • unencrypted private key
  • public key (extracted from the certificate using OpenSSL)
  • CA root certificate
  • fullchain certificate (includes the CA certificate, intermediate certificate, and the switch’s domain certificate in one file)

Problem
When I try to import the certificate via the web interface (Security > SSL Server > SSL Server Authentication Settings), I get an error:
"Failed to load public key"

I encountered a similar issue with a CBS350 (tried both web and SSH-based import) but eventually gave up. However, I expected better functionality from this newer model.

Has anyone successfully used a ZeroSSL or Let's Encrypt certificate on a CBS350/C1200/C1300? Any advice on resolving this issue would be greatly appreciated!

Thanks in advance!

4 Replies

@jan-skocdopole 

The process to install a certificate on a device usually starts with the CSR file creation on the device. When creating the CSR file, the private key is created.

Then, you export the CSR file to your CA and they sign the CSR file, thus creating the certificate. You can then import the certificate to your device.

Hello @jan-skocdopole ,

Take a look at the following video guide: zerossl certificate installation cisco switch. I think it's what you are looking for.

HTH

Regards, LG
*** Please Rate All Helpful Responses ***

jan-skocdopole
Level 1

Hello everyone,

Thank you for your help! The issue was related to the public key extraction process. When I extracted the key from the certificate, I got an incorrect result, but extracting it from the private key worked correctly.

I have one more question—do you have any recommendations on automating the process of pushing a new certificate to a switch? Since there is no ACME client or scripting option available for IOS, I can’t renew the certificate directly on the switch. However, I can renew the certificate for the switch’s domain name on my Linux server using the ACME-DNS challenge. The challenge, however, is that I still need to upload the renewed certificate manually.

Given that ZeroSSL certificates have a 90-day validity period and I need to manage this for dozens of switches, automation would be extremely helpful. Is there a way to streamline this process, perhaps via SSH?

I appreciate your advice.

Best regards,
Jan Skočdopole
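
A pre-import check for the situation described in the post above, as an added example that is not part of any post in this thread: it compares the public key derived from the private key with the one carried by a certificate file, and reports where in a chain file the matching certificate sits, since `openssl x509` reads only the first certificate in a file. The function names and sample file names are hypothetical, and the sample certificates are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): check that a certificate file matches a
# private key before importing it. Requires the openssl CLI.

# Public key (SubjectPublicKeyInfo PEM) derived from a private key file.
pub_from_key() { openssl pkey -in "$1" -pubout 2>/dev/null; }

# Public key of the FIRST certificate in a PEM file; openssl x509 ignores the rest.
pub_from_cert() { openssl x509 -in "$1" -noout -pubkey 2>/dev/null; }

# 0 if the first certificate in $2 carries the key in $1, 1 if not, 2 on read errors.
key_matches_cert() {
    k=$(pub_from_key "$1") || return 2
    c=$(pub_from_cert "$2") || return 2
    [ "$k" = "$c" ]
}

# Print the n-th certificate of a PEM bundle ($1 = file, $2 = n, 1-based).
nth_cert() { awk -v n="$2" '/-----BEGIN CERTIFICATE-----/ { i++ } i == n' "$1"; }

# Print the 1-based position of the certificate in bundle $2 that matches key $1.
cert_index_for_key() {
    k=$(pub_from_key "$1") || return 2
    total=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$2" 2>/dev/null || true)
    i=1
    while [ "$i" -le "${total:-0}" ]; do
        c=$(nth_cert "$2" "$i" | openssl x509 -noout -pubkey 2>/dev/null) || c=
        if [ "$k" = "$c" ]; then echo "$i"; return 0; fi
        i=$((i + 1))
    done
    return 1
}

# Constructed sample data: two unrelated self-signed RSA 2048 certificates stand
# in for a CA and the switch; only their public keys matter for this check.
make_samples() {
    for n in ca leaf; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$n.example.test" \
            -keyout "$1/$n.key" -out "$1/$n.crt" 2>/dev/null || return 1
    done
    cat "$1/ca.crt" "$1/leaf.crt" > "$1/ca-first.pem"   # CA ahead of the leaf
    cat "$1/leaf.crt" "$1/ca.crt" > "$1/leaf-first.pem" # leaf ahead of the CA
}
```

With the samples, `key_matches_cert leaf.key ca-first.pem` fails while `cert_index_for_key leaf.key ca-first.pem` prints 2, which is the case where a public key taken from a chain file belongs to a different certificate than the private key.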


You are welcome.

I know the issue, I have the same one with Let's Encrypt certificates, which also have 90 days availability. I am currently investigating a method of automating the process - I have a Linux server with Let's Encrypt certbot installed which renews certificates automatically for my domain. Once I figure it out, I will let you know.

Regards, LG
*** Please Rate All Helpful Responses ***