Adding an SSL certificate for Cisco SG series switches

This has been beating me over the head for ages, so now that I finally made it work, I decided I best share it with the masses to hopefully help others who’ve similarly had issues.

I own and use a Cisco SG200-26 switch at home.  A bit of overkill for a home network, but it works great and I love the functionality it gives me.  However, when accessing the switch to do any sort of configuration, I was always annoyed by the certificate errors when accessing it via HTTPS.  No matter how I tried to get a valid certificate on there, I kept getting errors.  After much researching and desk head banging I finally found a way to get a signed SHA2 cert to install using OpenSSL.

If you have your own CA, hopefully this will help you get your certificate to work.  Otherwise, you should be able to use your CA of choice.  (Edit: references to previously recommended CA removed.)

First, forget using the CSR generated by the switch.  The CA I used won’t accept it and I gave up on trying to figure out what was wrong with the format.  Use OpenSSL to generate your own key and a CSR for the switch.

(Edit: you HAVE to use a 2048 bit key. A 4096 bit key won’t paste into the web interface.)

$ openssl req -new -sha256 -newkey rsa:2048 -nodes -out yourdomain.csr -keyout yourdomain.key -subj "/C=[Insert country here]/ST=[Insert state here]/L=[Insert city here]/O=example.com/CN=yourserver.example.com"

Log in, use the CSR and get your shiny new certificate.  Save it to your PC.

Now you’ve got to format the private key to match what Cisco is looking for on the switch.  If you look at the key generated it starts out something like this:

-----BEGIN PRIVATE KEY-----
MI...
(a whole bunch of text)
...M=
-----END PRIVATE KEY-----

Cisco won’t take it.  That file is already PEM, but it’s the PKCS#8 wrapper (“BEGIN PRIVATE KEY”); the switch wants the traditional PKCS#1 form (“BEGIN RSA PRIVATE KEY”).  So do this:

$ openssl rsa -in yourdomain.key -outform pem > yourdomain.pem
writing RSA key

Take a look at your new key, and now you’ll see this:

-----BEGIN RSA PRIVATE KEY-----
MI...
(a whole bunch of text that looks different)
...7D
-----END RSA PRIVATE KEY-----

THIS private key will work.  Now you need your public key.  So do this:

$ openssl rsa -in yourdomain.pem -pubout > yourdomain.pub
writing RSA key

So now you have your shiny public key ready to go:

-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAo5Q21pIa/5C2IXIgQw9Z
iWn63D9K2iNNAR/FSnP+tjyhp+6bHRQOs8FyQLOfiBZR8DW72aqrbFD7cUYgX0Iv
JgpdjWLSxJXi/hbi9rDQFMHAe3qqPn104CaDfxnv7hOfR3+ct9sdCAB/ChoIVCEp
GCn9dRwlEVi1DZ8sN5tVH0/wwqW7MfxPdPuyfqjc/ZoPobVUtq/ovyQi1IaMUFKV
dlXlJ9XQcpZDz6pwEb4ji3E2fMA1gMcO38hX7BV0S0xrTqAB++9gP3MMCu4ZlKFh
ei9q4E1M6psTWnYIgNOo5NMk7tJP1O0Cc6REOV7bft8y0TqZ4qsza+K1Ow6GgYEL
vwIDAQAB
-----END PUBLIC KEY-----

However – and I know this is crap – this public key won’t work either.  I give all the credit to this guy who spelled out the reasoning and how to fix this.  It’s really very simple.  You delete the first 32 characters and add “RSA” in front of public.  Those 32 base64 characters are the 24-byte SubjectPublicKeyInfo wrapper (the outer SEQUENCE header, the rsaEncryption AlgorithmIdentifier and the BIT STRING header); what’s left is the bare PKCS#1 RSAPublicKey, which is exactly what the “RSA PUBLIC KEY” label means.

