moxom

Using wildcard certificate on dell switches

Hi,

I've been trying to import our wildcard certificate to a Dell N4032F switch, but I keep getting the error

"Error! Cound not import the crypto Certificate" (Using CLI)

or

"Failed to import certificate" (Using HTTPS)

What am I doing wrong? I'm copy-pasting the content of the .crt file.

Hope you can help 

Anonymous

Re: Using wildcard certificate on dell switches

What kind of certificate are you trying to import? Which command are you running to import? What firmware is the switch running?

moxom

Re: Using wildcard certificate on dell switches

Hi Daniel,

For now I'm trying to import it on a Dell N4032F switch.

Firmware version is 6.3.3.9

I've done it either by copy-pasting the certificate using HTTPS, or by issuing the command "crypto certificate 1 import", which tells me to paste the certificate followed by a ".". I have disabled HTTPS before issuing the command.

It's a wildcard x509 certificate:

root@web:/etc/apache2/ssl# openssl x509 -in mydomain.crt -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            37:21:bc:x5:eb:46:fe:a5:63:e4:25:96 
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = BE, O = GlobalSign nv-sa, CN = AlphaSSL CA - SHA256 - G2
        Validity
            Not Before: Feb  12 09:14:49 2018 GMT
            Not After : Feb  13 09:14:49 2020 GMT
        Subject: OU = Domain Control Validated, CN = *.mydomain.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit

If this isn't the correct cert, which one should I get to get rid of the security warning when using HTTPS to the switches?

Anonymous

Re: Using wildcard certificate on dell switches

You should be able to use these commands to enable HTTPS and generate a certificate the switch can use.

  • console(config)# crypto certificate 1 generate
  • console(config-crypto-cert)#key-generate <512-2048>
  • console(config-crypto-cert)#exit
  • console(config)# ip http secure-certificate <1 - 2> Instance of the certificate to be activated.
  • console(config)# ip http secure-server

Here is the KB article: https://dell.to/2oNNCWH

If that doesn't work, could you please include a screenshot of the message you are receiving?

Thanks

moxom

Re: Using wildcard certificate on dell switches

That's what I'm doing already, and it works.

Only problem is that my boss would like to get rid of the certificate warnings due to the self-signed certificate. Therefore, we would like to import our own certificate. Could you please help me do that, or tell me what's required to get it to work?

Thanks in advance

Anonymous

Re: Using wildcard certificate on dell switches

The command you are using to import is the correct command. Here are some other points to keep in mind.

- The imported certificate must be based on a certificate request created by the crypto certificate request Privileged Exec command.

- If the public key found in the certificate does not match the switch's SSL RSA key, the command fails.

- Certificates are validated on input. The system log will show any encountered certificate errors such as invalid format or if the certificate could not be validated against the switch private key. Invalid certificates are not imported. The signed certificate must contain the switch public key and match the RSA key on the switch and must be in X509 PEM text format.

Here are steps outlined by another community member on what worked for them.

https://dell.to/2p2UG1Y

"generated Key+CSR with OpenSSL in RSA 2048Bit SHA-256. The naming of the key on the switch is sslt_key1.pem and the cert is sslt_cert1.pem. Copy these files to flash:// and they override the existing ones, reload the website and it's working."

lazrtap

Re: Using wildcard certificate on dell switches

Recently I wanted to import a commercial wildcard certificate onto my Dell N3024 switch.

The documentation was not very helpful as it only contains information about generating a self-signed certificate or a certificate request to be signed by a Certificate Authority.

Since I wanted to use a certificate I already had, I had to come up with a way of importing that certificate.

These are the two files (certificate + private key) I've bought:

wildcard.crt

-----BEGIN CERTIFICATE-----
MIIGmDCCBYCgAwIBAgIQcmR+q4ihWi1sTWfLEFH1QjANBgkqhkiG9w0BAQsFADCB
[ some garbled text ]
DXz0omzVFR9ECGcc
-----END CERTIFICATE-----

private.key

-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEArWzkKUGgps1yL2zP+FnSi/VHBwVwVwQhhEasfft7Q8oq2AXQ
[ some garbled text ]
kHgiAa5fTAcMiDa3OfFiy5cuDxlYTI3PpvxXGRVgM2vw+61Qof47fA==
-----END RSA PRIVATE KEY-----

In order to import them you have to have them on a server or a USB stick and copy them directly onto the switch.

I've used a Linux box in my network with the IP 192.168.1.7.
Both files were stored in the /home/username directory:

/home/username/wildcard.crt
/home/username/private.key

Connect to the switch and login.
Copy the private key.

Note: The path points to the home directory of the user not the root of the filesystem.

n3024>en
Password:********

n3024#copy scp://username@192.168.1.7/private.key flash://sslt_key1.pem

Remote Password:*********

Transfer Mode.................................. SCP
Server IP Address.............................. 192.168.1.7
Source File Path............................... ./
Source Filename................................ private.key
Data Type...................................... Raw

Management access will be blocked for the duration of the transfer
Are you sure you want to start? (y/n) y

1679 bytes transferred

File transfer operation completed successfully.

Now copy the certificate:

n3024#copy scp://username@192.168.1.7/wildcard.crt flash://sslt_cert1.pem

Remote Password:*********

Transfer Mode.................................. SCP
Server IP Address.............................. 192.168.1.7
Source File Path............................... ./
Source Filename................................ wildcard.crt
Data Type...................................... Raw

Management access will be blocked for the duration of the transfer
Are you sure you want to start? (y/n) y

2346 bytes transferred

File transfer operation completed successfully.

The last thing you have to do is to enable HTTPS with that certificate:

n3024#config

n3024(config)#ip http secure-certificate 1

n3024(config)#ip http secure-server

n3024(config)#exit

n3024#wr

This operation may take few minutes.
Management interfaces will not be available during this time.

Are you sure you want to save? (y/n) y

Configuration Saved!

Now you can connect to https://<switch_ip> and verify that the certificate is properly configured.

You can have up to two certificates installed on the switch.
If you want to add a second one, just change the 1 in the sslt_*.pem filenames to 2, i.e.:

copy scp://username@192.168.1.7/other_private.key flash://sslt_key2.pem
copy scp://username@192.168.1.7/other_wildcard.crt flash://sslt_cert2.pem

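As an added example (not from the thread or from Dell), a POSIX shell script to run on the Linux box before the copy; it checks the two files for the failure causes the replies above name: a single PEM block (no CA bundle), an unencrypted RSA key, a certificate whose public key matches that key, and a hostname the wildcard actually covers. It needs the openssl CLI; the file names and the switch hostname are assumptions passed on the command line.

```shell
#!/bin/sh
# Added example, not from the thread: pre-flight checks before copying a
# certificate and key to flash://sslt_cert1.pem and flash://sslt_key1.pem.

# Print how many PEM blocks in $1 carry a label matching the ERE in $2.
count_pem_blocks() {
    grep -Ec -- "^-----BEGIN ($2)-----" "$1" || true
}

# 0 if $1 is exactly one PEM certificate (a chain or DER/PKCS#12 fails).
is_single_pem_cert() {
    [ "$(count_pem_blocks "$1" 'CERTIFICATE')" -eq 1 ]
}

# 0 if $1 is one unencrypted RSA key in PKCS#1 or PKCS#8 PEM form.
is_single_pem_key() {
    [ "$(count_pem_blocks "$1" 'RSA PRIVATE KEY|PRIVATE KEY')" -eq 1 ] &&
        ! grep -q -- 'Proc-Type: 4,ENCRYPTED' "$1"
}

# 0 if the certificate's public key belongs to the private key, i.e. the
# "public key does not match the switch's RSA key" failure cannot happen.
cert_matches_key() {
    c=$(openssl x509 -in "$1" -noout -modulus) &&
    k=$(openssl rsa -in "$2" -noout -modulus -passin pass:) &&
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# 0 if the certificate covers hostname $2 (CN or SAN, wildcards included)
# and has not expired; the switch will serve it, but browsers still check.
cert_covers_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match' &&
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null
}

# Run every check on cert $1, key $2, hostname $3; one line per failure.
check_pair() {
    rc=0
    is_single_pem_cert "$1"    || { echo "$1: not a single PEM certificate"; rc=1; }
    is_single_pem_key "$2"     || { echo "$2: not a single unencrypted PEM RSA key"; rc=1; }
    cert_matches_key "$1" "$2" || { echo "public key in $1 does not match $2"; rc=1; }
    cert_covers_host "$1" "$3" || { echo "$1 does not cover $3 or is expired"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: copy $2 to flash://sslt_key1.pem, $1 to flash://sslt_cert1.pem"
    return "$rc"
}

# Usage (placeholders): sh precheck.sh wildcard.crt private.key sw1.mydomain.com
if [ $# -eq 3 ]; then check_pair "$1" "$2" "$3"; fi
```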