Certificate manager and generating public keys

  • Hi,

    Not very experienced here, and definitely not a linux/command line pro!

    I'm trying to produce certificates for my Netgear GS728TP switch.  I've done it for a few other things but this time I'm stumped!

    I've produced the cert on pfsense as usual, and have the private key, the pk12 and the cert… but no public key and the switch wants the private and public keys as well as the certificate pasting in.

    How do I create a public key!?!?

    Thanks in advance

  • LAYER 8 Netgate

    They are probably talking about the private key and the certificate.

    What is the certificate on the switch for? An https web interface?

    (pfSense is based on FreeBSD not Linux.)

  • thanks for the reply….

    .... I thought this too as thats all I've ever used in the past.  I've attached the screen shot where they want it all.  I've tried missing the public key out and the interface says it needs them both.

    I've got the cert, the private rsa key (and a public.pem key) but i cant for the life of me figure out how to get the public rsa key!

    yes its for an https web interface on a Netgear GS728TP


    ![Screen Shot 2017-12-28 at 18.03.58.png](/public/imported_attachments/1/Screen Shot 2017-12-28 at 18.03.58.png)
    ![Screen Shot 2017-12-28 at 18.03.58.png_thumb](/public/imported_attachments/1/Screen Shot 2017-12-28 at 18.03.58.png_thumb)

  • LAYER 8 Netgate

    Honestly I have no idea what they are asking for there.

    Generally the three fields are for:

    Private Key
    Intermediate CA (if any)

  • Agreed…  I've been tearing my hair out all day trying to work it out!

    Netgear seem to be really bad at the SSL side of things!


  • LAYER 8 Netgate

    There is probably a way to make openssl extract that. Give me a bit.

    It's pretty stupid that they make you do that (I've never seen any other device on the planet ask for that for a web server certificate) but… it's netgear so that pretty much explains away any crappiness you might find.

  • Really appreciate the help.  They always seem to have some foible that makes these simple things really awkward!

    If it helps I'm running pfsense to generate certificates.

    (any recommendations for switches that are similarly priced and spec'd?)

  • LAYER 8 Netgate

    Try this:

    Diagnostics > Edit File

    Put /tmp/switch.key in the path and paste the private key in the main text window, with the begin and end lines included, and save.

    Then Diagnostics > Command Prompt

    Execute this shell command:

    openssl rsa -in /tmp/switch.key -RSAPublicKey_out

    Try using that output (don't copy that first "writing" line) in the public key field along with the cert and private key.

    If it doesn't like that try the output from:

    openssl rsa -in /tmp/switch.key -pubout

    If that doesn't work I'm out of ammo and you might consider either calling netgear or trying their forum

  • well its getting further than before!

    but its now saying "inconsistent value" what ever that means!

    What I've done is:

    1. used the .crt file as supplied by pfsense
    2. used the .key private key file as you directed to give the RSA public key
    3. generated the rsa private key file for the netgear web gui by using the following:openssl rsa -in ssl.key -out ssl.key

    I've a feeling stage 3 could be the place is going wrong!

    How should I be getting the RSA private key from the pfsense files?

    Thanks you so much btw - I've asked in netgear forums too :)

  • LAYER 8 Global Moderator

    I ran into a sim problem with the sg300 switch.. Public key is normally part of the cert.. That they want it on its own is pretty much nonsense.. Just create a csr and have your cert manager sign it.. You can add whatever SAN you want to add when you sign it with the cert manager..

    See this thread about using cert manager and other devices.

  • LAYER 8 Netgate

    Click the export key button on the certificate in the Certificate Manager. Use that as /tmp/switch.key.

    You have to derive the public key from the same private key that generated the modulus that was signed in the certificate. That is also what gets pasted into the switch private key field.

    Given that the exported format there is PRIVATE KEY not RSA PRIVATE KEY I would try -pubout first then -RSAPublicKey_out if that does not work.

    Yeah, John, since the public key can be derived from the private key, making the user jump through this hoop is asinine.

    Only increases my disdain for Netgear and every product they make. I despise the brand in its entirety.

    Yeah - or generate a CSR and sign that.

  • LAYER 8 Global Moderator

    Its worse than that Derelict the public key is actually part of the CERT.. There is no reason at all to post it on its own..

    openssl x509 -pubkey -noout -in cert.pem  > pubkey.pem

    So really have no idea why they go through such nonsense..  There is no need to post the public key extra.. All that is need for the server to be able to use that cert is the cert file and the key file..  And the CA that they can hand out in the chain, etc.

    I went through a bunch of nonsense in the latest beta of the sg300 firmware wanting specific format and key length issues, etc..  Just create the CSR on the switch, it was listed there in his screen shot.  Sign it and add whatever SAN you want.  Since pretty sure their csr will be very limited and only have CN.. When most browsers these days will balk unless there is a SAN matching the CN as well, etc.

