Connectrix Brocade B-Series: How to enable HTTPS web tools UI access on Brocade switches with self-signed certificates in Fabric OS 8.0.x and lower.
Summary: How to enable HTTPS web tools UI access on Brocade switches with self-signed certificates in Fabric OS 8.0.x and lower.
Symptoms
HTTPS access to the Web Tools UI can only be enabled once a valid certificate is installed on the switch.
Instead of obtaining an official certificate from a Certificate Authority (CA) or another vendor, you can create a self-signed certificate for internal use.
There are two issues with newer Fabric OS releases:
1. A defect, as described in the referenced article, prevents the use of the export and import function in Fabric OS 8.1.x.
2. In 8.2.x code, the command seccertutil is deprecated and replaced by the command seccertmgmt. For how to set up HTTPS on switches running Fabric OS 8.1.x and higher, see the article:
Connectrix Brocade B-Series: How to enable HTTPS web tools UI access on Brocade switches with self-signed certificates in Fabric OS 8.1.x and above.
To keep it simple, use seccertutil with FOS 8.0.x and below, and seccertmgmt with Fabric OS 8.1.2x and above.
For an explanation of seccertmgmt in Fabric OS 8.1.x and above, see the article:
"How to enable HTTPS web tools UI access on Brocade switches with self-signed certificates in Fabric OS 8.1.x and above."
Cause
Resolution
b. Use a third-party OpenSSL program installed on Windows, for example OpenSSL Light version 1.0.2 (32-bit) from Shining Light Productions.
c. Generate the private key by logging in to the switch as root and using the built-in OpenSSL binary.
In this example we use the simplest solution and generate the key on the switch, which requires root user access.
Both files (the private key and the CSR) are located in the directory /etc/fabos/certs/sw0.
This requires ROOT user access. CAUTION is advised: wrong use of root access may render the switch unusable.
The full example:
1. Log in to the switch as the root user and change to the certificate directory /etc/fabos/certs/sw0:
switch_55:FID55:root>
switch_55:FID55:root> cd /etc/fabos/certs/sw0
2. Check if you are in the correct directory:
switch_55:FID55:root> pwd
/etc/fabos/certs/sw0
switch_55:FID55:root>
3. Check if there is anything in the directory:
switch_55:FID55:root> ls
switch_55:FID55:root>
If there are, for example, old CSR and PEM files, they can be removed if needed with the rm <filename> command.
4. Generate the public-private key pair in interactive mode:
switch_55:FID55:root>
switch_55:FID55:root> seccertutil genkey
Generating a new key pair automatically does the following:
1. Delete all existing CSR files.
2. Delete all existing certificates.
3. Reset the certificate filename to none.
4. Disable secure protocols.
Continue (yes, y, no, n): [no] y
Select key size [1024 or 2048]: 2048
Generating new rsa public/private key pair
Done.
switch_55:FID55:root>
5. Check if there is anything in the directory:
switch_55:FID55:root>
switch_55:FID55:root> ls
pvt_key
switch_55:FID55:root>
6. Generate the CSR file in interactive mode:
switch_55:FID55:root>
switch_55:FID55:root> seccertutil gencsr
Input hash type (sha1 or sha256): sha1
Country Name (2 letter code, eg, US):US
State or Province Name (full name, eg, California):California
Locality Name (eg, city name):San Jose
Organization Name (eg, company name):Brocade
Organizational Unit Name (eg, department name):IT
Common Name (Fully qualified Domain Name, or IP address):192.yyy.zz.xx1 (IP address of the switch)
Generating CSR, file name is: CSR_filename.csr
Done.
switch_55:FID55:root>
7. Check if the file is created and in the directory:
switch_55:FID55:root>
switch_55:FID55:root> ls
CSR_filename.csr pvt_key
switch_55:FID55:root>
8. Open openssl shell:
switch_55:FID55:root>
switch_55:FID55:root> openssl
OpenSSL>
9. Generate the self-signed key and the PEM:
OpenSSL> x509 -req -days 999 -sha1 -in /etc/fabos/certs/sw0/CSR_filename.csr -signkey /etc/fabos/certs/sw0/pvt_key -out /tmp/pem_filename.pem
Signature ok
subject=/C=US/ST=California/L=San Jose/O=Brocade/OU=IT/CN=192.yyy.zz.xx1
Getting Private key
OpenSSL>
## This creates the file in the "/tmp" directory on the switch.
## The x509 command might have different arguments in different versions of FOS, but the principle is the same.
10. Type exit to get out of the openssl shell.
OpenSSL>
OpenSSL> exit
switch_55:FID55:root>
11. Check that the file is in the /tmp directory:
switch_55:FID55:root>
switch_55:FID55:root> pwd
/etc/fabos/certs/sw0
switch_55:FID55:root>
switch_55:FID55:root> ls /tmp | grep pem
.__condbmm.0 pem_filename.pem
switch_55:FID55:root>
12. Import the PEM file with Secure Copy Protocol (SCP) from the /tmp directory and enable HTTPS:
switch_55:FID55:root>
switch_55:FID55:root> seccertutil import -config swcert -enable https
Select protocol [ftp or scp]: scp
Enter IP address: localhost
Enter remote directory: /tmp
Enter certificate name (must have ".crt" or ".cer" ".pem" or ".psk" suffix):pem_filename.pem
Enter Login Name: root
root@localhost's password:
Success: imported certificate [192.yyy.zz.xx2.pem].
Certificate file in configuration has been updated.
Secure http has been enabled.
switch_55:FID55:root>
Test the HTTPS connection to the switch with Internet Explorer.
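The same key, CSR and self-signed PEM chain as steps 4, 6 and 9, reproduced non-interactively with the openssl CLI on a workstation (option b above) and followed by the checks worth running before importing the file. This is an added example, not the article's or Brocade's own commands; it uses sha256 instead of sha1, a shorter lifetime than 999 days, adds a SAN for the switch IP, and the paths, CN and lifetime are assumptions.

```shell
#!/bin/sh
# Added example (not from the article): key -> CSR -> self-signed PEM
# with the openssl CLI, plus pre-import checks. Paths, CN and DAYS are
# assumptions; 192.0.2.10 is a placeholder switch address (RFC 5737).
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
KEY="$WORKDIR/pvt_key"            # same file name the switch uses
CSR="$WORKDIR/CSR_filename.csr"
PEM="$WORKDIR/pem_filename.pem"
CN="${CN:-192.0.2.10}"            # placeholder switch IP
DAYS="${DAYS:-398}"               # shorter than the article's 999 days

# Step 4 equivalent: 2048-bit RSA key pair (seccertutil genkey on the switch).
gen_key() {
    openssl genrsa -out "$KEY" 2048 2>/dev/null
}

# Step 6 equivalent: CSR with the subject fields the switch prompts for,
# signed with sha256 instead of the sha1 chosen in the article.
gen_csr() {
    openssl req -new -sha256 -key "$KEY" -out "$CSR" \
        -subj "/C=US/ST=California/L=San Jose/O=Brocade/OU=IT/CN=$CN"
}

# Step 9 equivalent: self-sign the CSR with the same private key. The
# extension file adds a subjectAltName carrying the switch IP, which
# browsers require in addition to the CN.
self_sign() {
    printf 'subjectAltName=IP:%s\n' "$CN" > "$WORKDIR/san.cnf"
    openssl x509 -req -days "$DAYS" -sha256 -in "$CSR" -signkey "$KEY" \
        -extfile "$WORKDIR/san.cnf" -out "$PEM" 2>/dev/null
}

# Pre-import checks: the certificate's public key must match pvt_key,
# the CN must be the switch address, and the cert must not be expired.
cert_matches_key() {
    [ "$(openssl x509 -in "$PEM" -noout -pubkey | openssl dgst -sha256)" = \
      "$(openssl pkey -in "$KEY" -pubout | openssl dgst -sha256)" ]
}
cert_cn() {
    openssl x509 -in "$PEM" -noout -subject -nameopt RFC2253 \
        | sed -n 's/^subject= *CN=\([^,]*\).*/\1/p'
}
cert_not_expired() {
    openssl x509 -in "$PEM" -noout -checkend 0 >/dev/null
}

build_all() { gen_key && gen_csr && self_sign; }
```

After build_all, copy pem_filename.pem to the switch's /tmp directory and import it with seccertutil import as in step 12.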
Additional Information
Connectrix Brocade B-Series: How to Enable HTTPS Webtools GUI Access on Brocade Switches
Duration: 00:07:08 (hh:mm:ss)