Can't import self-signed certificate to GS1920-24V2 (FW 4.80, ABMH.0)
Hi,
I have a problem to import a self-signed certificate to my switch. I've tried it with a self-signed PKCS#12 file generated from opnsense. File extension is .p12. Then I've tried it with a compiled version from openssl under windows with bothe extensions .p12 or .pfx with and without a password. Whenever I want to import the file nothing happens and after a few seconds there is a white screen, telling me that my switch hasn't send any data? I've tried it with chrome, firefox and Edge on two different windows computer and with my android handy. The result is always the same even though the screen that apperas after pressing the button is sometimes white and sometimes black. There is another posting here that belongs to a similiar problem with a 1930 switch. So I've tried to ping the switch after pressing the button and in my case I can ping the switch.
Any idea what I have to do?
Kind Regards
Accepted Solution
-
Meanwhile my problem is solved. It seems to be that the filesize of the certificate-P12-file that was directly generated and downloaded from the internal certificate authority in OPNsense was too big and therefore the certificate couldn't be imported. I had to download the CRT-File and the key-File separately and then generate the p12 with an OPENSSL-Installation. The resulting file was ca. 20% smaller than the file that was generated by OPNsense and could be imported without any problem. Now I can access my switch via https.
Thanks a lot for your help
1
All Replies
-
Hi @Schnuffel2000,
Thanks for bringing this to our attention.
Could you provide me with your certificate (with password) and how you generate this certificate via private message? I will help to check your problem.
0 -
Hi @Schnuffel2000,
Thanks for the certificate files.
I try the OpenSSL.p12 was success. But the Opensense.p12 failed, I think this might be due to the file size is larger than 5 kB.
Could you help to confirm if the subject has changed to your domain when you import OpenSSL.p12?
0 -
Meanwhile my problem is solved. It seems to be that the filesize of the certificate-P12-file that was directly generated and downloaded from the internal certificate authority in OPNsense was too big and therefore the certificate couldn't be imported. I had to download the CRT-File and the key-File separately and then generate the p12 with an OPENSSL-Installation. The resulting file was ca. 20% smaller than the file that was generated by OPNsense and could be imported without any problem. Now I can access my switch via https.
Thanks a lot for your help
1 -
Hi Melen,
it is the way you say. The import of the OPENSSL-Version .p12 works for me too.
0 -
Hi @Schnuffel2000,
It's happy to hear it works.
Furthermore, we will fix the certificate cannot be larger than 5 KB in future official firmware release.
0 -
Hi
I have done a little bit more testing now, and it seems to be, that the problem is not the size. I used a rsa key type with 4096 bit key length and that gave me the 7kb P12-file with Opnsense and the 5 kb file with openssl. When I installed the openssl file the cetrificate works, but it took really long to load the login screen. So I lowered the key length to 2048 ( i fairly believe this is really enough for a home system that is not exposed to public). Now the login screen appears much faster and I am happy with the result. This lowered the filesize with openssl to 3,08kb. So I've tried it again with opnsense directly with 2048 bit and this end me up eith a file size of 4,75kb which is nearly exactly the same as the former 4096 bit file from openssl (4,49kb). But the opensense file still fails on importing it. So there must be another problem. I posted this in the opnsense forum too. Maybe they have an idea. I have no other server that uses a p12 file. They use the seperated crt file and key file or like my fritzbox they use a pem-file. So the only thing I can say is that the p12-file generated from Opnsense worked for the fritzbox, when I download it and converted it with openssl to a pem-file. But I can't proof if the original p12 file works in other servers and that the problem belongs to the switch. Maybe it belongs to the opnsense-file...
0 -
Hi @Schnuffel2000,
Apologize for the delay.
Could you also send the new opnsense certificate for me to verify?
0
Categories
- All Categories
- 415 Beta Program
- 2.3K Nebula
- 141 Nebula Ideas
- 94 Nebula Status and Incidents
- 5.5K Security
- 216 USG FLEX H Series
- 262 Security Ideas
- 1.4K Switch
- 71 Switch Ideas
- 1K Wireless
- 39 Wireless Ideas
- 6.3K Consumer Product
- 243 Service & License
- 382 News and Release
- 81 Security Advisories
- 27 Education Center
- 8 [Campaign] Zyxel Network Detective
- 3K FAQ
- 34 Documents
- 34 Nebula Monthly Express
- 83 About Community
- 71 Security Highlight