Problem with SSL Certificate

AndreiBike
Occasional Contributor

Hello, community

I have a problem with the SSL certificate on an OfficeConnect 1950 switch.

When I connect to the HPE OfficeConnect switch via the HTTPS web interface, the browser alerts me that the HTTPS connection is unsafe.

Should I sign an SSL certificate on the switch and add this certificate to the administration browser?

[Attachment: Снимок экрана.png (screenshot)]

DIYO
HPE Pro

Re: Problem with SSL Certificate

Hello Andrei,

The switch is presenting a self-signed certificate, so any browser will alert if the certificate cannot be verified by a certificate authority (which is the case here). You could instruct the browser to accept the certificate. You could also install a certificate issued by a certificate authority; then the browser should be able to reach the authority to verify the certificate.

Regards

I am an HPE Employee

ITFred
Visitor

Re: Problem with SSL Certificate

Hi @DIYO ,

could you please explain how exactly the certificate can be installed and how the HTTPS server is configured to use a certificate?

I uploaded a PKCS#12 file and can see the certificate in the PKI certificate section, but the HTTPS server is still using the self-signed one.

Thanks in advance.

DIYO
HPE Pro

Re: Problem with SSL Certificate

Hello @ITFred , hello @AndreiBike ,

To my knowledge there is no way to install a certificate via the Web GUI (unfortunately), so I am sending an example of how to import a certificate via the CLI (an SSL policy cannot be bound to the HTTPS service in the Web GUI, no menu tab is present, see step 2e; all other steps can be performed in the Web GUI). Please note that in the example below both manual and SCEP enrollment (point 4 below) are shown; one of the two methods should be used.

In this example a Windows 2012 R2 server was used, with the Certificate Authority role installed. IP address of the server: 172.16.16.5. The Comware switch is configured with IP address 172.16.16.3.

1. Preliminary:

a) Configure a time server, make sure that the time and date settings are correct:

clock protocol ntp
ntp-service enable
ntp-service unicast-server 172.16.16.5

[screenshot: NTP server]


c) Create a user with the corresponding privileges (allowed protocols: HTTP, HTTPS, FTP), start the FTP server, allow FTP as a management protocol

local-user admin class manage
password hash $h$6$xNI11cYDSwODJVmU$zEC91VdMl64ckL1HrDjqfoZbw4O3TC9yBVeejo6qAU0WX/cnQQLehNoiv8HG5r21KNRjvL1/EF3pzM+DvfKGaA==
service-type ftp
service-type http https
authorization-attribute user-role network-admin
authorization-attribute user-role network-operator

ftp server enable

user-interface vty 0 63
authentication-mode scheme
user-role network-admin
user-role network-operator
protocol inbound all

2. Configure PKI on the switch


a) Create rsa key

public-key local create rsa name testkey    -- testkey will be used when configuring the PKI domain in step 2b)


b) Create pki domain

pki domain hpnlab
ca identifier Win2012Server                                           -- not needed for manual installation
certificate request url http://172.16.16.5/certsrv/mscep/mscep.dll    -- not needed for manual installation
certificate request from ca                                           -- not needed for manual installation
certificate request entity comware7                                   -- the PKI entity will be created in step 2c)
certificate request mode auto                                         -- not needed for manual installation
public-key rsa general name testkey                                   -- public key "testkey" was created in step 2a)
undo crl check enable


c) Create PKI entity

pki entity comware7
common-name comware7.hpnlab.local
country CA

d) Create SSL policy, bind the PKI domain to the SSL policy, activate the policy

ssl server-policy hpnlab
  pki-domain hpnlab

e) Bind the SSL policy to the HTTPS service, start the HTTP/HTTPS service

ip https ssl-server-policy hpnlab

     -- please note that the HTTP and HTTPS services need to be disabled first, or the configuration will fail with the error message "Please stop HTTP and HTTPS server first.", see c)
     -- a reboot might be needed after the HTTP/HTTPS service has been started ("reboot" command in operator view).
ip https enable
ip http enable

3. Create certificates, import them on the switch

a) Import the CA certificate on the switch

Start a web browser, go to http://localhost/certsrv/ or (in our example) http://172.16.16.5/certsrv/, choose "Download a CA certificate, certificate chain, or CRL", then "Download a CA certificate" -> "Save file".

b) Create a CSR on the switch

pki request-certificate domain localdomain pkcs10

The request will be displayed on the terminal; example output:

*** Request for general certificate ***
-----BEGIN CERTIFICATE REQUEST-----
[Base64 request body omitted]
-----END CERTIFICATE REQUEST-----

Select the string between the lines "-----BEGIN CERTIFICATE REQUEST-----" and "-----END CERTIFICATE REQUEST-----" and copy it to the clipboard. On the CA (Windows Server) start a web browser and go to http://172.16.16.5/certsrv/

c) Create the user certificate for the switch entity configured under 2c).

On the http://localhost/certsrv/ web page choose "Request a certificate" -> "Submit an advanced certificate request". Paste the CSR string from step 3b) into the "Base-64-encoded certificate request (CMC or PKCS #10 or PKCS #7):" field, then "Submit".

Depending on the Windows Server configuration the certificate can either be downloaded right away via the "Download certificate" link, or it needs to be approved first. In the latter case go to Server Manager -> Tools -> Certification Authority.
Go to "Certification Authority (local)" -> Windows-Server-CA (the name of the server) -> "Pending Requests" folder and approve the request (the request will be moved to the "Issued Certificates" folder). Go to the "Issued Certificates" folder,
right-click the certificate, choose "Open", then the "Details" tab -> "Copy to File". A wizard starts; choose "DER encoded binary X.509 (.CER)", then a filename and location.

d) Upload the CA and entity certificates to the switch via FTP. In this example the Windows built-in FTP server is used.

C:\Users\Administrator>ftp 172.16.16.3
ftp>binary -- set transfer mode as binary
200 TYPE is now 8-bit binary
ftp>put certca.cer -- transfer CA certificate to the switch, file location flash:/
200 PORT command successful
150 Connecting to port 56959
226 File successfully transferred
ftp: 901 bytes sent in 0.01Seconds 128.71Kbytes/sec.

ftp>put certpkientity.ca
......

e) Import CA and local certificates
pki import domain hpnlab der ca filename flash:/certca.cer
pki import domain hpnlab der local filename flash:/certpkientity.ca


4. Request certificates via the network (SCEP protocol):

pki domain hpnlab
certificate request url http://172.16.16.5/certsrv/mscep/mscep.dll


pki retrieve-certificate domain hpnlab ca
pki request-certificate domain hpnlab password XXXXXXXXXXXXXXXX

The enrollment challenge password can be viewed at

http://172.16.16.15/certsrv/mscep_admin/

I hope it helps.

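The Windows-side steps of the procedure above (3a download the CA certificate, 3c submit the CSR and fetch the issued certificate, 3d push both files to the switch over FTP in binary mode) can be scripted from the CA host with certreq/certutil instead of clicking through certsrv, and the script can then open a TLS connection to the switch to confirm that the CA-issued certificate is actually being served once "ip https ssl-server-policy" is in place. The following is an added example written for this thread, not DIYO's or HPE's code. It assumes a CA named "Windows-Server-CA" on 172.16.16.5, the CSR text copied from the switch console saved as C:\temp\switch.csr, C:\temp as working directory, the FTP account "admin" from step 1c, and an optional certificate template name that only matters on an enterprise CA; none of those names appear in the thread beyond the IP addresses and the entity common name. One caveat the probe reports: a browser matches the host in the URL against the certificate's Subject Alternative Name, so a certificate issued for comware7.hpnlab.local still produces a warning when the switch is opened as https://172.16.16.3 unless the request carried that IP as a SAN entry or the switch is opened by its DNS name.

```powershell
<#
 Added example (not from the thread, not HPE code): steps 3a, 3c, 3d with the
 Windows CA command-line tools, then a TLS probe of the switch.
 Assumed values: CA "Windows-Server-CA" on 172.16.16.5, CSR in C:\temp\switch.csr,
 working dir C:\temp, FTP user "admin", optional enterprise template name.
#>
param(
    [string]$CaConfig   = '172.16.16.5\Windows-Server-CA',   # "CAHost\CAName" (assumed CA name)
    [string]$CsrFile    = 'C:\temp\switch.csr',              # PEM from "pki request-certificate domain hpnlab pkcs10"
    [string]$SwitchIp   = '172.16.16.3',
    [string]$SwitchName = 'comware7.hpnlab.local',           # common-name set under "pki entity comware7"
    [string]$Template   = '',                                # e.g. 'WebServer' on an enterprise CA; empty on a stand-alone CA
    [string]$Work       = 'C:\temp'
)
$ErrorActionPreference = 'Stop'
$ftpCred = Get-Credential -UserName 'admin' -Message 'Password of local-user admin (FTP) on the switch'

# Normalise a certificate file (Base64 or DER) to DER, which is what
# "pki import domain <domain> der ..." on the switch expects.
function ConvertTo-Der {
    param([string]$InFile, [string]$OutFile)
    $c = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($InFile)
    [IO.File]::WriteAllBytes($OutFile, $c.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert))
    return $c
}

# 3a) CA certificate, same content as "Download a CA certificate" on the certsrv page
certutil -config $CaConfig -ca.cert "$Work\ca_raw.cer" | Out-Null
$ca = ConvertTo-Der "$Work\ca_raw.cer" "$Work\certca.cer"

# 3c) submit the switch CSR; a stand-alone CA normally holds it as "pending"
$attrib = if ($Template) { @('-attrib', "CertificateTemplate:$Template") } else { @() }
$certreqArgs = @('-submit', '-config', $CaConfig) + $attrib + @($CsrFile, "$Work\switch_raw.cer")
$text = (& certreq @certreqArgs) -join "`n"          # join: -match only fills $Matches on a string
if ($text -match 'RequestId:\s*(\d+)') {
    $id = $Matches[1]
    if ($text -match 'pending') {
        certutil -config $CaConfig -resubmit $id | Out-Null      # approve (needs CA admin rights)
        certreq -retrieve -config $CaConfig $id "$Work\switch_raw.cer" | Out-Null
    }
}
if (-not (Test-Path "$Work\switch_raw.cer")) {
    throw "Request $id was not issued; approve it in the Certification Authority console and retrieve it with certreq -retrieve"
}
$switchCert = ConvertTo-Der "$Work\switch_raw.cer" "$Work\certpkientity.cer"
if ($switchCert.Issuer -ne $ca.Subject) { throw "Issued certificate was not signed by $($ca.Subject)" }

# 3d) upload both DER files to flash:/ on the switch (FTP, binary mode)
function Send-FtpFile {
    param([string]$LocalPath, [string]$RemoteUri, [pscredential]$Cred)
    $req = [System.Net.FtpWebRequest]::Create($RemoteUri)
    $req.Method      = [System.Net.WebRequestMethods+Ftp]::UploadFile
    $req.UseBinary   = $true
    $req.UsePassive  = $true          # set to $false (PORT mode, as in the ftp.exe session above) if PASV is refused
    $req.Credentials = $Cred.GetNetworkCredential()
    $bytes = [IO.File]::ReadAllBytes($LocalPath)
    $s = $req.GetRequestStream(); $s.Write($bytes, 0, $bytes.Length); $s.Close()
    $req.GetResponse().Close()
}
Send-FtpFile "$Work\certca.cer"        "ftp://$SwitchIp/certca.cer"        $ftpCred
Send-FtpFile "$Work\certpkientity.cer" "ftp://$SwitchIp/certpkientity.cer" $ftpCred
# On the switch (step 3e): pki import domain hpnlab der ca    filename flash:/certca.cer
#                          pki import domain hpnlab der local filename flash:/certpkientity.cer

# Check: which certificate does the switch present once the SSL policy is bound?
function Get-PresentedCertificate {
    param([string]$TargetHost, [int]$Port = 443)
    $tcp = New-Object System.Net.Sockets.TcpClient($TargetHost, $Port)
    # the callback accepts anything only so the handshake completes; trust is judged below
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, { $true })
    $ssl.AuthenticateAsClient($TargetHost)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    $ssl.Dispose(); $tcp.Close()
    return $cert
}
$live = Get-PresentedCertificate $SwitchIp
$san  = ($live.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' } | ForEach-Object { $_.Format($false) })
"self-signed (subject == issuer): $($live.Subject -eq $live.Issuer)"
"serves the certificate issued above: $($live.Thumbprint -eq $switchCert.Thumbprint)"
"subject: $($live.Subject); SAN: $san"
if ($san -notmatch "\b$([regex]::Escape($SwitchIp))\b") {
    Write-Warning "No SAN entry for $SwitchIp : browsing to https://$SwitchIp will still warn; open https://$SwitchName (DNS SAN) or request the certificate with the IP as a SAN"
}
```

Run it on the CA host as a user allowed to submit and, for a pending request, approve requests. The thumbprint comparison is the definitive check for ITFred's symptom (certificate visible under PKI but HTTPS still self-signed): until "ip https ssl-server-policy hpnlab" has been applied with the HTTP/HTTPS services stopped and restarted, the probe keeps reporting a self-signed certificate even though the import succeeded.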

DIYO
HPE Pro

Re: Problem with SSL Certificate

I have found one error: "localdomain" in step 3b should be "hpnlab" from step 2b.