Adding an SSL certificate for Cisco SG series switches

This has been beating me over the head for ages, so now that I finally made it work, I decided I best share it with the masses to hopefully help others who’ve similarly had issues.

I own and use a Cisco SG200-26 switch at home.  A bit of overkill for a home network, but it works great and I love the functionality it gives me.  However, when accessing the switch to do any sort of configuration, I was always annoyed by the certificate errors when accessing it via HTTPS.  No matter how I tried to get a valid certificate on there, I kept getting errors.  After much researching and desk head banging I finally found a way to get a signed SHA2 cert to install using OpenSSL.

If you have your own CA, hopefully this will help you get your certificate to work.  Otherwise, you should be able to use your CA of choice.  (Edit: references to previously recommended CA removed.)

First, forget using the CSR generated by the switch.  The CA I used won’t accept it and I gave up on trying to figure out what was wrong with the format.  Use OpenSSL to generate your own key and a CSR for the switch.

(Edit: you HAVE to use a 2048 bit key. A 4096 bit key won’t paste into the web interface.)

$ openssl req -new -sha256 -newkey rsa:2048 -nodes -out yourdomain.csr -keyout yourdomain.key -subj "/C=[Insert country here]/ST=[Insert state here]/L=[Insert city here]/O=example.com/CN=yourserver.example.com"

Log in, use the CSR and get your shiny new certificate.  Save it to your PC.

Now you’ve got to format the private key to match what Cisco is looking for on the switch.  If you look at the key generated it starts out something like this:

-----BEGIN PRIVATE KEY-----
MI...
(a whole bunch of text)
...M=
-----END PRIVATE KEY-----

Cisco won’t take it.  You’ve got to convert it to PEM.  So do this:

$ openssl rsa -in yourdomain.key -outform pem > yourdomain.pem
writing RSA key

Take a look at your new key, and now you’ll see this:

-----BEGIN RSA PRIVATE KEY-----
MI...
(a whole bunch of text that looks different)
...7D
-----END RSA PRIVATE KEY-----

THIS private key will work.  Now you need your public key.  So do this:

$ openssl rsa -in yourdomain.pem -pubout > yourdomain.pub
writing RSA key

So now you have your shiny public key ready to go:

-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAo5Q21pIa/5C2IXIgQw9Z
iWn63D9K2iNNAR/FSnP+tjyhp+6bHRQOs8FyQLOfiBZR8DW72aqrbFD7cUYgX0Iv
JgpdjWLSxJXi/hbi9rDQFMHAe3qqPn104CaDfxnv7hOfR3+ct9sdCAB/ChoIVCEp
GCn9dRwlEVi1DZ8sN5tVH0/wwqW7MfxPdPuyfqjc/ZoPobVUtq/ovyQi1IaMUFKV
dlXlJ9XQcpZDz6pwEb4ji3E2fMA1gMcO38hX7BV0S0xrTqAB++9gP3MMCu4ZlKFh
ei9q4E1M6psTWnYIgNOo5NMk7tJP1O0Cc6REOV7bft8y0TqZ4qsza+K1Ow6GgYEL
vwIDAQAB
-----END PUBLIC KEY-----

However – and I know this is crap – this public key won’t work either.  I give all the credit to this guy who spelled out the reasoning and how to fix this.  It’s really very simple.  You delete the first 32 characters and add “RSA” in front of public.

-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A  <-- 1st 32 characters to delete
MIIBCgKCAQEAo5Q21pIa/5C2IXIgQw9Z
iWn63D9K2iNNAR/FSnP+tjyhp+6bHRQOs8FyQLOfiBZR8DW72aqrbFD7cUYgX0Iv
JgpdjWLSxJXi/hbi9rDQFMHAe3qqPn104CaDfxnv7hOfR3+ct9sdCAB/ChoIVCEp
GCn9dRwlEVi1DZ8sN5tVH0/wwqW7MfxPdPuyfqjc/ZoPobVUtq/ovyQi1IaMUFKV
dlXlJ9XQcpZDz6pwEb4ji3E2fMA1gMcO38hX7BV0S0xrTqAB++9gP3MMCu4ZlKFh
ei9q4E1M6psTWnYIgNOo5NMk7tJP1O0Cc6REOV7bft8y0TqZ4qsza+K1Ow6GgYEL
vwIDAQAB
-----END PUBLIC KEY-----

