Adding an SSL certificate for Cisco SG series switches

This has been beating me over the head for ages, so now that I finally made it work, I decided I best share it with the masses to hopefully help others who’ve similarly had issues.

I own and use a Cisco SG200-26 switch at home.  A bit of overkill for a home network, but it works great and I love the functionality it gives me.  However, when accessing the switch to do any sort of configuration, I was always annoyed by the certificate errors when accessing it via HTTPS.  No matter how I tried to get a valid certificate on there, I kept getting errors.  After much researching and desk head banging I finally found a way to get a signed SHA2 cert to install using OpenSSL.

If you have your own CA, hopefully this will help you get your certificate to work.  Otherwise, you should be able to use your CA of choice.  (Edit: references to previously recommended CA removed.)

First, forget using the CSR generated by the switch.  The CA I used won’t accept it and I gave up on trying to figure out what was wrong with the format.  Use OpenSSL to generate your own key and a CSR for the switch.

(Edit: you HAVE to use a 2048 bit key. A 4096 bit key won’t paste into the web interface.)

$ openssl req -new -sha256 -newkey rsa:2048 -nodes -out yourdomain.csr -keyout yourdomain.key -subj "/C=[Insert country here]/ST=[Insert state here]/L=[Insert city here]/O=example.com/CN=yourserver.example.com"

Log in, use the CSR and get your shiny new certificate.  Save it to your PC.

Now you’ve got to format the private key to match what Cisco is looking for on the switch.  If you look at the key generated it starts out something like this:

-----BEGIN PRIVATE KEY-----
MI...
(a whole bunch of text)
...M=
-----END PRIVATE KEY-----

Cisco won’t take it.  You’ve got to convert it from PKCS#8 to the traditional RSA (PKCS#1) PEM format.  So do this:

$ openssl rsa -in yourdomain.key -outform pem > yourdomain.pem
writing RSA key

Take a look at your new key, and now you’ll see this:

-----BEGIN RSA PRIVATE KEY-----
MI...
(a whole bunch of text that looks different)
...7D
-----END RSA PRIVATE KEY-----

THIS private key will work.  Now you need your public key.  So do this:

$ openssl rsa -in yourdomain.pem -pubout > yourdomain.pub
writing RSA key

So now you have your shiny public key ready to go:

-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAo5Q21pIa/5C2IXIgQw9Z
iWn63D9K2iNNAR/FSnP+tjyhp+6bHRQOs8FyQLOfiBZR8DW72aqrbFD7cUYgX0Iv
JgpdjWLSxJXi/hbi9rDQFMHAe3qqPn104CaDfxnv7hOfR3+ct9sdCAB/ChoIVCEp
GCn9dRwlEVi1DZ8sN5tVH0/wwqW7MfxPdPuyfqjc/ZoPobVUtq/ovyQi1IaMUFKV
dlXlJ9XQcpZDz6pwEb4ji3E2fMA1gMcO38hX7BV0S0xrTqAB++9gP3MMCu4ZlKFh
ei9q4E1M6psTWnYIgNOo5NMk7tJP1O0Cc6REOV7bft8y0TqZ4qsza+K1Ow6GgYEL
vwIDAQAB
-----END PUBLIC KEY-----

However – and I know this is crap – this public key won’t work either.  I give all the credit to this guy who spelled out the reasoning and how to fix this.  It’s really very simple.  You delete the first 32 characters and add “RSA” in front of PUBLIC on both the BEGIN and END lines.

-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A  <-- 1st 32 characters to delete
MIIBCgKCAQEAo5Q21pIa/5C2IXIgQw9Z
iWn63D9K2iNNAR/FSnP+tjyhp+6bHRQOs8FyQLOfiBZR8DW72aqrbFD7cUYgX0Iv
JgpdjWLSxJXi/hbi9rDQFMHAe3qqPn104CaDfxnv7hOfR3+ct9sdCAB/ChoIVCEp
GCn9dRwlEVi1DZ8sN5tVH0/wwqW7MfxPdPuyfqjc/ZoPobVUtq/ovyQi1IaMUFKV
dlXlJ9XQcpZDz6pwEb4ji3E2fMA1gMcO38hX7BV0S0xrTqAB++9gP3MMCu4ZlKFh
ei9q4E1M6psTWnYIgNOo5NMk7tJP1O0Cc6REOV7bft8y0TqZ4qsza+K1Ow6GgYEL
vwIDAQAB
-----END PUBLIC KEY-----

-----BEGIN RSA PUBLIC KEY-----  <-- RSA added
MIIBCgKCAQEAo5Q21pIa/5C2IXIgQw9Z
iWn63D9K2iNNAR/FSnP+tjyhp+6bHRQOs8FyQLOfiBZR8DW72aqrbFD7cUYgX0Iv
JgpdjWLSxJXi/hbi9rDQFMHAe3qqPn104CaDfxnv7hOfR3+ct9sdCAB/ChoIVCEp
GCn9dRwlEVi1DZ8sN5tVH0/wwqW7MfxPdPuyfqjc/ZoPobVUtq/ovyQi1IaMUFKV
dlXlJ9XQcpZDz6pwEb4ji3E2fMA1gMcO38hX7BV0S0xrTqAB++9gP3MMCu4ZlKFh
ei9q4E1M6psTWnYIgNOo5NMk7tJP1O0Cc6REOV7bft8y0TqZ4qsza+K1Ow6GgYEL
vwIDAQAB
-----END RSA PUBLIC KEY-----  <-- RSA added

-----BEGIN RSA PUBLIC KEY-----
MIIBCgKCAQEAo5Q21pIa/5C2IXIgQw9ZiWn63D9K2iNNAR/FSnP+tjyhp+6bHRQO
s8FyQLOfiBZR8DW72aqrbFD7cUYgX0IvJgpdjWLSxJXi/hbi9rDQFMHAe3qqPn10
4CaDfxnv7hOfR3+ct9sdCAB/ChoIVCEpGCn9dRwlEVi1DZ8sN5tVH0/wwqW7MfxP
dPuyfqjc/ZoPobVUtq/ovyQi1IaMUFKVdlXlJ9XQcpZDz6pwEb4ji3E2fMA1gMcO
38hX7BV0S0xrTqAB++9gP3MMCu4ZlKFhei9q4E1M6psTWnYIgNOo5NMk7tJP1O0C
c6REOV7bft8y0TqZ4qsza+K1Ow6GgYELvwIDAQAB
-----END RSA PUBLIC KEY-----

The final product!  I went ahead and reformatted mine so that the length of each line was consistent.  I didn’t know how picky the switch was going to be when I imported it, so I figured why bother chancing it.
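Here is an added Python example (not code from the post) that does the “delete the first 32 characters and relabel” step by parsing the DER instead of counting characters. Those 32 base64 characters are the 24-byte SubjectPublicKeyInfo wrapper (outer SEQUENCE, the rsaEncryption AlgorithmIdentifier, and the BIT STRING header) around the PKCS#1 RSAPublicKey the switch wants; for 2048-bit and 4096-bit keys that wrapper is 24 bytes, which is exactly 32 base64 characters, so the hand-edit works, and the script reports that count instead of assuming it. It uses only the standard library, takes the “BEGIN PUBLIC KEY” block shown above as its sample input, checks the result against the final product shown above, and writes the output with 64-character lines and no newline after the END line. Function names are this example’s own.

```python
# Added example: convert an OpenSSL "BEGIN PUBLIC KEY" (SubjectPublicKeyInfo)
# PEM into the "BEGIN RSA PUBLIC KEY" (PKCS#1 RSAPublicKey) PEM the switch
# wants, by parsing the DER wrapper instead of deleting a fixed 32 characters.
# Standard library only; function names are this example's own.
import base64
import re

# Sample input: the "BEGIN PUBLIC KEY" block shown in the post.
SPKI_PEM = """-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAo5Q21pIa/5C2IXIgQw9Z
iWn63D9K2iNNAR/FSnP+tjyhp+6bHRQOs8FyQLOfiBZR8DW72aqrbFD7cUYgX0Iv
JgpdjWLSxJXi/hbi9rDQFMHAe3qqPn104CaDfxnv7hOfR3+ct9sdCAB/ChoIVCEp
GCn9dRwlEVi1DZ8sN5tVH0/wwqW7MfxPdPuyfqjc/ZoPobVUtq/ovyQi1IaMUFKV
dlXlJ9XQcpZDz6pwEb4ji3E2fMA1gMcO38hX7BV0S0xrTqAB++9gP3MMCu4ZlKFh
ei9q4E1M6psTWnYIgNOo5NMk7tJP1O0Cc6REOV7bft8y0TqZ4qsza+K1Ow6GgYEL
vwIDAQAB
-----END PUBLIC KEY-----
"""

# The post's hand-edited "final product", used to confirm the parser agrees.
EXPECTED_PKCS1_PEM = """-----BEGIN RSA PUBLIC KEY-----
MIIBCgKCAQEAo5Q21pIa/5C2IXIgQw9ZiWn63D9K2iNNAR/FSnP+tjyhp+6bHRQO
s8FyQLOfiBZR8DW72aqrbFD7cUYgX0IvJgpdjWLSxJXi/hbi9rDQFMHAe3qqPn10
4CaDfxnv7hOfR3+ct9sdCAB/ChoIVCEpGCn9dRwlEVi1DZ8sN5tVH0/wwqW7MfxP
dPuyfqjc/ZoPobVUtq/ovyQi1IaMUFKVdlXlJ9XQcpZDz6pwEb4ji3E2fMA1gMcO
38hX7BV0S0xrTqAB++9gP3MMCu4ZlKFhei9q4E1M6psTWnYIgNOo5NMk7tJP1O0C
c6REOV7bft8y0TqZ4qsza+K1Ow6GgYELvwIDAQAB
-----END RSA PUBLIC KEY-----"""

RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1


def _read_tlv(der, pos):
    """Read one DER tag/length at pos; return (tag, value_start, value_end)."""
    tag, length = der[pos], der[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        count = length & 0x7F
        length = int.from_bytes(der[pos:pos + count], "big")
        pos += count
    return tag, pos, pos + length


def pem_to_der(pem, label):
    """Base64-decode the body of the PEM block carrying exactly this label."""
    m = re.search(r"-----BEGIN %s-----(.*?)-----END %s-----" % (label, label), pem, re.S)
    if m is None:
        raise ValueError("no BEGIN %s block found" % label)
    return base64.b64decode("".join(m.group(1).split()))


def der_to_pem(der, label, width=64):
    """Wrap DER as PEM: 64-character lines and NO newline after the END line."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + width] for i in range(0, len(b64), width))
    return "-----BEGIN %s-----\n%s\n-----END %s-----" % (label, body, label)


def unwrap_spki(spki_der):
    """Return (RSAPublicKey DER, wrapper length in bytes) from SubjectPublicKeyInfo DER."""
    tag, pos, end = _read_tlv(spki_der, 0)  # SubjectPublicKeyInfo ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a SEQUENCE")
    tag, alg_start, alg_end = _read_tlv(spki_der, pos)  # AlgorithmIdentifier SEQUENCE
    if tag != 0x30:
        raise ValueError("missing AlgorithmIdentifier")
    tag, oid_start, oid_end = _read_tlv(spki_der, alg_start)  # OBJECT IDENTIFIER
    if tag != 0x06 or spki_der[oid_start:oid_end] != RSA_ENCRYPTION_OID:
        raise ValueError("not an rsaEncryption key")
    tag, bits_start, bits_end = _read_tlv(spki_der, alg_end)  # subjectPublicKey BIT STRING
    if tag != 0x03 or spki_der[bits_start] != 0x00 or bits_end != end:
        raise ValueError("malformed subjectPublicKey BIT STRING")
    key_start = bits_start + 1  # skip the "unused bits" byte; RSAPublicKey follows
    return spki_der[key_start:bits_end], key_start


def spki_pem_to_pkcs1_pem(spki_pem):
    """The whole conversion: BEGIN PUBLIC KEY -> BEGIN RSA PUBLIC KEY."""
    rsa_key_der, _ = unwrap_spki(pem_to_der(spki_pem, "PUBLIC KEY"))
    return der_to_pem(rsa_key_der, "RSA PUBLIC KEY")


def base64_chars_to_strip(spki_pem):
    """How many leading base64 characters the hand-edit must delete, or None when
    the wrapper is not a whole number of base64 groups (e.g. 1024-bit keys)."""
    _, wrapper_len = unwrap_spki(pem_to_der(spki_pem, "PUBLIC KEY"))
    return wrapper_len * 4 // 3 if wrapper_len % 3 == 0 else None


if __name__ == "__main__":
    out = spki_pem_to_pkcs1_pem(SPKI_PEM)
    print(out)
    print("matches the post's final product:", out == EXPECTED_PKCS1_PEM)
    print("characters the hand-edit deletes:", base64_chars_to_strip(SPKI_PEM))
```

Because the parser checks the rsaEncryption OID and the BIT STRING framing, it refuses inputs the character-counting trick would silently mangle (a non-RSA key, or a key size whose wrapper is not 24 bytes), which is the kind of mistake that shows up later only as an opaque import error on the switch.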

ANYWAY, now you’re ready to go into your switch settings and import your certificate and your keys!

Cisco SG200-26 Configuration

To add the cert, go under Security, then SSL Server, then SSL Server Authentication Settings.  This opens a page where you can put your certificate into one of two slots.  (You can already see mine!)  Click the check box for the one you want to replace, then click “Import Certificate…”

Cisco SG200-26 SSL Certificate Import

Enable Import RSA Key-Pair, then click the radio button next to Plaintext for your Private Key (since that’s how it’s stored).  Copy and paste your certificate (the one thing you didn’t have to mess with!) and the public and private keys that we made.  Click Apply.  Now click the radio button next to the number of the certificate slot you used where it says “SSL Active Certificate Number”.  Save your config.  DONE.  Now you’re secured, no more annoying messages, everyone’s happy.

I hope that someone finds this helpful!  Thanks Cisco for making such easy to work with gear! /sarcasm

40 Comments

  1. This is incredibly shameful behavior by Cisco to make importing an SSL certificate this hard. That company does NOT take security seriously.

  2. Thanks, this helped me. I’ve been frustrated by this for like 2 years!

  3. The certificate box doesn’t let me paste my whole certificate in. It cuts it off, so even after formatting all the keys, I can’t import my cert. I take it this is because my key is 4096 bits long.

    • Ooh, good call. I only tried a 2048 bit key. I guess this is a limitation of the web interface.

  4. Thanks for this post. I have a problem. I got this error: “Inconsistent Value”. I did your instructions step by step, but I couldn’t import the certificate. Could you help me please?

    • At what point did you get the error? Can you document the steps you took and commands you made?

  5. I get the “Inconsistent Value” error after I fill in the “Certificate”, “Private Key” and “Public Key” fields and click Apply on the web GUI page. I followed your instructions exactly, step by step, five times.

  6. Firstly, I use this command:

    Set OPENSSL_CONF=C:\OpenSSL-Win64\bin\openssl.cfg

    The openssl.cfg file is the default configuration file that installs with the “Win64OpenSSL_Light-1_0_2f” file.

    Then I use your command to create the .csr and .key files:

    openssl req -new -sha256 -newkey rsa:2048 -nodes -out yourdomain.csr -keyout yourdomain.key

    I fill in “Country Name”, “State” and so on as blank, except “Common Name”.
    I fill in “Common Name” with “https://192.168.1.254”.
    I fill in the “Challenge Password” and “An optional company name” as blank too.

    After these steps, I go to “https://startssl.com/”, sign my .csr file, then follow the rest of your commands exactly.

  7. Thanks for publishing this!

    One thing I noticed while following your instructions is that the switch didn’t tolerate a newline at the end of some of the “END” lines so if folks are still having trouble (with a different error message) then make sure there is no newline after the last line of text in each of the cert/key fields.

    I’ve automated the process of generating certs for these switches, and I think it is pretty obvious how to do that to most, but I’ll contribute to your work by providing these lines which clean up the public key file as you described:

    sed -e "s/ PUBLIC/ RSA PUBLIC/" "$switch"_key.pub > "$switch"_key.pub.temp

    sed -r -e "s/^MII\w{29}MII/MII/" "$switch"_key.pub.temp > "$switch"_key_cisco.pub

    rm "$switch"_key.pub.temp

  8. Reading more of the comments above, I think I recall discovering that the “inconsistent value” is the error the switch gives you when you have a newline character(s) at the end of the END lines. Don’t terminate the last line with a newline in the web form and you should be fine.

    • Thanks for the script and for the insight Bryan! I suck at thinking along those lines unless it’s something I do a lot, which in this case for me was only once. 😉

  9. Thanks for the reply. I checked it out. I removed all the newlines from the last line of “Certificate”, “Public key” and “Private key”; however, my problem hasn’t been solved. I appreciate everything you do.

  10. Guy, you’re a star!

    Cisco: WHAT WERE YOU THINKING?!!

    Also thanks to Bryan B for the newline at end Tip to prevent “inconsistent value”.

  11. You can also generate the type of public RSA key format the switch is looking for using this openssl command:

    openssl rsa -in private/example.key.pem -RSAPublicKey_out

  12. I use another OpenSSL from http://gnuwin32.sourceforge.net/packages/openssl.htm

    that was recommended by this link:
    http://www.cisco.com/c/en/us/td/docs/switches/datacenter/mds9000/sw/4_1/sme/configuration/guide/smebook/cert.html

    I use this command:
    "OpenSSL> genrsa -out privkey.key 2048 -config openssl.cnf"

    So I can create the private key; then I use this command to create the certificate:
    "OpenSSL> req -x509 -new -nodes -key privkey.key -days 365 -out cacert.pem -outform PEM -config openssl.cnf"

    I create the public key the same as in the above instructions.
    Then I copy and paste the “Private Key”, “Certificate” and “Public Key” that I made.

    Import Success!!! 🙂

    I tried to create the csr file and then sign it using https://startssl.com/, but this site doesn’t accept my csr file.

    So I create the crt with this command:
    "OpenSSL> req -x509 -new -nodes -key privkey.key -days 365 -out cacert.crt -config openssl.cnf"

    I’m glad; however, when I create the crt file to install the certificate in the client browser and install it into trusted roots, my browser can’t connect to the switch with https.

    Could you help me, please?

    • Do you have https access enabled on the switch? I can’t remember what option it’s under, but you may have to enable it.

  13. Yes, I enabled that.
    My problem has been solved. It occurred because the signing algorithm was SHA1. The new browser doesn’t accept this weak algorithm, so I used the “-sha256” switch to create a SHA2 signature algorithm.
    I appreciate everything you do.

  14. Hi

    I am having issues with my SG300-28 switch, which won’t import an OpenSSL certificate.

    I have created a Cisco Support Community thread about it:
    https://supportforums.cisco.com/discussion/13045686/issue-importing-ssl-certificate-sg300-28

    Basically I have done something very similar to this blog post (but of course found the blog post afterwards).
    I am running firmware 1.4.5.02.
    My OpenSSL command, looked like this:
    openssl req -new -newkey rsa:2048 -nodes -out switch_home_hazenet_dk.csr -keyout switch_home_hazenet_dk.key -subj "/C=DK/ST=Jylland/L=Hedensted/O=Hazenet/OU=Home/CN=switch.home.hazenet.dk"

    I signed it with StartSSL.
    But when I try to import it, I get “Failed to load public key”
    Even though I have the Private Key in RSA format, and I have added “RSA” to the Public Key header.

    Any ideas?

  15. Damn, that’s a complicated setup messing up with the keys, great work Cisco!

    Anyways, thanks for the guide, it worked perfectly for me on a SG300-28 switch. I used my own CA.

  16. I have a problem. I am using an SG300-20. I cannot paste in the RSA 2048 certificate generated by StartSSL. I copied the entire contents and it won’t paste the entire thing; it is truncated. I made sure this is the 2048 bit key. Also, if I click generate certificate request on the switch web page, the fields are disabled and I cannot copy.

  17. Nevermind, I was able to get it to work. The trick is, I had to use Internet Explorer 11 in compatibility mode. The field for the Certificate allows only 2048 characters even though a 2048 RSA cert is 2476 characters. So an error on Cisco’s part.

  18. Thank you. This was immensely helpful.

    I also had trouble with keys bigger than 2048 bits. I used the command line to add keys, hoping I could work around the limit in the text field in the web interface, but got errors like “Wrong private key footer format” when trying 3072-bit and 4096-bit keys. This occurred even though the keys were adjusted as described in this article. The same procedure with a 2048-bit key worked fine.

    I can’t find anything in the documentation about a 2048-bit limit, but that seems to be the max. Has anybody had any success with larger keys?

    Also, I don’t see it anywhere on this page, so I might as well mention it: to add keys/certs from the CLI, you ssh in and run the following commands:

    conf
    crypto certificate 2 import
    [paste the private key; hit return]
    [paste the adjusted public key; hit return]
    [paste the certificate; hit return]
    .
    ip https certificate 2
    end

    And then, to save:

    copy running-config startup-config
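A pre-import checker for the three pasted fields, added here as an example (not from the post or any commenter), that encodes the pitfalls reported in the comments above: a newline after the END line (the “Inconsistent Value” error), a header or footer label the switch does not expect (“Wrong private key footer format”), Windows CRLF line endings and stray characters from copy-paste, and text longer than the 2048-character web form field. The sample fields are constructed dummies (base64 text reused from the post’s public key inside a PRIVATE KEY frame, not a real key); the checker validates PEM framing and base64 only, not the key contents. Function names, and the assumption that the 2048-character limit applies to all three fields, are mine.

```python
# Added example: sanity-check the three text fields before pasting them into the
# switch (web form or CLI import). Checks PEM framing and base64 only, not key
# contents. Function names are this example's own.
import base64
import re

# Labels the post and the comments say each field must carry.
EXPECTED_LABELS = {
    "certificate": "CERTIFICATE",
    "private_key": "RSA PRIVATE KEY",  # PKCS#1, after "openssl rsa -outform pem"
    "public_key": "RSA PUBLIC KEY",    # PKCS#1, after the strip-and-relabel step
}
# Commenters report the web form field truncating at 2048 characters; assumed
# here (assumption) to apply to every field. No limit is reported for the CLI.
WEB_FIELD_LIMIT = 2048

# Constructed dummy field: right labels, but CRLF endings and a trailing newline.
# The body is base64 text borrowed from the post's public key, not a real key.
SAMPLE_PRIVATE_KEY = (
    "-----BEGIN RSA PRIVATE KEY-----\r\n"
    "MIIBCgKCAQEAo5Q21pIa/5C2IXIgQw9ZiWn63D9K2iNNAR/FSnP+tjyhp+6bHRQO\r\n"
    "c6REOV7bft8y0TqZ4qsza+K1Ow6GgYELvwIDAQAB\r\n"
    "-----END RSA PRIVATE KEY-----\r\n"
)
# Constructed dummy field: the public key before the relabel step was applied.
SAMPLE_UNCONVERTED_PUBLIC_KEY = "-----BEGIN PUBLIC KEY-----\nvwIDAQAB\n-----END PUBLIC KEY-----"


def check_field(kind, text):
    """Return a list of problems with one pasted field; an empty list means it looks OK."""
    label = EXPECTED_LABELS[kind]
    problems = []
    if "\r" in text:
        problems.append("CRLF line endings (Windows editor); convert to LF")
    if text.endswith("\n"):
        problems.append('newline after the END line (switch reports "Inconsistent Value")')
    lines = text.replace("\r", "").strip().split("\n")
    if lines[0] != "-----BEGIN %s-----" % label:
        problems.append("header is not -----BEGIN %s----- (got %r)" % (label, lines[0]))
    if lines[-1] != "-----END %s-----" % label:
        problems.append("footer is not -----END %s----- (got %r)" % (label, lines[-1]))
    body = "".join(lines[1:-1])
    if not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", body):
        problems.append("body has characters outside base64 (stray space or copy-paste damage)")
    else:
        try:
            base64.b64decode(body, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            problems.append("body is not valid base64 (bad length or padding)")
    if len(text) > WEB_FIELD_LIMIT:
        problems.append("%d characters exceeds the %d-character web form field; use the CLI import"
                        % (len(text), WEB_FIELD_LIMIT))
    return problems


def normalize_field(kind, text):
    """Apply the mechanical fixes: LF endings, no stray whitespace, body re-wrapped
    at 64 characters, and no newline after the END line. Labels are left alone,
    since fixing a wrong label is a conversion step, not a whitespace fix."""
    lines = [ln.strip() for ln in text.replace("\r", "").strip().split("\n") if ln.strip()]
    body = "".join(lines[1:-1])
    wrapped = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "\n".join([lines[0]] + wrapped + [lines[-1]])


if __name__ == "__main__":
    for kind, sample in (("private_key", SAMPLE_PRIVATE_KEY),
                         ("public_key", SAMPLE_UNCONVERTED_PUBLIC_KEY)):
        print(kind, "before:", check_field(kind, sample))
        print(kind, "after normalize:", check_field(kind, normalize_field(kind, sample)))
```

Run it over each field (the file contents, read without stripping) before pasting; the “before/after normalize” output shows which problems are whitespace the normalizer fixes and which, like a wrong label, mean a conversion step was skipped.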

  19. Thank you! This helped me fix the new Chrome strict subjectAltName enforcement on some SG350s.

  20. Thanks very much for this. What’s frustrating is that the certificate actually contains a copy of the public key, so why Cisco need it to be entered separately (and in a different format) is a mystery.

  21. Hi guys,
    does any of you have newer switches like the SG220 or SG250s?
    How is it there with SSL certs? Looks like Cisco removed ssl cert upload option from SG220 GUI.
    What about CLI?
    How is it with SG250?

    Thank you

  22. Firmware 1.4.8.6 on my SG500 appears to have fixed the issues I had attempting to generate and import a 2048 bit certificate via the web interface and AD Cert Serv. So it looks like they might have *finally* improved the cert process!

  23. Hey there,

    Thank you a lot for this. I found this information very handy already years ago, and had to come back several times… therefore I thought about contributing a little…

    Therefore I made a little bat file where you can drag and drop just a private key and it gives you the needed formats of the private key and the public key without tinkering around inside….

    So have fun with it.

    REM ---------------------------------------------------
    REM Cisco SG200-xx Certificate Key Modifier
    REM
    REM based on the following information:
    REM "http://www.severehalestorm.net/?p=54"
    REM "https://stackoverflow.com/questions/18039401/how-can-i-transform-between-the-two-styles-of-public-key-format-one-begin-rsa"
    REM
    REM v1.0
    REM Thomas Jung
    REM 27.07.2018
    REM
    REM Prerequisites:
    REM the openssl installation path has to be within the system PATH variable so that openssl runs directly from the command line
    REM
    REM Usage:
    REM simply drag and drop a PKCS#8 formatted private key onto this batch file.
    REM It will directly generate the private key and the public key in the right format suitable for the switch.
    REM
    REM ---------------------------------------------------

    @ECHO OFF
    ECHO "%~1"
    ECHO convert Base64 private key to pem format...
    openssl.exe rsa -in "%~1" -outform pem > "%~1".pem
    ECHO Done
    ECHO.
    ECHO derive public key from private key in PKCS#1 format...
    openssl.exe rsa -in "%~1".pem -RSAPublicKey_out > "%~1".pub
    ECHO Done
    ECHO.

  24. Thanks for help! This was pain for a looong time for me.

    With a new strict policy in Chrome browser and OpenSSL 1.1.1 implementing SAN definition in-line, I started to use this one-line request generator, that handles long name, short name and IP for the connection to switch management interface:

    $ openssl req -new -subj "/C=TwoDigitCountryCode/ST=MyState/L=MyLocation/O=MyCompany/OU=IT/CN=cisco-sw-001" -addext "subjectAltName=IP:10.20.30.40, DNS:cisco-sw-001.mydomain.com, DNS:cisco-sw-001" -sha256 -newkey rsa:2048 -nodes -out ciscosw.csr -keyout ciscosw.key

    Also note for all those poor souls using a Windows Certification Authority: those are by default configured not to use SAN, so you don’t get correct certificates (yeah… facepalm). However, this can be easily set, see https://www.winsysadminblog.com/2017/05/how-to-allow-an-active-directory-certificate-authority-to-generate-certificates-with-a-subject-alternative-name-attribute/

  25. Hello guys, I followed the steps for my GoDaddy certificate. It imported successfully, but the expiry date changed and the certificate is not working. I am expecting this happened due to “You delete the first 32 characters and add “RSA” in front of public.” Please let me know your comments on this issue.

  26. Guy : Even though your post is 4 years old, it is still relevant and worked great to import my Comodo SSL certificate. Thank you very much for that guide.

    Vaibhav Chillal : If you follow his guide step by step, it should work. Don’t forget, there are 2 x “RSA” texts to be added on each key, one at the top and one at the bottom. Also, make sure the time and date in your switch are set to your location if you’re using your switch for your CSR. In addition, depending on the text editor you are using, sometimes the text is not properly copy-pasted. If there is only 1 character or space that shouldn’t be there, it is not gonna work.

  27. Two (2) years ago, I was able to successfully import certificates & keys based on this page’s methods, but no go this time around. I suspect Cisco broke SSL certificate and key pair imports in firmware 1.4.11.2 for SG200 series switches (testing on a SG200-26 as I type this).

    After meticulously generating & converting new keys, trimming line breaks, copying & pasting the certificates & keys, I receive the following error message: “SSL can’t import certificate – conversion of input to certificate failed.” I even tried using Internet Explorer 11 with compatibility mode enabled/disabled without success. 🙁

    Specs: OpenSSL 1.1.x, RSA 2048, SHA256, certificate length 2,230 characters, using my domain’s Enterprise CA with all roots trusted.

    Fun fact: I had imported RSA-PSS certificates 2 years ago in these switches. They worked just fine. Cisco always manages to mess something up with their SMB gear.

  28. Update: updating to firmware 1.4.11.4 fixes the SSL certificate importing issues!

  29. Important note: This does NOT work with openssl 3.x version, so make sure to use the old 1.1.x version!
