Can't import certificates into XMG3927-B50A

kmr1962
kmr1962 Posts: 6  Freshman Member
in Smart Home Product
Hi
I am having problems importing a custom CA and Local certificates into the XMG3927-B50A
When I select Import Certificate and choose the file to import the web interface just displays the "Working" animation but never comes back.

Can anyone provide any assistance/help/guidance please

Accepted Solution

  • kmr1962
    kmr1962 Posts: 6  Freshman Member
    Answer ✓
    For info

    I have identified the issue
    I have changed the IP address of the router and the web interface tries to upload the certificate to the default address (192.168.1.1) so fails

    Reverting the address to 192.168.1.1 allows the certificates to be uploaded.

All Replies

  • zelgit
    zelgit Posts: 9  Freshman Member
    First Comment Friend Collector Fourth Anniversary
    Maybe this official (?) Zyxel guide will help you. Look at the steps under "Use Custom Signed Certificate":
    https://mysupport.zyxel.com/hc/en-us/articles/360006916979--NSA-NAS-How-to-fix-certificate-error-on-browser-when-accessing-NAS-WebUI
  • kmr1962
    kmr1962 Posts: 6  Freshman Member
    zelgit

    Thanks for responding
    Unfortunately the process for uploading the certificates to the XMG3927-B50A is very different.
    I believe that the issue is that the web interface is not actually even attempting to upload the certificate (ie the web interface is broken)

    But additionally, I think that uploading the certificate would be in vane anyway as there also doesn't appear to be any way of setting the HTTPS web interface to use a custom certificate anyway, which is what I wanted to do.
  • zelgit
    zelgit Posts: 9  Freshman Member
    First Comment Friend Collector Fourth Anniversary
    Oh I'm sorry bro, I totally missed that it was another product than a NAS. I see, but I'm not sure what to do in your situation. Maybe this official guide might be of interest to you:
    https://support.zyxel.eu/hc/en-us/articles/360010685980-Import-a-Lets-Encrypt-certificate-to-the-USG

    If not then I wish you the best, God bless.
  • tonygibbs16
    tonygibbs16 Posts: 945  Guru Member
    50 Answers 500 Comments Friend Collector Fourth Anniversary
    edited January 2021
    Hello @kmr1962

    Is the local certificate you are trying to import signed by the Trusted CA you are trying to import?

    If yes, then according to the user guide at ftp://ftp.zyxel.com/XMG3927-B50A/user_guide/ section 22.4 then you just need to add the CA certificate and the router will then trust any certificates signed by it.

    You can only add 4 CA to the router according to the user guide.

    Is the "Working" hangup occuring when you try to add the CA certificate to the Trusted CA list or when you try to add the Local Certificate?

    Merry Christmas and Happy New Year.

    Tony
  • kmr1962
    kmr1962 Posts: 6  Freshman Member
    @tonygibbs16

    Thanks for your reply
    Unfortunately the import "hangs" when importing either the Trusted CA or Local Certificate
    It looks as if there s no communication between the browser and the router after initiating the upload of either certificate.

    I have tried this with the PC's Virus/Malware scanner disabled as well in case the issue was at the PC end.

    When I get a chance I will have a look at the communication with wireshark and/or fiddler to see if I can see any issue with the communication.
  • tonygibbs16
    tonygibbs16 Posts: 945  Guru Member
    50 Answers 500 Comments Friend Collector Fourth Anniversary
    Hello @kmr1962

    You're welcome.

    It might be worth checking the file formats of the certificates as well. The local certificate with private key has to be in a PEM format file.

    The CA certificates have to be in one of the following file formats:
    • Binary X.509
    • PEM (base 64) encoded.
    • Binary PKCS#7
    • PEM (base 64) encoded PKCS#7
    Merry Christmas and Happy New Year.

    Tony
  • kmr1962
    kmr1962 Posts: 6  Freshman Member
    @tonygibbs16
    Just for info, I have tried all 4 formats
    As well as CA certificates (Such as the Verisign Universal Root CA) exported from Windows 10

    A Happy New Year to you too.
    Kevin
  • tonygibbs16
    tonygibbs16 Posts: 945  Guru Member
    50 Answers 500 Comments Friend Collector Fourth Anniversary
    edited December 2020
    Thanks Kevin @kmr1962

    Just for completeness, what firmware is your router running?

    The latest in ftp://ftp.zyxel.com/XMG3927-B50A/firmware/ is 5.13(ABMT.0)C0 from early 2019.
        - the release notes do not mention certificate issues.

    So maybe Wireshark will show up something.

    Merry Christmas and Happy New Year.

    Tony
  • kmr1962
    kmr1962 Posts: 6  Freshman Member
    That is the firmware I am running - "5.13(ABMT.0)C0"
  • kmr1962
    kmr1962 Posts: 6  Freshman Member
    Answer ✓
    For info

    I have identified the issue
    I have changed the IP address of the router and the web interface tries to upload the certificate to the default address (192.168.1.1) so fails

    Reverting the address to 192.168.1.1 allows the certificates to be uploaded.

Categories

Consumer Product Help Center

EnglishTiếng ViệtРусскийไทย中文(台灣)