ProCurve / ProVision-Based

Problem TA profile while enabling ssl on 2530

ITwoon
Member


 

I am having trouble implementing a CA for the web interfaces on some of my HP switches (firmware YB.16.02.0016, type ProCurve (or Aruba, as they are called nowadays?) 2530).

When installing the leaf cert I’m getting the message “Certificate being installed is not signed by the TA certificate.” And I can assure you it IS signed by the TA certificate.

What am I missing/doing wrong? Below the step by step actions.

 

These switches require a TA-profile etc.

So I created a TA profile:

crypto pki ta-profile netwerk

 

I created an Identity profile:

crypto pki identity-profile Domijn subject

Enter Common Name(CN) : sw1113

Enter Org Unit(OU) : Domijn

Enter Org Name(O) : ITwoon

Enter Locality(L) : Enschede

Enter State(ST) : Overijssel

Enter Country(C) : NL

 

I am using openssl to create my own CA plus leaf certs.

Loaded my root cert as TA:

copy tftp ta-certificate netwerk 10.10.1.60 netwerkCA2.crt

00000K Transfer is successful

 

Created a CSR:

crypto pki create-csr certificate-name sw1113  ta-profile netwerk usage web subject common-name sw1113 key-size 2048

-----BEGIN CERTIFICATE REQUEST-----

MIIBUDCBugIBADARMQ8wDQYDVQQDEwZzdzExMTMwgZ8wDQYJKoZIhvcNAQEBBQADg

........

oWFs5AWt+318e+W48gs7y7q60GBnkZ8dc5YgxLoHFsytih5bpsoWABQQABDZBFEqN

Pt9ahBS+zhSPrzM02ESYPXwmK/LOsVxbqnNPTHjg9LWcHfYQ3Lw51GrmKYuHRlCA=

=

-----END CERTIFICATE REQUEST-----

When I create the leaf cert signed by the root cert with openssl and install it, strange things happen:

crypto pki install-signed-certificate

Paste the certificate here and enter:

 -----BEGIN CERTIFICATE-----

 MIIEcTCCA1mgAwIBAgIBATANBgkqhkiG9w0BAQUFADCBlzELMAkGA1UEBhMCTkwx

 EzARBgNVBAgTCk92ZXJpanNzZWwxETAPBgNVBAcTCEVuc2NoZWRlMQ8wDQYDVQQK

 EwZEb21pam4xDzANBgNVBAsTBklUd29vbjEbMBkGA1UEAxMSbmV0d2VyayBDQTIg

.....................

 jzT6hlcVoUVTU1xuaLgVJVPFq6/PmEkF7/ExRr1W6smq40VdodswiPnoqj0w3yxp

 r1p6t1hp3rRqv/W1hexk/wSy5Z9e8Du9vCUx7UOfSvSVIkqa8pAkjE8WPrkav//4

 +ZBNVVKuh2appFkJWXhAsJv3TOULCXI5DC+AwilwCpu56owAzA==

 -----END CERTIFICATE-----

Certificate being installed is not signed by the TA certificate.

And there we are!!

 

Admittedly, while signing the leaf cert, I enrich the leaf cert with all kinds of stuff:

Alternate names, CDP etc. But that should not be a problem, as far as I know….

 

To be complete, both certs:

 


 

Any assistance would be very much appreciated.
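
A local pre-flight check for the situation described in this post, added here as an example and not part of the original thread: before pasting a certificate into `crypto pki install-signed-certificate`, it confirms with OpenSSL that the leaf verifies against the CA file loaded as TA certificate and that it carries the same public key as the CSR the device generated. The function names, file names and the throwaway demo PKI are assumptions constructed for illustration; the script says nothing about which checks the switch firmware itself performs.

```shell
#!/usr/bin/env bash
# Added example (not from the post). File and function names are assumptions.

# True when OpenSSL accepts the leaf as signed by the given CA certificate.
chains_to_ca() {            # usage: chains_to_ca ca.crt leaf.crt
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# Prints the PEM public key of a CSR (kind "req") or certificate (kind "x509").
pubkey_of() {               # usage: pubkey_of req|x509 file
    openssl "$1" -in "$2" -noout -pubkey 2>/dev/null
}

# True when the certificate carries exactly the public key found in the CSR.
key_matches_csr() {         # usage: key_matches_csr device.csr leaf.crt
    local want got
    want=$(pubkey_of req "$1") && got=$(pubkey_of x509 "$2") &&
        [ -n "$want" ] && [ "$want" = "$got" ]
}

# Returns 0 when both checks pass, 1 on a chain failure, 2 on a key mismatch.
preflight() {               # usage: preflight ca.crt device.csr leaf.crt
    chains_to_ca "$1" "$3"    || { echo "FAIL: leaf does not verify against CA"; return 1; }
    key_matches_csr "$2" "$3" || { echo "FAIL: leaf key differs from CSR key"; return 2; }
    echo "OK: leaf verifies against CA and matches the CSR key"
}

# Constructed sample data: a throwaway CA plus two CSR/certificate pairs
# ("dev" and "other") with different keys, written into directory $1.
make_demo_pki() {           # usage: make_demo_pki dir
    ( cd "$1" && {
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
            -subj "/CN=Constructed Test CA" -keyout ca.key -out ca.crt
        for n in dev other; do
            openssl req -new -newkey rsa:2048 -nodes -subj "/CN=sw-example" \
                -keyout "$n.key" -out "$n.csr"
            openssl x509 -req -in "$n.csr" -CA ca.crt -CAkey ca.key \
                -CAcreateserial -days 1 -out "$n.crt"
        done
    } >/dev/null 2>&1 )
}

# Three arguments: check real files. No arguments: run on the constructed demo,
# pairing the "dev" CSR with the "other" certificate to show a key mismatch.
if [ "$#" -eq 3 ]; then preflight "$@"
else d=$(mktemp -d) && make_demo_pki "$d" &&
     preflight "$d/ca.crt" "$d/dev.csr" "$d/other.crt"; rm -rf "$d"; fi
```

Run it as `preflight.sh netwerkCA2.crt sw1113.csr sw1113.crt`, where the CSR and leaf file names are placeholders for wherever those were saved.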

 

 

 

 

1 REPLY
MargaretN
Community Manager

Re: Problem TA profile while enabling ssl on 2530

It might be best to check with HPE Product Support.

MargaretN
HPE Community Manager
Any personal opinions expressed are mine, and not official statements on behalf of Hewlett Packard Enterprise