HPE Community
Comware Based
1823950 Members
3764 Online
109667 Solutions
New Discussion

HPE OfficeConnect 1920 24G POE+ JG926A Switch Importing Certificates for SSH and HTTPS Auth.

 
chris_rion
Occasional Contributor

‎03-24-2019 07:16 AM - last edited on ‎03-24-2019 09:42 PM by

‎03-24-2019 07:16 AM - last edited on ‎03-24-2019 09:42 PM by

HPE OfficeConnect 1920 24G POE+ JG926A Switch Importing Certificates for SSH and HTTPS Auth.

Hi all, I'm very excited; I found a 1920 JG926A for $80 last week, and thought it would be inexpensive hardware to use for learning about networking.  Perhaps my questioning will be too basic for you, buit I'm hopeful.  I have a little experience generating certificates for SSH, FTPS, and a couple other services on my LAN at home, and noticed that I can enable certificate authentication for SSH and HTTPS login for the switch, but the HTTP UI seems unintuitive (Perhaps again, due to my own lack of experience.).  Needless to say, upon my first console login to the switch, the command list seems sparse compared to other switches, and even HP switches I've logged in to.

 

 

The switch has the following software installed:

5.20.99 Release 1120

Bootrom: 122

 

 

I suspect those of you reading this are curious how I generated my root certificate?  Using win32openssl-x64-1.0.2e, here are the commands issued:

 

openssl.exe genrsa -out 90degnet_gate2_ca.key 1024

openssl.exe req -new -x509 -days 9999 -key 90degnet_gate2_ca.key -out 90degnet_gate2_ca.crt -subj "/C=US/ST=Iowa/L=Cedar Rapids/O=90DegNet/OU=Admin Ops/CN=90deg.net/emailAddress=rion.chris@gmail.com/subjectAltName=90DegNet gate2 Administrative Services CA"

 

 

The switch accepted this certificate after I stumbled upon text in the user manual (Which also seems to assume that I know what I'm doing.  Certainly not helpful.), stating I need to compute either the MD5 or SHA1 checksum of the certificate, and add that string to:

"Authentication" > "Certificate Management" > "Domain" tab > PKI Domain configured for manual request mode > "Fingerprint" textarea

The root certificate is accepted by the switch!  Terrific!

 

 

After this seemingly-successful step, things begin to fall apart.  I next generate a child certificate, signed with the root certificate I generated earlier.  I intend to use this child certificate (And hopefully at a future date, another certificate for SSH access, also generated using the root certificate I generated earlier.) for HTTPS access.  The commands I issued are as follows:

 

openssl.exe genrsa -out 90degnet_gate2_http.key 1024

openssl.exe req -new -key 90degnet_gate2_http.key -out 90degnet_gate2_http.csr -subj "/C=US/ST=Iowa/L=Cedar Rapids/O=90DegNet/OU=Admin Ops/CN=192.168.1.2/emailAddress=rion.chris@gmail.com/subjectAltName=90DegNet gate2 Administrative Services HTTPS Certificate"

openssl.exe" x509 -req -days 9999 -in "90degnet_gate2_http.csr" -CA "90degnet_gate2_ca.crt" -CAkey "90degnet_gate2_ca.key" -set_serial 10110 -out "90degnet_gate2_http.crt"

I then use FTP to copy the .crt and.key files to the switch.  When I try to add the above certificate as a local certificate in offline mode, I receive the message, "No certificate or No certificate matched with hostkey in the file.".  Next, I thought; "Since the UI said it couldn't find a matching host key, perhaps if I convert the .crt and .key to PKCS12 and upload it, the switch will accept it?".

 

I then convert the certificate, issuing the following command:

openssl.exe pkcs12 -export -out "90degnet_gate2_http_cert_and_key.pkcs12" -inkey "90degnet_gate2_http.key" -in "90degnet_gate2_http.crt"

When I attempt to import the PKCS12 file, making sure to input the correct passphrase however, I receive the message, "Both local device and import file has a key, please choose one of them.".  Then when I attempt to perform the same operation again, but omitting the passphrase, I get the message, "Fail to parse pkcs#12 file.".  Aggrevation and confusion!

 

I'm not expecting easy answers (Perhaps hoping for them, though!), just very detailed ones.  And, in the interest of learning, please feel free to be constructively-harsh in any critique; it's a time-saver, and in the interest of my taking accurate notes on the subject, appreciated.

 

In addition, I thought I would note that when I select the root certificate as the authetication token for HTTPS for example, then install the root certificate into my operating systems' (Windows 7 SP1 64bit) trusted root certificate store, the connection encrypts (With of course, a complaint that the domain isn't correct, given the input during generation.)!  A comforting step in the right direction, but certainly not the certificate I want to use.

0 Kudos
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.