Import certificate - ERROR: Import custom CA fail
Hi, I just received an XMG1915 today. I configured almost everything but can't import a custom certificate.
We run our own CA and all our services in our lab are using certificates issued by our own CA so they are trusted by our browsers in the company because the CA-Certificate is distributed to all computers.
I've generated a standard PKCS12 as indicated, including the certificate and the intermediate certificate. I've tested with 8192-bit RSA key pairs and 2048-bit RSA key pairs with sha512 and sha256 signatures, and all fail with the same error message. There is no information anywhere about the reason the certificate is rejected or not imported.
We need additional information about how to generate a valid PKCS12 suitable for your hardware and the limitations in the certificates: the signature algorithms supported, or, at least, an example of a successful certificate creation and import process so we can figure out what's going on.
Thank you for your attention,
Regards
Ignacio
All Replies
-
Hi @ihr,
Welcome to the Zyxel Community!
We can confirm that 2048-bit RSA key pairs with SHA-256/SHA-512 should be supported on this device, so we'd like to investigate further.
Could you help us with the following?
- Generate a new PKCS12 certificate using the same setup, and set the password to 1234, then share the file with us via private message so we can test on our end.
- Please share the firmware version currently running on your XMG1915.
Thank you for your cooperation!
Zyxel Tina
-
Thank you for jumping in. You should have it in your inbox.
-
FYI. Here is the process to generate the p12:
Requirements:
- Digital certificate (2048 bits) (in this case it is swpapa.pem)
- Private key (in this case it is private.key)
- Intermediate ca certificate (in my case this is 8192 bits RSA and file name is ServersCA.pem)
- Password is written in a file named p12pass.txt
Command to execute:
openssl pkcs12 -export -out swpapa.p12 -inkey private.key -in swpapa.pem -certfile ServersCA.pem -passout file:p12pass.txt
This generates the output swpapa.p12
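A way to check what a bundle built with the command above actually contains before importing it on a device, added here as an example and not part of the original post or of Zyxel's guidance. It builds a throwaway root, intermediate and leaf so it runs offline; RootCA.pem, the subject names and the password are constructed values, while the other file names follow the post.

```shell
#!/bin/sh
# Added example (constructed names, subjects and password; throwaway keys).
# Builds root -> intermediate -> leaf, exports with the post's command, then
# checks what actually ended up inside the PKCS#12 file.
P='-in swpapa.p12 -passin file:p12pass.txt'   # shared pkcs12 read options

make_bundle() {   # $1 = empty working directory
  cd "$1" || return 1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:swpapa.lab.example\n' > leaf.ext
  printf 'constructed-test-pass\n' > p12pass.txt
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 2 -subj '/CN=Lab Root CA' -keyout root.key -out RootCA.pem 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj '/CN=Lab Servers CA' -keyout int.key -out int.csr 2>/dev/null
  openssl x509 -req -in int.csr -CA RootCA.pem -CAkey root.key -CAcreateserial -sha256 -days 2 -extfile ca.ext -out ServersCA.pem 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj '/CN=swpapa.lab.example' -keyout private.key -out leaf.csr 2>/dev/null
  openssl x509 -req -in leaf.csr -CA ServersCA.pem -CAkey int.key -CAcreateserial -sha256 -days 2 -extfile leaf.ext -out swpapa.pem 2>/dev/null
  # Same export command as in the post
  openssl pkcs12 -export -out swpapa.p12 -inkey private.key -in swpapa.pem -certfile ServersCA.pem -passout file:p12pass.txt
}

cert_count() {    # number of certificates stored in the bundle (leaf + chain)
  openssl pkcs12 $P -nokeys 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}
key_matches() {   # bundled private key and bundled leaf carry the same public key
  k=$(openssl pkcs12 $P -nocerts -nodes 2>/dev/null | openssl pkey -pubout)
  c=$(openssl pkcs12 $P -clcerts -nokeys 2>/dev/null | openssl x509 -noout -pubkey)
  [ -n "$k" ] && [ "$k" = "$c" ]
}
chain_verifies() { # leaf validates to the root using only the bundled CA certs
  openssl pkcs12 $P -cacerts -nokeys 2>/dev/null > bundle-ca.pem
  openssl pkcs12 $P -clcerts -nokeys 2>/dev/null > bundle-leaf.pem
  openssl verify -CAfile RootCA.pem -untrusted bundle-ca.pem bundle-leaf.pem >/dev/null 2>&1
}

work=$(mktemp -d) && make_bundle "$work" || exit 1
echo "certificates in bundle: $(cert_count)"
key_matches && echo "private key matches leaf certificate"
chain_verifies && echo "leaf chains to the root through the bundled intermediate"
# Container-level MAC and encryption algorithms the importing device has to parse
openssl pkcs12 $P -info -noout 2>&1
```

If all three checks pass, the bundle itself is well-formed, and a rejection is down to what the importing device accepts.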
-
Hi @ihr,
Sorry for the late reply!
After investigation, the switch does not support importing PKCS#12 files with certificates issued by a Certificate Authority (including an intermediate CA), and they may fail to be imported.
As a workaround, we recommend using a self-signed certificate for the switch.
Additionally, to help our team evaluate this as a future feature request, could you please share more details about:
- Your CA deployment scenario and application
- The number of switches in your environment
- Which CA/vendor your certificate is issued from
This information will help us better understand your requirements and assess potential improvements.
Thank you for your patience and cooperation!
Zyxel Tina