-----BEGIN RSA PUBLIC KEY-----  <-- RSA added
MIIBCgKCAQEAo5Q21pIa/5C2IXIgQw9Z
iWn63D9K2iNNAR/FSnP+tjyhp+6bHRQOs8FyQLOfiBZR8DW72aqrbFD7cUYgX0Iv
JgpdjWLSxJXi/hbi9rDQFMHAe3qqPn104CaDfxnv7hOfR3+ct9sdCAB/ChoIVCEp
GCn9dRwlEVi1DZ8sN5tVH0/wwqW7MfxPdPuyfqjc/ZoPobVUtq/ovyQi1IaMUFKV
dlXlJ9XQcpZDz6pwEb4ji3E2fMA1gMcO38hX7BV0S0xrTqAB++9gP3MMCu4ZlKFh
ei9q4E1M6psTWnYIgNOo5NMk7tJP1O0Cc6REOV7bft8y0TqZ4qsza+K1Ow6GgYEL
vwIDAQAB
-----END RSA PUBLIC KEY-----  <-- RSA added

-----BEGIN RSA PUBLIC KEY-----
MIIBCgKCAQEAo5Q21pIa/5C2IXIgQw9ZiWn63D9K2iNNAR/FSnP+tjyhp+6bHRQO
s8FyQLOfiBZR8DW72aqrbFD7cUYgX0IvJgpdjWLSxJXi/hbi9rDQFMHAe3qqPn10
4CaDfxnv7hOfR3+ct9sdCAB/ChoIVCEpGCn9dRwlEVi1DZ8sN5tVH0/wwqW7MfxP
dPuyfqjc/ZoPobVUtq/ovyQi1IaMUFKVdlXlJ9XQcpZDz6pwEb4ji3E2fMA1gMcO
38hX7BV0S0xrTqAB++9gP3MMCu4ZlKFhei9q4E1M6psTWnYIgNOo5NMk7tJP1O0C
c6REOV7bft8y0TqZ4qsza+K1Ow6GgYELvwIDAQAB
-----END RSA PUBLIC KEY-----

The final product!  I went ahead and reformatted mine so that the length of each line was consistent.  I didn’t know how picky the switch was going to be when I imported it, so I figured why bother chancing it.

ANYWAY, now you’re ready to go into your switch settings and import your certificate and your keys!

Cisco SG200-26 Configuration

To add the cert, go under Security, then SSL Server, then SSL Server Authentication Settings.  This will pop up where you can insert your certificate into one of two places.  (You can already see mine!)  Click a check box for the one you want to replace, then click “Import Certificate…”

Cisco SG200-26 SSL Certificate Import

Enable Import RSA Key-Pair, then click the radio button next to Plaintext for your Private Key (since that’s how it’s stored).  Copy and paste your certificate (the one thing you didn’t have to mess with!) and the public and private keys that we made.  Click Apply.  Now click the radio button next to the number of the certificate slot you used where it says “SSL Active Certificate Number”.  Save your config.  DONE.  Now you’re secured, no more annoying messages, everyone’s happy.

I hope that someone finds this helpful!  Thanks Cisco for making such easy to work with gear! /sarcasm

32 Comments

  1. This is incredibly shameful behavior by Cisco to make importing an SSL certificate this hard. That company does NOT take security seriously.

  2. Thanks, this helped me. I’ve been frustrated by this for like 2 years!

  3. The certificate box doesn’t let me past my whole certificate in. It cuts it off so even after formatting all the keys, I can’t import my cert. I take it this is because my key is 4096bits long.

    • Ooh, good call. I only tried a 2048 bit key. I guess this is a limitation of the web interface.

  4. Thanks to this post. I have a problem. I gave this error “Inconsistent Value”. I did your instructions step by step moreover but I couldn’t import the certificate. Could you help me please?

    • At what point did you get the error? Can you document the steps you took and commands you made?

  5. I get “Inconsistent Value” error after I fill the “Certificate”, “Private Key”, “Public Key” and click apply on the Web-Gui page. I follow your instruction exactly step by step for five times.

