Own certificate on GS1920 or GS1900-10HP
I have 2 GS1920-24 switches and one GS1900-10HP. I would like to install own certificates on these as HTS is enabled on the domain under which these switches reside. How can I install my own certificates so I don't get locked out as the default self signed certificates are not accepted?
Thanks
Louis
Thanks
Louis
0
Comments
-
Hi @elag,
Welcome to Zyxel community!
For current design, our switch doesn't support to install certificate on it.
Why do you need to install your certificate on the switch? Did you already got locked out because of the switches?
May you also explain HTS in full name?
Thanks.Jason0 -
Normally, an untrusted certificate just causes an additionally dialogue when accessing with HTTPS.
Below is an example from Google Chrome:
You can still access the device by clicking the "Proceed to X.X.X.X (unsafe)".
Were you able to create a network policy that forces clients to only HTTPS access trusted certificates?0 -
Re. HSTS: https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security (sorry I made a typo in my original mail).
An excerpt from that page:When a web application issues HSTS Policy to user agents, conformant user agents behave as follows:[11]
- Automatically turn any insecure links referencing the web application into secure links. (For instance, http://example.com/some/page/ will be modified to https://example.com/some/page/ before accessing the server.)
- If the security of the connection cannot be ensured (e.g. the server's TLS certificate is not trusted), show an error message and do not allow the user to access the web application.[12]
I have enabled this on my web server (https://www.fazant.net) that also reacts on https://fazant.net.
This actually results in hsts being applied to all hosts and subdomains under fazant.net.
I accessed my fazant.net domain using https once.
So if I now try to access my switches over https, firefox denies me access without the possibility for the override (as secure https is required for the whole domain, so no self signed certificates as per 2 above).
Http access to anything under the fazant.net domain is automatically mapped to https, again without override (as per 1 above).
This could easily be remedied when I could load own certificates on the switches (which is more reliable anyhow).
Is the option for adding certificates planned for the firmware of these switches? Not being able to use proper signed certificates should be possible on professional gear...
0 -
Hi @elag,
The picture below is my local test in my office to use Firefox accessing GS1920 via HTTPS:
You may follow step 1 and 2 to add the exception in your Firefox browser.
I have found the page about the error message for you: https://support.mozilla.org/en-US/kb/what-does-your-connection-is-not-secure-mean
An excerpt from the page:
"Self-signed certificates make your data safe from eavesdroppers, but say nothing about who the recipient of the data is. This is common for intranet websites that aren't available publicly and you may bypass the warning for such sites."
May you add exception in your Firefox browser to let you access the switch under your fazant.net domain?
Jason0 -
Yes, I did add exceptions for the switches in the browser. That works fine and I can contact the switches.
But as soon as I visit the website via the main domain of where the switches are located, the browser ignores the exception and simply denies me access. Only when I manually remove the HTS setting for the domain (for firefox in SiteSecurityServiceState.txt in the default profile) the browser allows access again. So I know how to get access by hacking the firefox profile outside the browser. I can probably find some other hacks to completely disable hsts, but I am not happy having to disable security features in the browser.
I have for now removed the directive to include subdomains from the server settings on the main domain. That should solve it for now. Having the possibility to use own certificates on the switches remains my only wish for the zyxel switches.
Thanks for your interest
Louis
0 -
Hi @elag,
I will open a new discussion in the Idea section.
The new feature for importing own certificate in Zyxel switch will be in our future route map.
One more thing I need to tell you, this feature will be added in Zyxel switch except GS1900 because it is an entry level managed switch.
Hope it helps.Jason0 -
Thanks for doing this Jason, much appreciated. I understand the limitation for the GS9100
This certainly helps!
0 -
Hi, will this happen any time soon?0
Categories
- All Categories
- 415 Beta Program
- 2.4K Nebula
- 147 Nebula Ideas
- 96 Nebula Status and Incidents
- 5.7K Security
- 262 USG FLEX H Series
- 271 Security Ideas
- 1.4K Switch
- 74 Switch Ideas
- 1.1K Wireless
- 40 Wireless Ideas
- 6.4K Consumer Product
- 249 Service & License
- 387 News and Release
- 84 Security Advisories
- 29 Education Center
- 10 [Campaign] Zyxel Network Detective
- 3.5K FAQ
- 34 Documents
- 34 Nebula Monthly Express
- 85 About Community
- 73 Security Highlight