HPE Community
Web and Unmanaged
1752812 Members
6047 Online
108789 Solutions
New Discussion

Re: [Solved]: Anyone have tips to successfully enable HTTPS on the V1910s?

 
samnob
Occasional Visitor

‎06-22-2012 04:06 PM - edited ‎06-25-2012 09:07 AM

‎06-22-2012 04:06 PM - edited ‎06-25-2012 09:07 AM

[Solved]: Anyone have tips to successfully enable HTTPS on the V1910s?

I've spent way too much time trying to get these things to accept any type of certificate.
                                                                                                                                                             
The goal here is just to get https working so that passwords don't go to the login screen in clear text, I'm not really concerned about being able to trust the Certificate Authority.                                                                                                                                    
                                                                                                                                                             
Under Authority -> PKI                                                                                                                                       
                                                                                                                                                             
I'm first hitting the "Certificate" tab and then "Create Key"                                                                                                
                                                                                                                                                             
(That much was enough to get SSH working)                                                                                                                    
                                                                                                                                                             
Then I'm creating an "entity" with values that look like they'd be OK for the csr, and then creating a "domain" referencing that entity.                     
                                                                                                                                                             
I'm just giving local names to all this stuff. The only real data I've tried entering by this stage in the process is the real md5 or sha1 fingerprint of the CA's certificate. And I set the request mode to manual and disable Cert Revocation Lists.                                                                   
                                                                                                                                                             
I'm using openssl on  a Debian (GNU/Linux) system as the CA. So that's the ca.crt whose fingerprint  I put in the "domain".                                  
                                                                                                                                                             
Then it's back to the "Certificate" tab. Where we "request Cert" in offline mode. And the switch spits out a nice text CSR.                                  
                                                                                                                                                             
I take that back to my CA and generate a certificate signed by the ca. I do that, something like:                                                            
                                                                                                                                                             
./pkitool --sign hp.csr                                                                                                                                      
                                                                                                                                                             
or                                                                                                                                                           
                                                                                                                                                             
openssl ca -batch -in hp.csr -out hp.crt                                                                                                                     
                                                                                                                                                             
                                                                                                                                                             
                                                                                                                                                             
And now as far as I can tell I ought to be able to go to "Retrieve Cert" and upload my ca.crt and hp.crt.                                                    
                                                                                                                                                             
But it always fails and says                                                                                                                                 
                                                                                                                                                             
"Certificate Verification failed" 

 

So does anyone have an SSL setup that they can recommend? Or any other shortcut to getting https turned on in these things?

0 Kudos
1 REPLY 1
samnob
Occasional Visitor

‎06-25-2012 09:11 AM

‎06-25-2012 09:11 AM

Re: [Solved]: Anyone have tips to successfully enable HTTPS on the V1910s?

As I pondered how much "time" I had sunk into this silly problem. It occurred to me that I had never set up the clock on the switch.

It was set in the past, so the brand new certs I had gen'd had a notBefore= of what appeared to the switch as a date in the future.

I gave the switch an NTP server and it took both the ca and local cert right away.
0 Kudos
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.