Import certificate - ERROR: Import custom CA fail
Hi, I just received an XMG1915 today. I have configured almost everything, but I can't import a custom certificate.
We run our own CA, and all the services in our lab use certificates issued by our own CA, so they are trusted by the browsers in the company because the CA certificate is distributed to all computers.
I've generated a standard PKCS12 as indicated, including the certificate and the intermediate certificate. I've tested with 8192-bit RSA key pairs and 2048-bit RSA key pairs with SHA-512 and SHA-256 signatures, and all fail with the same error message. There is no information anywhere about the reason the certificate is rejected or not imported.
We need additional information about how to generate a valid PKCS12 suitable for your hardware and about the limitations on the certificates: the signature algorithms supported, or at least an example of a successful certificate creation and import process, so we can figure out what's going on.
Thank you for your attention,
Regards
Ignacio
Hi @ihr,
Welcome to the Zyxel Community!
We can confirm that 2048-bit RSA key pairs with SHA-256/SHA-512 should be supported on this device, so we'd like to investigate further.
Could you help us with the following?
- Generate a new PKCS12 certificate using the same setup, and set the password to 1234, then share the file with us via private message so we can test on our end.
- Please share the firmware version currently running on your XMG1915.
Thank you for your cooperation!
Zyxel Tina
Thank you for jumping in. You should have it in your inbox.
FYI. Here is the process to generate the p12:
Requirements:
- Digital certificate (2048 bits) (in this case it is swpapa.pem)
- Private key (in this case it is private.key)
- Intermediate CA certificate (in my case this is 8192-bit RSA and the file name is ServersCA.pem)
- Password is written in a file named p12pass.txt
Command to execute:
openssl pkcs12 -export -out swpapa.p12 -inkey private.key -in swpapa.pem -certfile ServersCA.pem -passout file:p12pass.txt
This generates the output swpapa.p12
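As an added example (not part of the thread or of Zyxel's documentation), the script below rebuilds the poster's PKCS#12 from a constructed toy PKI (root CA, an intermediate named ServersCA, a leaf for a hypothetical host) and then inspects the bundle, so you can check before uploading whether it carries a CA chain, which is what the switch rejects, or a single self-signed certificate, which is the workaround Zyxel suggests. All file names, subjects and the password are constructed for the demo; it only needs the openssl CLI.

```shell
#!/bin/sh
# Added example, not from the thread. Reproduces the poster's PKCS#12 build
# with a constructed toy PKI, then inspects the .p12 to show why the switch
# rejects it: the bundle carries a CA-issued leaf plus an intermediate, while
# the device only accepts a self-signed certificate.
set -eu
WORK="$(mktemp -d)"; cd "$WORK"
printf 'demo-password' > p12pass.txt          # constructed export password

# Toy chain: Demo Root CA -> ServersCA (intermediate) -> swpapa (leaf)
openssl req -x509 -newkey rsa:2048 -nodes -keyout root.key -out root.pem \
  -subj "/CN=Demo Root CA" -days 30 >/dev/null 2>&1
printf 'basicConstraints=CA:TRUE\n' > ca.ext
openssl req -newkey rsa:2048 -nodes -keyout inter.key -out inter.csr \
  -subj "/CN=ServersCA" >/dev/null 2>&1
openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -extfile ca.ext -out ServersCA.pem -days 30 >/dev/null 2>&1
openssl req -newkey rsa:2048 -nodes -keyout private.key -out swpapa.csr \
  -subj "/CN=swpapa.lab.example" >/dev/null 2>&1
openssl x509 -req -in swpapa.csr -CA ServersCA.pem -CAkey inter.key \
  -CAcreateserial -out swpapa.pem -days 30 >/dev/null 2>&1

# 1) The poster's command, verbatim: leaf + key + intermediate in one bundle
openssl pkcs12 -export -out swpapa.p12 -inkey private.key -in swpapa.pem \
  -certfile ServersCA.pem -passout file:p12pass.txt
# 2) Zyxel's suggested workaround: a self-signed certificate for the switch
openssl req -x509 -newkey rsa:2048 -nodes -keyout sw.key -out sw.pem \
  -subj "/CN=xmg1915.lab.example" -days 30 >/dev/null 2>&1
openssl pkcs12 -export -out selfsigned.p12 -inkey sw.key -in sw.pem \
  -passout file:p12pass.txt

# How many certificates does the bundle carry? (>1 means a chain is present)
p12_cert_count() {
  openssl pkcs12 -in "$1" -nokeys -passin file:p12pass.txt 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE'
}
# Is the end-entity certificate self-signed (subject == issuer)?
leaf_is_self_signed() {
  pem="$(openssl pkcs12 -in "$1" -nokeys -clcerts -passin file:p12pass.txt 2>/dev/null)"
  subj="$(printf '%s\n' "$pem" | openssl x509 -noout -subject | sed 's/^[a-z]*=//')"
  iss="$(printf '%s\n' "$pem" | openssl x509 -noout -issuer | sed 's/^[a-z]*=//')"
  if [ "$subj" = "$iss" ]; then echo yes; else echo no; fi
}

for f in swpapa.p12 selfsigned.p12; do
  echo "$f: certs=$(p12_cert_count "$f") leaf_self_signed=$(leaf_is_self_signed "$f")"
done
```

The first bundle reports two certificates and a non-self-signed leaf, which is the combination the switch refuses; the second reports one self-signed certificate.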
Hi @ihr,
Sorry for the late reply!
After checking your certificate, we found that it is issued by a CA with an intermediate certificate in the chain.
Currently, the switch only supports self-signed certificates and does not support importing CA-signed certificates (including intermediate CA chains). Therefore, your certificate cannot be applied on the device at this time.
As a workaround, we recommend using a self-signed certificate for the switch.
Additionally, to help our team evaluate this as a future feature request, could you please share more details about:
- Your CA deployment scenario and application
- The number of switches in your environment
- Which CA/vendor your certificate is issued from
This information will help us better understand your requirements and assess potential improvements.
Thank you for your patience and cooperation!
Zyxel Tina
Hi Tina, sorry for the late response.
We are a software development company, and we have a development environment hosted locally. In our development environment we test not only our software but also what the real production environment is like. So, we have our own CA (with a self-signed certificate), and we have an intermediate certificate for all the hardware we install. We have separate intermediate CAs for users, services, and hardware. Then, we issue certificates for the elements we need.
About the number of switches, we have 12 in our environment from different brands, including Cisco, Netgear, Fortinet, Aruba, etc.
In the case of Netgear, for example, we install OpenWRT because of their limitations with CA certificates.
Hopefully, this will also be the case for your device, as it lacks support for them.
We don't purchase certificates for our development environment. Only for the production environment. We maintain a local CA in order to issue certificates for all of our infrastructure.
Regards
Ignacio
Hi @ihr,
Thank you for your feedback!
I've forwarded this request to our related development team and created an idea post for better tracking during the evaluation of this feature. Please don't forget to give it a vote if you also like this request.
Zyxel Tina