  • what a loathesome piece of equipment….  I've done everything right to import the certificates, all fresh from the psfsene files and its still saying "incostistent value"  what ever that means!

    I'll try the signing root now and see if I have any more luck!

    thanks both :)

  • ok - sorry for my ignorance here… its really starting to show!

    I created the CSR, went back into pfsense and signed it with my intermedite CA.  I didnt add any key info as I figured the Int. CA would have this itself.

    Thats now done and sitting in Pfsense.

    Going back to the switch what do I change?  its still saying its using no certificates?  see image....

    I'm utterly lost with the stupid thing!

    ![Screen Shot 2017-12-28 at 19.43.39.png](/public/imported_attachments/1/Screen Shot 2017-12-28 at 19.43.39.png)
    ![Screen Shot 2017-12-28 at 19.43.39.png_thumb](/public/imported_attachments/1/Screen Shot 2017-12-28 at 19.43.39.png_thumb)

  • I take that back!

    The browser (Chrome) is still showing the red 'Not Secure' warning.

    but clicking into the certificate it is valid with a green tick :)

    Why would the browser not be green?  Other servers Ive got running are !

    So odd!

  • hmmmmm so its green when i use the IP address, not when i use the hostname….

    I feel like I'm making progress!

  • LAYER 8 Netgate

    Did you put the hostname in the CN? Or in a SAN?

    The browser needs the CN and/or a SAN to match what it is told to connect to or it will throw an error.

  • LAYER 8 Global Moderator

    The switch prob stupid and just put in whatever IP it has for the CN.. If it does not allow you to edit those - then when you sign the CSR in pfsense the the fqdn you want to use or multiples etc.. as FQDN sans and IP SANS for any IPs you might use to access the switch.

  • ;D  finally!!!

    That only took the entire day…. as you thought I'd not put all DNS options into the certificate.

    So.... I deleted the lot, from pfsense and the switch and started all over again.  Then it all worked fine, even the switch played nicely for some unknown reason.

    So I'll quit while I'm ahead and grab a beer!

    Thanks to you both for helping me!  Derelict, you're a star!

    If anyone else has the same issues - this is how I did ( well how Derelict instructed me :) )

    1. use pfsense cert manager to create a new sever certificate.... make sure to include the FQDN, hostname, IP address and any other way you'll access the web gui in the certificate


    Taken from Derelects post....

    Diagnostics > Edit File

    Put /tmp/switch.key in the path and paste the private key in the main text window, with the begin and end lines included, and save.

    Then Diagnostics > Command Prompt

    Execute this shell command:

    openssl rsa -in /tmp/switch.key -RSAPublicKey_out

    Try using that output (don't copy that first "writing" line) in the public key field.

    3. then save the p12 file from pfsense somwhere onto your machine - im not sure it matters where.  Then in Terminal   I navigated to the folder I'd saved that p12 file in and ran the following command openssl pkcs12 -in pfsensefile.p12 -nocerts -out private.key .  I hit enter on the first password/import prompt and entered my own password in the second

    4.  in the same terminal window run the following openssl rsa -in private.key -out privateRSA.key   use the password you entered in step 3.


    5. go into the switch and in the Import Certificates section paste the certificate data from the pfsense .cert file into the certificate box.  Put the output of step 2 into the Public key box and the output of step 4 found in the privateRSA.key file into the Private key box

    6. Hit apply and cross your fingers!

    Thanks again to Derelict and johnpoz, couldn't have done it without you!!!

  • LAYER 8 Global Moderator

    Signing the CSR would of been much easier… That is for sure...

  • LAYER 8 Netgate

    Yeah, and there's an export private key so not sure why you dorked with extracting the key from the pkcs12 bundle but glad it's working. :)

  • I was halfway though that when I noticed that accessing the gui via the IP gave a green url bar.

    AS I couldn't really tell if I'd signed things properly - the switch was hardly forthcoming with info I checked the certificate the browser was seeing.

    It turned out to be the one I'd created at the outset of the process… so felt I'd give that one final go starting fresh before going down the signing route.

    (which i think would have been easiest all along lol)

    Thanks again :)

  • @Derelict:

    Yeah, and there's an export private key so not sure why you dorked with extracting the key from the pkcs12 bundle but glad it's working. :)

    Pass…. Something about seeing the wood for the trees comes to mind, that and not really knowing what I'm doing!  ::)

  • sorry guys, can someone summarize the idiot proof version of these instructions please.

    • i have created Root CA and Sub-Root CA
    • I have created Server Certificates with the Sub-Root CA
    • i have successfully set these up with openwrt & freenas devices
    • i am struggling to get them working on my two netgear switches.

Log in to reply