Import certificate - ERROR: Import custom CA fail

Options
ihr
ihr Posts: 4 image  Freshman Member
First Comment
in Switch

Hi, I just received today an XMG1915. I configured almost everything but can't import custom certificate.
We run our own CA and all our services in our lab are using certificates issued by our own CA so they are trusted by our browsers in the company because the CA-Certificate is distributed to all computers.

I've generated a standard PKCS12 as indicated including the certificate, and the intermediate certificate. I've tested with 8192 bits RSA key pairs and 2048 RSA key pairs with sha512 and sha256 signatures and all fail with the same error message. There is nowhere information about the reason the certificate is rejected or not imported.

We need additional information about how to generate a valid PKCS12 suitable for your hardware and the limitations in the certificates. The signature algorithms supported, or, at least, an example of a success certificate creation and import process so we can figure out what's going on.

Thank you for your attention,

Regards

Ignacio

All Replies

  • Zyxel_Tina
    Zyxel_Tina Posts: 729 image  Zyxel Employee
    Zyxel Certified Network Administrator - Security Zyxel Certified Network Administrator - Switch 100 Answers 500 Comments
    edited March 24

    Hi @ihr,

    Welcome to the Zyxel Community!

    We can confirm that 2048-bit RSA key pairs with SHA-256/SHA-512 should be supported on this device, so we'd like to investigate further.

    Could you help us with the following?

    1. Generate a new PKCS12 certificate using the same setup, and set the password to 1234, then share the file with us via private message so we can test on our end.
    2. Please share the firmware version currently running on your XMG1915.

    Thank you for your cooperation!

    Zyxel Tina

  • ihr
    ihr Posts: 4 image  Freshman Member
    First Comment

    Thank you for jumping in. You should have it in your inbox.

  • ihr
    ihr Posts: 4 image  Freshman Member
    First Comment

    FYI. Here is the process to generate the p12:

    Requirements:

    • Digital certificate (2048 bits) (in this case it is swpapa.pem)
    • Private key (in this case it is private.key)
    • Intermediate ca certificate (in my case this is 8192 bits RSA and file name is ServersCA.pem)
    • Password is written in a file named p12pass.txt

    Command to execute:

    openssl pkcs12 -export -out swpapa.p12 -inkey private.key -in swpapa.pem -certfile ServersCA.pem -passout file:p12pass.txt

    This generates the output swpapa.p12

Categories

Switch Help Center

EnglishTiếng ViệtРусскийไทย中文(台灣)