  6. Firstly, I use this command:

    Set OPENSSL_CONF=C:\OpenSSL-Win64\bin\openssl.cfg

    The openssl.cfg file is default configuration file that install with “Win64OpenSSL_Light-1_0_2f” file.

    Then I use your command to create .csr and .key files:

    openssl req -new -sha256 -newkey rsa:2048 -nodes -out yourdomain.csr -keyout yourdomain.key

    I fill “Country Name”, “State” and so on with blank except “Common Name”.
    I fill “Common Name” with “https://192.168.1.254”.
    I fill the “Chalenge Password” and “An optional company name” with balnk too.

    After these steps, I go to “https://startssl.com/” and sign my .csr file then follow the rest your command exactly.

  7. Thanks for publishing this!

    One thing I noticed while following your instructions is that the switch didn’t tolerate a newline at the end of some of the “END” lines so if folks are still having trouble (with a different error message) then make sure there is no newline after the last line of text in each of the cert/key fields.

    I’ve automated the process of generating certs for these switches, and I think it is pretty obvious how to do that to most, but I’ll contribute to your work by providing these lines which clean up the public key file as you described:

    sed -e “s/ PUBLIC/ RSA PUBLIC/” “$switch”_key.pub > “$switch”_key.pub.temp

    sed -r -e “s/^MII\w{29}MII/MII/” “$switch”_key.pub.temp > “$switch”_key_cisco.pub

    rm “$switch”_key.pub.temp

  8. Reading more of the comments above, I think I recall discovering that the “inconsistent value” is the error the switch gives you when you have a newline character(s) at the end of the END lines. Don’t terminate the last line with a newline in the web form and you should be fine.

    • Thanks for the script and for the insight Bryan! I suck at thinking along those lines unless it’s something I do a lot, which in this case for me was only once. 😉

  9. Thank for reply. I check it out. I remove the all newlines from the last line of “Certificate”, “Public key” and “Private key”, however, my problem hasn’t solved. I appreciate everything you do.

  10. Guy, you’re a star!

    Cisco: WHAT WERE YOU THINKING?!!

    Also thanks to Bryan B for the newline at end Tip to prevent “inconsistent value”.

  11. You can also generate the type of public RSA key format the switch is looking for using this openssl command:

    openssl rsa -in private/example.key.pem -RSAPublicKey_out

  12. I use another openssl from http://gnuwin32.sourceforge.net/packages/openssl.htm

    that recommended from this link:
    http://www.cisco.com/c/en/us/td/docs/switches/datacenter/mds9000/sw/4_1/sme/configuration/guide/smebook/cert.html

    I use this command:
    “OpenSSL> genrsa –out privkey.key 2048 –config openssl.cnf”

    So, I can create private key then I use this command to create certificate:
    “OpenSSL> req –x509 –new –nodes –key privkey.key –days 365 –out cacert.pem –outform PEM –config openssl.cnf”

    I create the public key as same as the above instruction.
    Then, I copy and paste the “Private Key”, “Certificate” and “Public Key” that I made.

    Import Success!!! 🙂

    I try create the csr file then sign using https://startssl.com/ but this site doesn’t accept my csr file.

    So, I create the crt with this command:
    “OpenSSL> req –x509 –new –nodes –key privkey.key –days 365 –out cacert.crt –config openssl.cnf”

    I’m glad, however when create the crt file for install certificate in client browser and install it into trusted root, my browser can’t connect to switch with https.

    Could you help me, please?

    • Do you have https access enabled on the switch? I can’t remember what option it’s under, but you may have to enable it.

  13. Yes, I enabled that.
    My problem has been solved. It’s occurred because the sign algorithm was SHA1. the new browser doesn’t accept this weak algorithm so I use the “-sha256” switch to create SHA2 sign algorithm.
    I appreciate everything you do.

  14. Hi

    I am have issues with my SG300-28 switch, which won’t import a OpenSSL certificate.

    I have created a Cisco Support Community about it:
    https://supportforums.cisco.com/discussion/13045686/issue-importing-ssl-certificate-sg300-28

    Basically I have done very similar to this blog-post (but of cause found the blogpost afterwards).
    I am running firmware 1.4.5.02.
    My OpenSSL command, looked like this:
    openssl req -new -newkey rsa:2048 -nodes -out switch_home_hazenet_dk.csr -keyout switch_home_hazenet_dk.key -subj “/C=DK/ST=Jylland/L=Hedensted/O=Hazenet/OU=Home/CN=switch.home.hazenet.dk”

    I signed it with StartSSL.
    But when I try to import it, I get “Failed to load public key”
    Even though I have the Private Key in RSA format, and I have added “RSA” to the Public Key header.

