HP 5412zl - Special attributes in SSL request - Create own SSL request

HEKnet

Hello,

I need to enable SSL on my HP 5412zl switches with CA-signed certificates. I know how to generate a certificate request with the WebAgent, but the request needs to have special attributes in order to be successfully signed by my CA that are not provided by the switch web GUI.

More precisely, my certificate request either needs a valid email address in the "subject alternative name" (SAN) field or the common name must be of the pattern "<FQHN>/emailAddress=<email>". The latter is not possible, because the 5412zl does not accept more than 40 letters in the CN.

I know how to create proper requests with OpenSSL. I did this for all my servers.

Is there any way I can create a request with OpenSSL and then install the signed certificate returned from my CA into the switch without using the certificate request mechanism built into the switch?

FYI: My CA is the DFN (= Deutsches Forschungsnetz = German Federal Research Network) and there is no option to go to another CA with fewer restrictions.

Matthias

Chrisd131313

Hi HEKnet,

As far as I am aware there is no other way of installing a CA-issued certificate in a switch without using the WebAgent mechanism - I think the reasoning for this is that if you need to install an SSL cert then you will be using the WebAgent to connect, but if you are using the CLI then you will be using the key pairs and SNMPv3 if you will be using SNMP to manage the switch.

I would recommend a call to HP tech support. Maybe there is some other way of achieving what you want, but I get the feeling it is not public knowledge - maybe some of the other guys in here have an idea.

paulgear

Hi Matthias,

I have a feeling Chris is right, but there might be a way to install externally-generated keys and certs by copying the files directly to flash via sftp. I haven't got the doco or a switch to test handy, but I'll have a look in more detail later.
Regards,
Paul
Chrisd131313

Hi Paul,

I had a rummage through sftp on a 5406zl and the only thing I could find was the manager and operator key_pairs for ssh, so I get the feeling the SSL certs are tucked away in another NVRAM region - unfortunately :(