-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A  <-- 1st 32 characters to delete
MIIBCgKCAQEAo5Q21pIa/5C2IXIgQw9Z
iWn63D9K2iNNAR/FSnP+tjyhp+6bHRQOs8FyQLOfiBZR8DW72aqrbFD7cUYgX0Iv
JgpdjWLSxJXi/hbi9rDQFMHAe3qqPn104CaDfxnv7hOfR3+ct9sdCAB/ChoIVCEp
GCn9dRwlEVi1DZ8sN5tVH0/wwqW7MfxPdPuyfqjc/ZoPobVUtq/ovyQi1IaMUFKV
dlXlJ9XQcpZDz6pwEb4ji3E2fMA1gMcO38hX7BV0S0xrTqAB++9gP3MMCu4ZlKFh
ei9q4E1M6psTWnYIgNOo5NMk7tJP1O0Cc6REOV7bft8y0TqZ4qsza+K1Ow6GgYEL
vwIDAQAB
-----END PUBLIC KEY-----

-----BEGIN RSA PUBLIC KEY-----  <-- RSA added
MIIBCgKCAQEAo5Q21pIa/5C2IXIgQw9Z
iWn63D9K2iNNAR/FSnP+tjyhp+6bHRQOs8FyQLOfiBZR8DW72aqrbFD7cUYgX0Iv
JgpdjWLSxJXi/hbi9rDQFMHAe3qqPn104CaDfxnv7hOfR3+ct9sdCAB/ChoIVCEp
GCn9dRwlEVi1DZ8sN5tVH0/wwqW7MfxPdPuyfqjc/ZoPobVUtq/ovyQi1IaMUFKV
dlXlJ9XQcpZDz6pwEb4ji3E2fMA1gMcO38hX7BV0S0xrTqAB++9gP3MMCu4ZlKFh
ei9q4E1M6psTWnYIgNOo5NMk7tJP1O0Cc6REOV7bft8y0TqZ4qsza+K1Ow6GgYEL
vwIDAQAB
-----END RSA PUBLIC KEY-----  <-- RSA added

-----BEGIN RSA PUBLIC KEY-----
MIIBCgKCAQEAo5Q21pIa/5C2IXIgQw9ZiWn63D9K2iNNAR/FSnP+tjyhp+6bHRQO
s8FyQLOfiBZR8DW72aqrbFD7cUYgX0IvJgpdjWLSxJXi/hbi9rDQFMHAe3qqPn10
4CaDfxnv7hOfR3+ct9sdCAB/ChoIVCEpGCn9dRwlEVi1DZ8sN5tVH0/wwqW7MfxP
dPuyfqjc/ZoPobVUtq/ovyQi1IaMUFKVdlXlJ9XQcpZDz6pwEb4ji3E2fMA1gMcO
38hX7BV0S0xrTqAB++9gP3MMCu4ZlKFhei9q4E1M6psTWnYIgNOo5NMk7tJP1O0C
c6REOV7bft8y0TqZ4qsza+K1Ow6GgYELvwIDAQAB
-----END RSA PUBLIC KEY-----

The final product!  I went ahead and reformatted mine so that the length of each line was consistent.  I didn’t know how picky the switch was going to be when I imported it, so I figured why bother chancing it.

ANYWAY, now you’re ready to go into your switch settings and import your certificate and your keys!

Cisco SG200-26 Configuration

To add the cert, go under Security, then SSL Server, then SSL Server Authentication Settings.  This opens a page where you can insert your certificate into one of two slots.  (You can already see mine!)  Click the check box for the one you want to replace, then click “Import Certificate…”

Cisco SG200-26 SSL Certificate Import

Enable Import RSA Key-Pair, then click the radio button next to Plaintext for your Private Key (since that’s how it’s stored).  Copy and paste your certificate (the one thing you didn’t have to mess with!) and the public and private keys that we made.  Click Apply.  Now click the radio button next to the number of the certificate slot you used where it says “SSL Active Certificate Number”.  Save your config.  DONE.  Now you’re secured, no more annoying messages, everyone’s happy.

I hope that someone finds this helpful!  Thanks Cisco for making such easy to work with gear! /sarcasm