    Any ideas?

  15. Damn, that’s a complicated setup messing up with the keys, great work Cisco!

    Anyways, thanks for the guide, it worked perfectly for me on a SG300-28 switch. I used my own CA.

  16. I have a problem. I am using SG300-20. I cannot paste in the the RS 2048 certificate generated by StartSSL. I copied the entire contents and it won’t paste the entire thing, it is truncated. I made sure this is the 2048 bit key. Also, if I click generate certificate request on the switch web page, the fields are disabled and I cannot copy.

  17. Nevermind, I was able to get it to work. The trick is, I had to use Internet Explorer 11 in compatibility mode. The field for the Certificate allows only 2048 characters even though a 2048 RSA cert is 2476 characters. So an error on Cisco’s part.

  18. Thank you. This was immensely helpful.

    I also had trouble with keys bigger than 2048 bits. I used the command line to add keys, hoping I could work around the the limit in the text field in the web interface, but got errors like “Wrong private key footer format” when trying 3072-bit and 4096-bit keys. This occurred even though the keys were adjusted as described in this article. The same procedure with a 2048-bit key worked fine.

    I can’t find anything in the documentation about a 2048-bit limit, but that seems to be the max. Has anybody had any success with larger keys?

    Also, I don’t see it anywhere on this page, so I might as well mention it: to add keys/certs from the CLI, you ssh in and run the following commands:

    conf
    crypto certificate 2 import
    [paste the private key; hit return]
    [paste the adjusted public key; hit return]
    [paste the certificate; hit return]
    .
    ip https certificate 2
    end

    And then, to save:

    copy running-config startup-config

  19. Thank you! This helped me fix the new Chrome strict subjectAltName enforcement on some SG350s.

  20. Thanks very much for this. What’s frustrating is that the certificate actually contains a copy of the public key, so why Cisco need it to be entered separately (and in a different format) is a mystery.

  21. Hi guys,
    does anyone of you has newer switches like SG220 or SG250s?
    How is it there with SSL certs? Looks like Cisco removed ssl cert upload option from SG220 GUI.
    What about CLI?
    How is it with SG250?

    Thank you

  22. Firmware 1.4.8.6 on my SG500 appears to have fixed the issues I had attempting to generate and import and 2048 bit certificate via the web interface and AD Cert Serv. So looks like they might have *finally* improved the cert process!

  23. Hey there,

    Thank you a lot for this. I’ve found this information already years ago very handy, and had to come back several times… there fore i thought about contributing a little…

    Therefore i made a little bat file were you can drag and drop just a private key and it gives you the needed fromats of the private key and the public key without tinkering around inside….

    So have fun with it.

    [code/]
    REM —————————————————
    REM Cisco SG200-xx Certificate Key Modifier
    REM
    REM based on following informations:
    REM “https://severehalestorm.net/?p=54”
    REM “https://stackoverflow.com/questions/18039401/how-can-i-transform-between-the-two-styles-of-public-key-format-one-begin-rsa”
    REM
    REM v1.0
    REM Thomas Jung
    REM 27.07.2018
    REM
    REM Prequesites:
    REM the openssl installation path has to be with in the system path variable so that openssl directly runs from commandline
    REM
    REM Usage:
    REM simple drag and drop a PKCS#8 formatted private key on this batchfile.
    REM It will directly generate the needed privatekey in and publickey in the right format suitable for the switch.
    REM
    REM —————————————————

    @ECHO OFF
    ECHO “%~1”
    ECHO convert Base64 privatekey to pem-Format…
    openssl.exe rsa -in “%~1” -outform pem > “%~1”.pem
    ECHO Done
    ECHO.
    ECHO derive publickey from privatekey in pkcs#1 format…
    openssl.exe rsa -in “%~1”.pem -RSAPublicKey_out > “%~1”.pub
    ECHO Done
    ECHO.
    [/code]

Leave a Reply