Allow Custom HTTPS SSL Certificate Upload for GS1200-8 v3

xyno

TL;DR: While the new HTTPS support in the GS1200-8 v3 is appreciated, the hardcoded self-signed certificate triggers browser warnings and lacks true MitM protection. Please add an option in the WebUI to upload custom SSL certificates (.crt/.key).

​Following up on the announcement regarding HTTPS support being added to the new GS1200-8 v3 (Reference:

https://community.zyxel.com/en/discussion/comment/82468#Comment_82468

), I am writing to submit a follow-up feature request to complete this security implementation.

​While I really appreciate the addition of HTTPS support in the v3 hardware, the current implementation has a significant limitation: it only uses a hardcoded self-signed certificate and lacks an option for users to upload their own custom SSL certificates.

​In practice, this renders the HTTPS feature incomplete for the following reasons:

1. ​Ineffective against MitM Attacks: Without the ability to use a certificate signed by a trusted CA (public or internal), administrators cannot verify the identity of the switch. This defeats the authentication purpose of HTTPS and offers no real protection against Man-in-the-Middle attacks on the local network.

2. ​Poor User Experience: Modern browsers constantly flag the WebUI with red "Not Secure" warnings, requiring manual bypasses every time we log in.

3. ​Incompatibility with Modern LAN Infrastructure: Many prosumers and SMBs manage their own local DNS and valid SSL certificates (e.g., Let's Encrypt or an Internal PKI). The inability to import a .crt/.key pair prevents this switch from integrating seamlessly into existing security architectures.

​Request:

Please consider adding a simple feature in a future firmware update that allows users to upload their own SSL certificate (.crt/.pem) and private key (.key) via the WebUI.

​This small addition would drastically improve the security posture and professional appeal of the GS1200 series. Thank you to the development team for your time and consideration!

Zyxel_Melen

Hi @xyno

To help our team evaluate this, could you please share more details about:

1. Your network topology/scenario. We would like to know where you placed the GS1200 v3.
2. How many GS1200 v3 do you have?

xyno

Hi @Zyxel_Melen

Thank you for getting back to me and for considering this feature request!

To answer your questions:

1. Network Topology & Scenario:

The GS1200 v3 is deployed as an access/edge switch in a HomeLab environment (which mirrors a typical modern SMB setup).

My core network is managed by an OPNsense firewall, which handles routing, VLANs, and also acts as an internal Certificate Authority (CA) / Reverse Proxy (HAProxy). The GS1200 v3 is connected downstream from the firewall and serves as the backbone for:

Virtualization hosts (Proxmox VE)

Wireless Access Points (OpenWrt)

IP Cameras for an NVR system (Frigate)

The core issue: In this environment, I enforce a strict internal HTTPS policy. All management interfaces (Firewall, Hypervisor, APs, NVR) are secured using valid SSL certificates (either via my internal CA or Let's Encrypt wildcard certificates). Because the GS1200 v3 cannot accept a custom certificate, it is the only device on my management VLAN that triggers a browser security warning. Allowing a simple .crt/.key upload would allow the switch to fit perfectly into modern, secure internal networks without breaking the zero-trust / strict SSL policies that many IT pros and enthusiasts deploy today.

2. How many GS1200 v3 do you have:

Currently, I am managing 2 units of the GS1200-8 v3 in this specific setup. However, I often recommend network hardware to peers and clients. A feature like custom SSL certificates would make the GS1200 series the absolute go-to choice for entry-level managed switches, as many competitors in this price range also lack this crucial security feature.

Thank you again for passing this along to the development team! Let me know if you need any more architectural details.