@tomdaley92
Last active June 14, 2022 20:58
Uploading TLS Certificate to Cisco SG 250/350 Series Switches

I recently picked up a Cisco SG250-08HP and it would not accept a certificate that I issued for it using my own root CA. Even after bootstrapping trust by importing that CA, it still would not work, and the error message was unclear. After a few hours of research and many failed attempts I finally found a reproducible way to do it, so I hope this helps someone else who runs into the same problem.

TL;DR: the RSA key pair must be in PKCS#1 format for the Cisco switch to accept it.

For some additional context: I generated my certificates with pfSense 2.6.0 (current at the time of writing), using SHA256 signatures and 2048-bit RSA keys. OpenSSL version used in this guide: OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022)

  1. Log in to the switch WebUI and import your root CA. This step is straightforward and I didn't have any issues: just paste the contents of the PEM formatted certificate under Security -> Certificate Settings -> Import... I didn't have to import my intermediates either, just the root.

  2. Create/generate a server certificate with a 2048-bit key (you can't use a 4096-bit key; it won't fit in the Cisco WebUI's input field, lol).

    I exported my certificate and key from pfSense. The certificate file is fine as-is, just ordinary PEM. The key, however, came out in PKCS#8 format, which was the problem: the Cisco switch requires the older PKCS#1 format. In practice this means we need two files in place of the single key file (a public key and a private key), where the PEM headers must contain the word RSA and the leading wrapper is removed (roughly the first 32 characters of the base64 body, something like that lol...). Huge thanks to this blog post, which really helped point me in the right direction.

  3. Now, if you follow the instructions in that blog post for formatting the private key, the command did not work for me: the resulting private key file was identical to the input. It turns out OpenSSL 3.0 changed this behaviour (openssl rsa now writes PKCS#8 by default) and requires the -traditional flag to emit PKCS#1. This took me hours to figure out haha. Anyway, here is how to generate the PKCS#1 formatted RSA private key from a PKCS#8 key:

    openssl rsa -in your-key.pem -traditional
  4. Here is the command to get the PKCS#1 formatted RSA public key to go with it:

    openssl rsa -in your-key.pem -RSAPublicKey_out
  5. Now you should have your certificate file along with a PKCS#1 formatted RSA public/private key pair for the Cisco switch. Navigate to Security -> SSL Server -> SSL Server Authentication Settings and select the User Defined certificate entry, either 1 or 2. Click on Import... and paste just the certificate (again, no intermediates needed or allowed, so just the end-entity certificate, no chain) along with the public and private keys we just formatted.
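To make the conversion in steps 2 to 4 concrete, here is an added example (not part of the original gist and not Cisco's or OpenSSL's code) that does the same unwrapping in plain Python with only the standard library. `pkcs8_to_pkcs1` removes the PKCS#8 PrivateKeyInfo container the way `openssl rsa -traditional` does, `spki_to_pkcs1` removes the SubjectPublicKeyInfo container the way `openssl rsa -RSAPublicKey_out` does, `rsa_public_numbers` lets you confirm both outputs describe the same key, and `wrapper_bytes` reports exactly how many DER bytes the "strip the first N characters" trick throws away. It handles unencrypted RSA keys only, and the toy key built by `make_toy_keys` (textbook RSA with n = 61 * 53, wrapped the same way OpenSSL wraps a real 2048-bit key) is constructed for the demo; all function names are my own.

```python
import base64
import re
RSA_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1 rsaEncryption

def _read_tlv(data, pos=0):
    """Decode one DER tag/length/value at pos; return (tag, value, next_pos)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def _der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def _der_int(v):  # +8 bits keeps a leading 0x00 when the top bit is set
    b = v.to_bytes((v.bit_length() + 8) // 8, "big")
    return b"\x02" + _der_len(len(b)) + b

def _der_seq(*parts):
    body = b"".join(parts)
    return b"\x30" + _der_len(len(body)) + body

def _pem_to_der(pem):
    m = re.search(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", pem, re.S)
    if not m:
        raise ValueError("no PEM block found")
    return m.group(1), base64.b64decode("".join(m.group(2).split()))

def _der_to_pem(label, der):
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

def _check_rsa(algid):
    if _read_tlv(algid)[:2] != (0x06, RSA_OID):
        raise ValueError("AlgorithmIdentifier is not rsaEncryption")

def pkcs8_to_pkcs1(pem):
    """PRIVATE KEY (PKCS#8) -> RSA PRIVATE KEY (PKCS#1), like `openssl rsa -traditional`."""
    label, der = _pem_to_der(pem)
    if label == "RSA PRIVATE KEY":
        return pem  # already PKCS#1, nothing to strip
    if label != "PRIVATE KEY":
        raise ValueError(f"unsupported PEM label {label!r} (encrypted keys not handled)")
    _, body, _ = _read_tlv(der)                    # PrivateKeyInfo ::= SEQUENCE {
    tag, version, pos = _read_tlv(body)            #   version INTEGER (0),
    if tag != 0x02 or version != b"\x00":
        raise ValueError("unsupported PrivateKeyInfo version")
    _, algid, pos = _read_tlv(body, pos)           #   privateKeyAlgorithm,
    _check_rsa(algid)
    tag, key, _ = _read_tlv(body, pos)             #   privateKey OCTET STRING }
    if tag != 0x04:
        raise ValueError("privateKey is not an OCTET STRING")
    return _der_to_pem("RSA PRIVATE KEY", key)     # the octets are the RSAPrivateKey

def spki_to_pkcs1(pem):
    """PUBLIC KEY (SubjectPublicKeyInfo) -> RSA PUBLIC KEY, like `openssl rsa -RSAPublicKey_out`."""
    label, der = _pem_to_der(pem)
    if label != "PUBLIC KEY":
        raise ValueError(f"unsupported PEM label {label!r}")
    _, body, _ = _read_tlv(der)                    # SubjectPublicKeyInfo ::= SEQUENCE {
    _, algid, pos = _read_tlv(body)                #   algorithm,
    _check_rsa(algid)
    tag, bits, _ = _read_tlv(body, pos)            #   subjectPublicKey BIT STRING }
    if tag != 0x03 or bits[:1] != b"\x00":         # first byte = unused bits, must be 0
        raise ValueError("subjectPublicKey is not a byte-aligned BIT STRING")
    return _der_to_pem("RSA PUBLIC KEY", bits[1:])

def rsa_public_numbers(pem):
    """(n, e) from a PKCS#1 RSA PRIVATE KEY or RSA PUBLIC KEY PEM."""
    label, der = _pem_to_der(pem)
    _, body, _ = _read_tlv(der)
    pos = _read_tlv(body)[2] if label == "RSA PRIVATE KEY" else 0  # skip version
    _, n, pos = _read_tlv(body, pos)
    _, e, _ = _read_tlv(body, pos)
    return int.from_bytes(n, "big"), int.from_bytes(e, "big")

def wrapper_bytes(pem):
    """DER bytes before the inner PKCS#1 structure: what the 'strip the first N characters' trick drops."""
    label, der = _pem_to_der(pem)
    inner = spki_to_pkcs1(pem) if label == "PUBLIC KEY" else pkcs8_to_pkcs1(pem)
    return der.index(_pem_to_der(inner)[1])

def make_toy_keys():
    """Constructed demo key (textbook RSA, n = 61 * 53) wrapped exactly as OpenSSL wraps a real one."""
    n, e, d, p, q = 3233, 17, 2753, 61, 53
    dp, dq, qinv = d % (p - 1), d % (q - 1), pow(q, -1, p)
    rsa_priv = _der_seq(*map(_der_int, (0, n, e, d, p, q, dp, dq, qinv)))
    rsa_pub = _der_seq(_der_int(n), _der_int(e))
    algid = _der_seq(b"\x06\x09" + RSA_OID, b"\x05\x00")  # rsaEncryption, NULL params
    pkcs8 = _der_seq(_der_int(0), algid, b"\x04" + _der_len(len(rsa_priv)) + rsa_priv)
    spki = _der_seq(algid, b"\x03" + _der_len(len(rsa_pub) + 1) + b"\x00" + rsa_pub)
    return _der_to_pem("PRIVATE KEY", pkcs8), _der_to_pem("PUBLIC KEY", spki)
```

To use it on a real key, pass the file contents instead of the toy PEM, e.g. `pkcs8_to_pkcs1(open("your-key.pem").read())`, and diff the result against `openssl rsa -in your-key.pem -traditional`; the two should be byte-for-byte identical. `wrapper_bytes` also explains the "first 32 characters" figure from step 2: for a 2048-bit key the SPKI wrapper is 24 bytes, which is exactly 32 base64 characters, so the trick works on the public key, but the PKCS#8 wrapper is 26 bytes, which is not a base64 boundary, so the private key has to be converted properly rather than trimmed.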
