Using wildcard certificate on dell switches

Question

Hi,

I've been trying to import our wildcard certificate to a Dell N4032F switch, but I keep getting the error

"Error! Cound not import the crypto Certificate" (Using CLI)

or

"Failed to import certificate" (Using HTTPS)

What am I doing wrong? I'm copy-pasting the content of the .crt file.

Hope you can help

moxom · Answer

Hi Daniel,

For now I'm trying to import it on a Dell N4032F switch.

Firmware version is 6.3.3.9

I've done it either by copy-pasting the certificate using HTTPS, or by issuing the command "crypto certificate 1 import", which tells me to paste the certificate followed by a ".". I have disabled HTTPS before issuing the command.

Its a wildcard x509 certificate:

root@web:/etc/apache2/ssl# openssl x509 -in mydomain.crt -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
37:21:bc:x5:eb:46:fe:a5:63:e4:25:96
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = BE, O = GlobalSign nv-sa, CN = AlphaSSL CA - SHA256 - G2
        Validity
            Not Before: Feb 12 09:14:49 2018 GMT
            Not After : Feb 13 09:14:49 2020 GMT
        Subject: OU = Domain Control Validated, CN = *.mydomain.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit

If this isn't the correct cert, which one should i get, to get rid of the security warning using https to the switches?

moxom · Answer

That's what I'm doing already, and it works.

Only problem is that my boss would like to get rid of the certificate warnings due to the self-signed certificate. Therefore, we would like to import our own certificate. Could you please help me do that, or tell me what's required to get it to work?

Thanks in advance

lazrtap · Answer

Recently I wanted to import a commercial wildcard certificate onto my Dell N3024 switch.

The documentation was not very helpful as it only contains information about generating a self-signed certificate or a certificate request to be signed by a Certificate Authority.

Since I wanted to use a certificate I already have I had come up with a way of importing that certificate.

These are the to files (certificate + private key) I've bought:

wildcard.crt

-----BEGIN CERTIFICATE-----
MIIGmDCCBYCgAwIBAgIQcmR+q4ihWi1sTWfLEFH1QjANBgkqhkiG9w0BAQsFADCB
[ some garbled text ]
DXz0omzVFR9ECGcc
-----END CERTIFICATE-----

private.key

In order to import them you have to have them on a server or an USB stick and copy them directly on the switch.

I've used a linux box in my network with the IP of 192.168.1.7
Both files were stored in /home/username dir:

/home/username/wildcard.crt
/home/username/private.key

Connect to the switch and login.
Copy the private key.

Note: The path points to the home directory of the user not the root of the filesystem.

n3024>en
Password:********

n3024#copy scp://username@192.168.1.7/private.key flash://sslt_key1.pem

Remote Password:*********

Transfer Mode.................................. SCP
Server IP Address.............................. 192.168.1.7
Source File Path............................... ./
Source Filename................................ private.key
Data Type...................................... Raw

Management access will be blocked for the duration of the transfer
Are you sure you want to start? (y/n) y

1679 bytes transferred

File transfer operation completed successfully.

Now copy the certificate:

n3024#copy scp://username@192.168.1.7/wildcard.crt flash://sslt_cert1.pem

Remote Password:*********

Transfer Mode.................................. SCP
Server IP Address.............................. 192.168.1.7
Source File Path............................... ./
Source Filename................................ wildcard.crt
Data Type...................................... Raw

Management access will be blocked for the duration of the transfer
Are you sure you want to start? (y/n) y

2346 bytes transferred

File transfer operation completed successfully.

The last thing you have to do is to enable HTTPS with that certificate:

n3024#config

n3024(config)#ip http secure-certificate 1

n3024(config)#ip http secure-server

n3024(config)#exit

n3024#wr

This operation may take few minutes.
Management interfaces will not be available during this time.

Are you sure you want to save? (y/n) y

Configuration Saved!

No you can connect to https:// and verify if the certificate is properly configured.

You can have up to two cerificates installed on the switch.
If you want to add a second one just change the 1 in the sslt_*.pem filenames to 2, ie.:

copy scp://username@192.168.1.7/other_private.key flash://sslt_key2.pem
copy scp://username@192.168.1.7/other_wildcard.crt flash://sslt_cert2.pem

austin-t · Answer

### Self signed certificate method 10 year certificate
openssl req -x509 -newkey rsa:2048 -sha256 -keyout my.key -out my.crt -subj "/CN=domain.co.uk" -days 3650
openssl pkcs12 -export -name “domain.co.uk” -out my.pfx -inkey my.key -in my.crt
openssl pkcs12 -in my.pfx -clcerts -nokeys -out my.crt
openssl rsa -in my.key -out my-decrypted.key


### CA signed PFX certificate method
openssl pkcs12 -in domain.pfx -nocerts -out domain.key
openssl pkcs12 -in domain.pfx -clcerts -nokeys -out domain.crt
openssl rsa -in domain.key -out domain-decrypted.key

### On the switch
copy tftp://10.0.0.1/my-decrypted.key flash://sslt_key1.pem
copy tftp://10.0.0.1/my.crt flash://sslt_cert1.pem

config
ip http secure-certificate 1
no ip http secure-server
ip http secure-server

show ip http server secure status
show crypto certificate mycertificate #### Does nothing!!

Use Chrome to examine the cert now assigned to the switches https:// interface

Networking General

Using wildcard certificate on dell switches

Was this post helpful?