21 Posts

September 3rd, 2018 00:00

Using wildcard certificate on dell switches

Hi,

I've been trying to import our wildcard certificate to a Dell N4032F switch, but I keep getting the error

"Error! Cound not import the crypto Certificate" (Using CLI)

or

"Failed to import certificate" (Using HTTPS)

What am I doing wrong? I'm copy-pasting the content of the .crt file.

Hope you can help 

5 Practitioner • 274.2K Posts

September 4th, 2018 12:00

What kind of certificate are you trying to import? Which command are you running to import? What firmware is the switch running?

21 Posts

September 7th, 2018 02:00

Hi Daniel,

For now I'm trying to import it on a Dell N4032F switch.

Firmware version is 6.3.3.9

I've done it either by copy-pasting the certificate using HTTPS, or by issuing the command "crypto certificate 1 import", which tells me to paste the certificate followed by a ".". I have disabled HTTPS before issuing the command.

It's a wildcard X.509 certificate:

root@web:/etc/apache2/ssl# openssl x509 -in mydomain.crt -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            37:21:bc:x5:eb:46:fe:a5:63:e4:25:96 
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = BE, O = GlobalSign nv-sa, CN = AlphaSSL CA - SHA256 - G2
        Validity
            Not Before: Feb  12 09:14:49 2018 GMT
            Not After : Feb  13 09:14:49 2020 GMT
        Subject: OU = Domain Control Validated, CN = *.mydomain.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit

If this isn't the correct cert, which one should I get to get rid of the security warning when using HTTPS to the switches?

5 Practitioner • 274.2K Posts

September 7th, 2018 07:00

You should be able to use these commands to enable HTTPS and generate a certificate the switch can use.

  • console(config)# crypto certificate 1 generate
  • console(config-crypto-cert)#key-generate <512-2048>
  • console(config-crypto-cert)#exit
  • console(config)# ip http secure-certificate <1 - 2> Instance of the certificate to be activated.
  • console(config)# ip http secure-server

Here is the KB article: https://dell.to/2oNNCWH

If that doesn't work, could you please include a screenshot of the message you are receiving.

Thanks

21 Posts

September 12th, 2018 02:00

That's what I'm doing already, and it works.

Only problem is that my boss would like to get rid of the certificate warnings due to the self-signed certificate. Therefore, we would like to import our own certificate. Could you please help me do that, or tell me what's required to get it to work?

Thanks in advance

5 Practitioner • 274.2K Posts

September 12th, 2018 08:00

The command you are using to import is the correct command. Here are some other points to keep in mind.

-The imported certificate must be based on a certificate request created by the crypto certificate request Privileged Exec command.

-If the public key found in the certificate does not match the switch's SSL RSA key, the command fails.

-Certificates are validated on input. The system log will show any encountered certificate errors such as invalid format or if the certificate could not be validated against the switch private key. Invalid certificates are not imported. The signed certificate must contain the switch public key and match the RSA key on the switch and must be in X509 PEM text format.

Here are steps outlined by another community member on what worked for them.

https://dell.to/2p2UG1Y

"generated Key+CSR with OpenSSL in RSA 2048Bit SHA-256.The naming of the key on the switch is sslt_key1.pem and the cert is sslt_cert1.pem. Copy these files to flash:// and they override the existing ones, reload the website and it's working."

3 Posts

July 5th, 2019 00:00

Recently I wanted to import a commercial wildcard certificate onto my Dell N3024 switch.

The documentation was not very helpful as it only contains information about generating a self-signed certificate or a certificate request to be signed by a Certificate Authority.

Since I wanted to use a certificate I already have, I had to come up with a way of importing that certificate.

These are the two files (certificate + private key) I've bought:

wildcard.crt

-----BEGIN CERTIFICATE-----
MIIGmDCCBYCgAwIBAgIQcmR+q4ihWi1sTWfLEFH1QjANBgkqhkiG9w0BAQsFADCB
[ some garbled text ]
DXz0omzVFR9ECGcc
-----END CERTIFICATE-----

private.key

-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEArWzkKUGgps1yL2zP+FnSi/VHBwVwVwQhhEasfft7Q8oq2AXQ
[ some garbled text ]
kHgiAa5fTAcMiDa3OfFiy5cuDxlYTI3PpvxXGRVgM2vw+61Qof47fA==
-----END RSA PRIVATE KEY-----

In order to import them you have to have them on a server or a USB stick and copy them directly onto the switch.

I've used a linux box in my network with the IP of 192.168.1.7
Both files were stored in /home/username dir:

/home/username/wildcard.crt
/home/username/private.key

Connect to the switch and login.
Copy the private key.

Note: The path points to the home directory of the user not the root of the filesystem.

n3024>en
Password:********

n3024#copy scp://username@192.168.1.7/private.key flash://sslt_key1.pem

Remote Password:*********

Transfer Mode.................................. SCP
Server IP Address.............................. 192.168.1.7
Source File Path............................... ./
Source Filename................................ private.key
Data Type...................................... Raw

Management access will be blocked for the duration of the transfer
Are you sure you want to start? (y/n) y

1679 bytes transferred

File transfer operation completed successfully.

Now copy the certificate:

n3024#copy scp://username@192.168.1.7/wildcard.crt flash://sslt_cert1.pem

Remote Password:*********

Transfer Mode.................................. SCP
Server IP Address.............................. 192.168.1.7
Source File Path............................... ./
Source Filename................................ wildcard.crt
Data Type...................................... Raw

Management access will be blocked for the duration of the transfer
Are you sure you want to start? (y/n) y

2346 bytes transferred

File transfer operation completed successfully.

The last thing you have to do is to enable HTTPS with that certificate:

n3024#config

n3024(config)#ip http secure-certificate 1

n3024(config)#ip http secure-server

n3024(config)#exit

n3024#wr

This operation may take few minutes.
Management interfaces will not be available during this time.

Are you sure you want to save? (y/n) y

Configuration Saved!

Now you can connect to https:// and verify that the certificate is properly configured.

You can have up to two certificates installed on the switch.
If you want to add a second one, just change the 1 in the sslt_*.pem filenames to 2, i.e.:

copy scp://username@192.168.1.7/other_private.key flash://sslt_key2.pem
copy scp://username@192.168.1.7/other_wildcard.crt flash://sslt_cert2.pem

84 Posts

December 8th, 2022 03:00

### Self-signed certificate method (10-year certificate)
openssl req -x509 -newkey rsa:2048 -sha256 -keyout my.key -out my.crt -subj "/CN=domain.co.uk" -days 3650
openssl pkcs12 -export -name "domain.co.uk" -out my.pfx -inkey my.key -in my.crt
openssl pkcs12 -in my.pfx -clcerts -nokeys -out my.crt
openssl rsa -in my.key -out my-decrypted.key


### CA signed PFX certificate method
openssl pkcs12 -in domain.pfx -nocerts -out domain.key
openssl pkcs12 -in domain.pfx -clcerts -nokeys -out domain.crt
openssl rsa -in domain.key -out domain-decrypted.key

### On the switch
copy tftp://10.0.0.1/my-decrypted.key flash://sslt_key1.pem
copy tftp://10.0.0.1/my.crt flash://sslt_cert1.pem

config
ip http secure-certificate 1
no ip http secure-server
ip http secure-server

show ip http server secure status
show crypto certificate mycertificate #### Does nothing!!

Use Chrome to examine the cert now assigned to the switches https:// interface

(screenshot omitted: austint_0-1670498901406.png, the certificate details as shown in Chrome)
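Added example, not code from this thread or from Dell: a pre-flight check you can run on the management host before copying the files to flash://, covering the three requirements the thread converges on. The certificate's public key must match the private key (the earlier reply: "If the public key found in the certificate does not match the switch's SSL RSA key, the command fails"), the key must be the unencrypted PKCS#1 "RSA PRIVATE KEY" PEM that `openssl rsa -in ... -out ...` produces from the passphrase-protected key in the methods above, and the files should hold nothing but the PEM block (the `openssl pkcs12 -clcerts -nokeys` step prefixes its output with "Bag Attributes" lines; whether the switch tolerates them is not stated in the thread, so the script flags them). In practice the key comparison is `openssl x509 -noout -modulus -in wildcard.crt` against `openssl rsa -noout -modulus -in private.key`; this script is a standard-library stand-in for hosts without openssl. The minimal DER walker, the PEM regex and the sample builders are my own and assume well-formed input; the sample "certificate" is an unsigned, cert-shaped placeholder built inside the script, not a real certificate, and the sample key's CRT fields are dummies.

```python
"""Pre-flight checks for a PEM certificate/key pair before it goes to the switch.
Standard library only; a stand-in for `openssl x509/rsa -noout -modulus`."""
import base64
import re

SEQ, INT, BITS, CTX0 = 0x30, 0x02, 0x03, 0xA0
PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)

def der_read(buf, pos=0):
    """Read one DER TLV at pos; return (tag, content, position after it). Trusts its input."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(content):
    """Split a constructed element's content into (tag, content) children."""
    out, pos = [], 0
    while pos < len(content):
        tag, value, pos = der_read(content, pos)
        out.append((tag, value))
    return out

def der_encode(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def der_int(value):
    # extra leading byte keeps the INTEGER non-negative when the top bit is set
    return der_encode(INT, value.to_bytes((value.bit_length() + 8) // 8, "big"))

def pem_blocks(text):
    """Return [{label, headers, der}] for every PEM block in text."""
    blocks = []
    for m in PEM_RE.finditer(text):
        lines = [l.strip() for l in m.group(2).splitlines()]
        headers = [l for l in lines if ":" in l]        # e.g. "Proc-Type: 4,ENCRYPTED"
        der = base64.b64decode("".join(l for l in lines if ":" not in l))
        blocks.append({"label": m.group(1), "headers": headers, "der": der})
    return blocks

def stray_text(text):
    """Lines outside every PEM block, e.g. the 'Bag Attributes' preamble openssl pkcs12 emits."""
    return [l for l in PEM_RE.sub("", text).splitlines() if l.strip()]

def rsa_key_modulus(der):
    # PKCS#1 RSAPrivateKey ::= SEQUENCE { version, modulus, publicExponent, ... }
    return int.from_bytes(der_children(der_read(der)[1])[1][1], "big")

def cert_modulus(der):
    tbs = der_children(der_children(der_read(der)[1])[0][1])   # tbsCertificate
    if tbs[0][0] == CTX0:                                     # optional [0] version
        tbs = tbs[1:]
    # serial, signature, issuer, validity, subject, subjectPublicKeyInfo
    bit_string = der_children(tbs[5][1])[1][1]                # leading byte = unused-bit count
    return int.from_bytes(der_children(der_read(bit_string[1:])[1])[0][1], "big")

def check_pair(cert_pem, key_pem):
    """Return a list of findings; an empty list means the pair looks importable."""
    findings, usable = [], []
    certs = [b for b in pem_blocks(cert_pem) if b["label"] == "CERTIFICATE"]
    if not certs:
        findings.append("no CERTIFICATE block found (DER or .pfx input?)")
    for b in pem_blocks(key_pem):
        if b["label"] == "ENCRYPTED PRIVATE KEY" or any("ENCRYPTED" in h for h in b["headers"]):
            findings.append("private key is passphrase-protected; strip it with 'openssl rsa -in k -out k-decrypted'")
        elif b["label"] != "RSA PRIVATE KEY":
            findings.append(f"key block is '{b['label']}', expected PKCS#1 'RSA PRIVATE KEY'")
        else:
            usable.append(b)
    for name, text in (("certificate", cert_pem), ("key", key_pem)):
        if stray_text(text):
            findings.append(f"{name} file has text outside the PEM markers: {stray_text(text)[0]!r}")
    if certs and usable and cert_modulus(certs[0]["der"]) != rsa_key_modulus(usable[0]["der"]):
        findings.append("certificate public key does not match the private key")
    return findings

# Constructed samples (NOT real credentials): an unsigned cert-shaped DER and a PKCS#1 key.
def to_pem(label, der, headers=()):
    b64 = base64.b64encode(der).decode()
    body = list(headers) + ([""] if headers else []) + [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(body) + f"\n-----END {label}-----\n"

def sample_cert_pem(n, e=65537):
    rsa_pub = der_encode(SEQ, der_int(n) + der_int(e))
    spki = der_encode(SEQ, der_encode(SEQ, b"") + der_encode(BITS, b"\x00" + rsa_pub))
    tbs = der_encode(SEQ, der_encode(CTX0, der_int(2)) + der_int(1) + der_encode(SEQ, b"") * 4 + spki)
    return to_pem("CERTIFICATE", der_encode(SEQ, tbs + der_encode(SEQ, b"") + der_encode(BITS, b"\x00")))

def sample_key_pem(n, e=65537, headers=()):
    fields = b"".join(der_int(v) for v in (0, n, e, 1, 1, 1, 1, 1, 1))   # CRT fields are dummies
    return to_pem("RSA PRIVATE KEY", der_encode(SEQ, fields), headers)

if __name__ == "__main__":
    n = (1 << 2047) | 0x10001                       # constructed 2048-bit modulus stand-in
    print(check_pair(sample_cert_pem(n), sample_key_pem(n)))       # []
    print(check_pair(sample_cert_pem(n), sample_key_pem(n + 2)))   # key-mismatch finding
```

To use it on real files, read wildcard.crt and private.key into strings and pass them to `check_pair`; an empty list means the pair passes the checks above, and each finding names the fix (decrypt the key, re-export as PEM, or strip the preamble) before you spend a transfer window on the switch, since management access is blocked for the duration of the copy.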
