Adding a SSL Certificate to 5500 HI Switch

 
Cüneyt
Occasional Contributor

Hello Folks, 

Does anyone know how to add an SSL certificate to a 5500 HI Switch? The product number of the switch is JG542A. I have tried everything I could but without any success. I've followed the configuration guide but still no luck. The whole command line is as below. If anyone knows how to do that, please help me.

[HP]
[HP]
[HP]
[HP]
[HP]pki
[HP]pki en
[HP]pki entity en
[HP-pki-entity-en]com
[HP-pki-entity-en]common-name http-server1
[HP-pki-entity-en]fqdn bsca.bilgisistemleri.com.tr
[HP-pki-entity-en]quit
[HP]save s
The current configuration will be written to the device. Are you sure? [Y/N]:y
Please input the file name(*.cfg)[flash:/startup.cfg]
(To leave the existing filename unchanged, press the enter key):
flash:/startup.cfg exists, overwrite? [Y/N]:y
Validating file. Please wait....
The current configuration is saved to the active main board successfully.
Configuration is saved to device successfully.
[HP]
[HP]
[HP]pki dom
[HP]pki domain 1
[HP-pki-domain-1]ca ide
[HP-pki-domain-1]ca identifier ?
  TEXT  CA identifier(String length ranges from 1 to 63)
[HP-pki-domain-1]ca identifier CA ?
   TEXT
   <cr>
[HP-pki-domain-1]ca identifier CA bsca
[HP-pki-domain-1]cer
[HP-pki-domain-1]certificate re
[HP-pki-domain-1]certificate request ur
[HP-pki-domain-1]certificate request url http://192.168.5.29/certsrv/mscep/mscep.dll
[HP-pki-domain-1]cer
[HP-pki-domain-1]certificate req
[HP-pki-domain-1]certificate request fr
[HP-pki-domain-1]certificate request from ra
[HP-pki-domain-1]cer
[HP-pki-domain-1]certificate re
[HP-pki-domain-1]certificate request en
[HP-pki-domain-1]certificate request entity en
[HP-pki-domain-1]publi
[HP-pki-domain-1]qu
[HP-pki-domain-1]quit
[HP]publ
[HP]public-key rsa ge
[HP]public-key ?
  local  Local public key pair operations
  peer   Peer public key configuration
[HP]public-key lo
[HP]public-key local cre
[HP]public-key local create rsa ?
  <cr>
[HP]public-key local create rsa
Warning: The local key pair already exist.
Confirm to replace them? [Y/N]:y
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512,
It will take a few minutes.
Press CTRL+C to end.
Input the bits of the modulus[default = 1024]:
Generating Keys...
++++++++++++
++++++
+++
++++++++++++++++++

[HP]pki req
[HP]pki req
[HP]pki request-certificate dom
[HP]pki request-certificate domain 1
Certificate is being requested, please wait......
[HP]
Certificate request failed.

network_king
HPE Pro

Re: Adding a SSL Certificate to 5500 HI Switch

Hi,

 

I have used manual mode to obtain the certificate & below are the steps followed to achieve the same.

 

 

Step - 1

pki entity hpen
common-name hp
country us

pki domain hpe
ca identifier hpn
certificate request from ca
certificate request entity hpen
crl check disable

Step - 2

I have downloaded and imported the file to the switch (flash:/one.cer). The
certificate is also attached for your reference.


Step - 3

[HP]pki import-certificate ca domain hpe der filename one.cer
The trusted CA's finger print is:
MD5 fingerprint:1ABC 2DEF G3HI 1ABC 2DEF G3HI G3HI 1ABC
SHA1 fingerprint:5678 9L63 7673 G3HI DF53 2DEF F0D7 2DEF 8FFD 1744

Is the finger print correct?(Y/N):y

%Nov 20 09:17:11:661 2018 HP PKI/6/PKI_CA_CERT_TRUSTED: Root CA
certificate of the domain hpe is trusted....
Import CA certificate successfully.
%Nov 20 09:17:15:136 2018 HP PKI/6/PKI_IMPORT_CA_CERT_SUCC: Imported CA
certificates of the domain hpe successfully.

[HP]public-key local create rsa
Warning: The local key pair already exist.
Confirm to replace them? [Y/N]:y
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512,
It will take a few minutes.
Press CTRL+C to end.
Input the bits of the modulus[default = 1024]:2048
Generating Keys...
+++++++++
++++++++++++++++
++++++
+++++++++++

[HP]public-key local create dsa
Warning: The local key pair already exist.
Confirm to replace them? [Y/N]:y
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512,
It will take a few minutes.
Press CTRL+C to end.
Input the bits of the modulus[default = 1024]:2048
Generating Keys...
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++(omitted
output to save space)


[HP]pki request-certificate domain hpe pkcs10
-----BEGIN CERTIFICATE REQUEST-----
XxxXXxXXXXxXXXXxXXXxXXXXyyyyXXxxxzZZZZAAaCCCbUUUQQQzzOUNMzz
XxxXXxXXXXxXXXXxXXXxXXXXyyyyXXxxxzZZZZAAaCCCbUUUQQQzzOUNMzz
XxxXXxXXXXxXXXXxXXXxXXXXyyyyXXxxxzZZZZAAaCCCbUUUQQQzzOUNMzz
XxxXXxXXXXxXXXXxXXXxXXXXyyyyXXxxxzZZZZAAaCCCbUUUQQQzzOUNMzz
XxxXXxXXXXxXXXXxXXXxXXXXyyyyXXxxxzZZZZAAaCCCbUUUQQQzzOUNMzz
XxxXXxXXXXxXXXXxXXXxXXXXyyyyXXxxxzZZZZAAaCCCbUUUQQQzzOUNMzz
XxxXXxXXXXxXXXXxXXXxXXXXyyyyXXxxxzZZZZAAaCCCbUUUQQQzzOUNMzz
-----END CERTIFICATE REQUEST-----


Paste the key generated on the switch and submit it, then download the DER-encoded
certificate and upload the file to the switch (flash:/two.cer). The certificate is
also attached for your reference.

Step - 4

[HP]pki import-certificate local domain hpe der filename two.cer
%Nov 20 09:56:59:717 2018 HP PKI/6/PKI_VERIFY_CERT_SUCC: Verified the
certificate CN=hp,C=US of domain hpe successfully....
Import local certificate successfully.
%Nov 20 09:57:03:225 2018 HP PKI/6/PKI_IMPORT_LOCAL_CERT_SUCC: Imported
local certificate of the domain hpe successfully.


Verify the certificate.

dis pki certificate ca domain hpe
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
1XXX0887 8XX4X0XX 4X1943X4 XX4XXX29
Signature Algorithm: sha1WithRSAEncryption
Issuer:
DC=local
DC=hpn
CN=hpn
Validity
Not Before: Oct 17 11:22:19 2018 GMT
Not After : Oct 17 11:31:38 2023 GMT
Subject:
DC=local
DC=hpn
CN=hpn
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (2048 bit)
Modulus (2048 bit):
00X91X46 741329XX 8200X4X7 9027ABC4
D46CEFGF 4H863IJ9 4K540LMN 40O3P6Q2
00X91X46 741329XX 8200X4X7 9027ABC4
D46CEFGF 4H863IJ9 4K540LMN 40O3P6Q2
DA30ED99 ECEA9D50 EEBD0878 2D477FEB
D46CEFGF 4H863IJ9 4K540LMN 40O3P6Q2
00X91X46 741329XX 8200X4X7 9027ABC4D46
00X91X46 741329XX 8200X4X7 9027ABC4
D46CEFGF 4H863IJ9 4K540LMN 40O3P6Q2
00X91X46 741329XX 8200X4X7 9027ABC4
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage:
Digital Signature, Certificate Sign, CRL Sign
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Subject Key Identifier:
6E8B4C29 AF91CB72 DEA7FE39 99297A6E 08E095AC
X509v3 CRL Distribution Points:

URI:ldap:///CN=hpn,CN=hpn,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=hpn,DC=local?certificateRevocationList?base?objectClass=cRLDistributionPoint
URI:http://hpn.hpn.local/CertEnroll/hpn.crl

1.3.6.1.4.1.311.21.1:
0000 - 02 01 ..
0003 -

Signature Algorithm: sha1WithRSAEncryption
D46CEFGF 4H863IJ9 4K540LMN 40O3P6Q2
00X91X46 741329XX 8200X4X7 9027ABC4
D46CEFGF 4H863IJ9 4K540LMN 40O3P6Q2
00X91X46 741329XX 8200X4X7 9027ABC4D46
00X91X46 741329XX 8200X4X7 9027ABC4

Note: The only ciphers supported by the 5500 switch are listed below.

rsa_3des_ede_cbc_sha RSA_3DES_EDE_CBC_SHA
rsa_aes_128_cbc_sha RSA_AES_128_CBC_SHA
rsa_aes_256_cbc_sha RSA_AES_256_CBC_SHA
rsa_des_cbc_sha RSA_DES_CBC_SHA
rsa_rc4_128_md5 RSA_RC4_128_MD5
rsa_rc4_128_sha RSA_RC4_128_SHA

 

I am an HPE Employee
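
Added example (not part of the thread or of HPE's documentation): in Step 3 the switch prints the CA certificate's MD5 and SHA1 fingerprints and asks "Is the finger print correct?". This Python sketch computes the same fingerprints on the workstation from the CA file, in the four-character grouping the switch displays, so the prompt can be answered against an independently obtained value. The function names and the sample bytes are assumptions made for the illustration.

```python
import base64
import hashlib
import re
import sys

PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def load_der(data: bytes) -> bytes:
    """Return DER bytes whether the CA file was saved as PEM (Base64) or DER."""
    m = PEM_RE.search(data)
    if m:
        return base64.b64decode(b"".join(m.group(1).split()))
    return data

def comware_fingerprint(der: bytes, algo: str) -> str:
    """Hash the DER encoding and group it as the switch prints it: 'ABCD 1234 ...'."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return " ".join(digest[i:i + 4] for i in range(0, len(digest), 4))

def _normalise(fp: str) -> str:
    # Drop spaces and colons so pasted values compare regardless of grouping.
    return re.sub(r"[\s:]", "", fp).upper()

def matches_prompt(cert_file: bytes, shown: str, algo: str = "sha1") -> bool:
    """True only if the fingerprint shown by the switch equals the local one."""
    local = comware_fingerprint(load_der(cert_file), algo)
    return _normalise(local) == _normalise(shown)

# Constructed stand-in bytes, NOT a real certificate; in real use read one.cer.
CONSTRUCTED_DER = b"abc"
CONSTRUCTED_PEM = (b"-----BEGIN CERTIFICATE-----\nYWJj\n"
                   b"-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    # Usage: python fp.py one.cer "<SHA1 fingerprint copied from the switch>"
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else CONSTRUCTED_DER
    der = load_der(data)
    print("MD5 fingerprint: " + comware_fingerprint(der, "md5"))
    print("SHA1 fingerprint:" + comware_fingerprint(der, "sha1"))
    if len(sys.argv) > 2:
        ok = matches_prompt(data, sys.argv[2])
        print("match" if ok else "MISMATCH: answer N at the prompt")
        sys.exit(0 if ok else 1)
```

Compare the SHA1 value rather than the MD5 one, and take the CA file from a source other than the path used to copy it to the switch.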

Cüneyt
Occasional Contributor

Re: Adding a SSL Certificate to 5500 HI Switch

Hello my friend,

Somehow I've got stuck. I have followed your steps till the final part of step 3. At this point, I'm not able to accomplish this step. The certification server doesn't allow me to submit the key. I would appreciate it if you could help us via remote desktop.

We use our own Windows based Certification Server. 

Paste the key generated on the switch and submit it, then download the DER-encoded
certificate and upload the file to the switch (flash:/two.cer). The certificate is
also attached for your reference.

Kind regards,