Certificate manager and generating public keys
-
I ran into a sim problem with the sg300 switch.. Public key is normally part of the cert.. That they want it on its own is pretty much nonsense.. Just create a csr and have your cert manager sign it.. You can add whatever SAN you want to add when you sign it with the cert manager..
See this thread about using cert manager and other devices.
https://forum.pfsense.org/index.php?topic=141496.0 -
Click the export key button on the certificate in the Certificate Manager. Use that as /tmp/switch.key.
You have to derive the public key from the same private key that generated the modulus that was signed in the certificate. That is also what gets pasted into the switch private key field.
Given that the exported format there is PRIVATE KEY not RSA PRIVATE KEY I would try -pubout first then -RSAPublicKey_out if that does not work.
Yeah, John, since the public key can be derived from the private key, making the user jump through this hoop is asinine.
Only increases my disdain for Netgear and every product they make. I despise the brand in its entirety.
Yeah - or generate a CSR and sign that.
-
Its worse than that Derelict the public key is actually part of the CERT.. There is no reason at all to post it on its own..
openssl x509 -pubkey -noout -in cert.pem > pubkey.pem
So really have no idea why they go through such nonsense.. There is no need to post the public key extra.. All that is need for the server to be able to use that cert is the cert file and the key file.. And the CA that they can hand out in the chain, etc.
I went through a bunch of nonsense in the latest beta of the sg300 firmware wanting specific format and key length issues, etc.. Just create the CSR on the switch, it was listed there in his screen shot. Sign it and add whatever SAN you want. Since pretty sure their csr will be very limited and only have CN.. When most browsers these days will balk unless there is a SAN matching the CN as well, etc.
-
what a loathesome piece of equipment…. I've done everything right to import the certificates, all fresh from the psfsene files and its still saying "incostistent value" what ever that means!
I'll try the signing root now and see if I have any more luck!
thanks both :)
-
ok - sorry for my ignorance here… its really starting to show!
I created the CSR, went back into pfsense and signed it with my intermedite CA. I didnt add any key info as I figured the Int. CA would have this itself.
Thats now done and sitting in Pfsense.
Going back to the switch what do I change? its still saying its using no certificates? see image....
I'm utterly lost with the stupid thing!
 -
I take that back!
The browser (Chrome) is still showing the red 'Not Secure' warning.
but clicking into the certificate it is valid with a green tick :)
Why would the browser not be green? Other servers Ive got running are !
So odd!
-
hmmmmm so its green when i use the IP address, not when i use the hostname….
I feel like I'm making progress!
-
Did you put the hostname in the CN? Or in a SAN?
The browser needs the CN and/or a SAN to match what it is told to connect to or it will throw an error.
-
The switch prob stupid and just put in whatever IP it has for the CN.. If it does not allow you to edit those - then when you sign the CSR in pfsense the the fqdn you want to use or multiples etc.. as FQDN sans and IP SANS for any IPs you might use to access the switch.
-
;D finally!!!
That only took the entire day…. as you thought I'd not put all DNS options into the certificate.
So.... I deleted the lot, from pfsense and the switch and started all over again. Then it all worked fine, even the switch played nicely for some unknown reason.
So I'll quit while I'm ahead and grab a beer!
Thanks to you both for helping me! Derelict, you're a star!
If anyone else has the same issues - this is how I did ( well how Derelict instructed me :) )
1. use pfsense cert manager to create a new sever certificate.... make sure to include the FQDN, hostname, IP address and any other way you'll access the web gui in the certificate
2.
Taken from Derelects post....
Diagnostics > Edit File
Put /tmp/switch.key in the path and paste the private key in the main text window, with the begin and end lines included, and save.
Then Diagnostics > Command Prompt
Execute this shell command:
openssl rsa -in /tmp/switch.key -RSAPublicKey_out
Try using that output (don't copy that first "writing" line) in the public key field.
3. then save the p12 file from pfsense somwhere onto your machine - im not sure it matters where. Then in Terminal I navigated to the folder I'd saved that p12 file in and ran the following command openssl pkcs12 -in pfsensefile.p12 -nocerts -out private.key . I hit enter on the first password/import prompt and entered my own password in the second
4. in the same terminal window run the following openssl rsa -in private.key -out privateRSA.key use the password you entered in step 3.
Then…..
5. go into the switch and in the Import Certificates section paste the certificate data from the pfsense .cert file into the certificate box. Put the output of step 2 into the Public key box and the output of step 4 found in the privateRSA.key file into the Private key box
6. Hit apply and cross your fingers!
Thanks again to Derelict and johnpoz, couldn't have done it without you!!!
-
Signing the CSR would of been much easier… That is for sure...
-
Yeah, and there's an export private key so not sure why you dorked with extracting the key from the pkcs12 bundle but glad it's working. :)
-
I was halfway though that when I noticed that accessing the gui via the IP gave a green url bar.
AS I couldn't really tell if I'd signed things properly - the switch was hardly forthcoming with info I checked the certificate the browser was seeing.
It turned out to be the one I'd created at the outset of the process… so felt I'd give that one final go starting fresh before going down the signing route.
(which i think would have been easiest all along lol)
Thanks again :)
-
Yeah, and there's an export private key so not sure why you dorked with extracting the key from the pkcs12 bundle but glad it's working. :)
Pass…. Something about seeing the wood for the trees comes to mind, that and not really knowing what I'm doing! ::)
-
sorry guys, can someone summarize the idiot proof version of these instructions please.
- i have created Root CA and Sub-Root CA
- I have created Server Certificates with the Sub-Root CA
- i have successfully set these up with openwrt & freenas devices
- i am struggling to get them working on my two netgear switches.
-
@gwaitsi as I had to do this again, and completely forgot how I did this last time, here are the instructions for 2021.
-
Save the device cert & key generated in pfsense locally
-
rename the device.crt to root.pem
-
convert the private key to rsa private key
openssl rsa -in device.key -out device_rsa.key -
create a file called ssl_key.pem
a) copy the contents of device.crt into this file from
-----BEGIN CERTIFICATE-----
MIIE2jCCA8KgAwIBAgIBHjAN.......
i1M5xmyTK0cyhwQ==
-----END CERTIFICATE-----
b) copy the contents of device_rsa.key into this file below the certificate from
-----BEGIN RSA PRIVATE KEY-----
MIIE.....
ZBjv7j74PS4P7I=
-----END RSA PRIVATE KEY----- -
From the netgear switch "Maintenance", "Update", "HTTP Firmware/File Update" select
- "X.509 Public Certificate PEM" and load the root.pem
- "X.509 Certificate Private Key PEM" and load the ssl_key.pem
-
From the netgear switch "Security", "Access", "HTTPS", "Admin Mode" - Enable.
-
