Solution: oc200, installing your own certificate from a pfx file

2020-09-22 11:22:03 - last edited 2020-09-23 08:05:37
Model: OC200  
Hardware Version:
Firmware Version: 4.1.5

Starting with version 4.1.5 you can install your own certificate within the oc200 appliance device.

I was struggling to achieve this, so here is my recipe on how to achieve it.

1) We start with an "oc200.pfx" file. This is the starting point for me.
It is beyond the scope of this recipe to explain how to get it; for me, I got it from my own Active Directory Certificate Authority. The file contains the private key, the certificate, the root certificate and intermediary certificates.

Suffice to say, the file is secured with a password; I used "pfxpassword" for this solution.

2) You will need Java installed on your machine. A JRE is sufficient, as we only need the "keytool.exe" file.

3) Now onto the magic. Here is how you convert the pfx into a jks file:

keytool -importkeystore -srckeystore oc200.pfx -srcstoretype pkcs12 -destkeystore oc200.jks -deststoretype JKS

You will be asked for a password; I chose "jkspassword".

4) Now all you need to do is upload the "oc200.jks" file to the controller, enter the two passwords, save everything at the bottom of the page, reboot the device and you are greeted with your own certificate.

 

 

Re: Solution: oc200, installing your own certificate from a pfx file
2020-09-22 12:57:53 - last edited 2020-09-23 08:05:37

@ronecker, note that the proprietary JKS keystore encryption format is deprecated since 2014. The default encryption format for Java keystores officially introduced in 2017 is PKCS12. If your certificate uses modern ciphers, chances are that keytool cannot encrypt them into JKS format.

Unfortunately SDN Controller refuses to upload PKCS12-encrypted certificates, albeit the controller can handle the PKCS12 encryption format pretty well since version 2.5. It's just the SDN Controller's web UI which refuses to upload this format (in the software controller it can be installed manually). This is considered a bug and it has been reported already to TP-Link. According to TP-Link support this bug will be fixed in a future version of SDN Controller, including the OC200 firmware.

Re: Solution: oc200, installing your own certificate from a pfx file
2020-09-22 14:31:15 - last edited 2020-09-23 08:05:37

@R1D2 as you correctly point out, JKS is deprecated, and, again correctly, it is the only accepted format for upload on the oc200 hardware.

So we are stuck with JKS until the upload limitation gets changed in an upcoming release.

The command in 3) above would change into

keytool -importkeystore -srckeystore oc200.pfx -srcstoretype pkcs12 -destkeystore oc200.p12 -deststoretype PKCS12

As a result you have a file named "oc200.p12" to work with.

In my example I used an "RSA 2048-bit, sha256" certificate. Not great, but OK for the job.
Sure, if you are looking into ECDSA and similar encryptions, you hit limitations.

Re: Solution: oc200, installing your own certificate from a pfx file
2020-09-22 14:49:21 - last edited 2020-09-23 08:05:37

@ronecker, I fully agree. I just added the note b/c users of the Software Controller (not OC200) often need to add their public certificate signed by an official certificate authority if the controller runs in the cloud or on an Internet server (as for example our controller does).

In this case they can use PKCS12 already and install it manually since the SW controller's web UI has the same limitations as the OC200.

Re: Solution: oc200, installing your own certificate from a pfx file
2021-02-06 03:08:04

@ronecker Having just spent a couple of hours on this because Chrome won't even talk to the OC200 with its stock "localhost" certificate(*), here is what I got to.

You need:

  • crt file you created (I made mine with the CA built into pfSense)
  • Matching key file
  • Root CA crt file (in my case that's NSA.crt - short for no such agency :-)

Then I had to combine them into a pkcs12 file:

openssl pkcs12 -export -in OC200.crt -inkey OC200.key -out OC200.p12 \
 -CAfile NSA.crt -caname root -name OC200 -chain

It will ask you for a password - add one according to taste.

Then, using keytool, turn that into a JKS:

keytool -importkeystore -srckeystore OC200.p12 -destkeystore OC200.jks \
 -deststoretype JKS -srcstoretype pkcs12 -srcstorepass "yourpassword"

It will ask you for a password for the JKS file - I used the same one.

Chaining the root was the part that took a while to figure out: our internal root cert is already in my Mac's trust store, but it needed to be in the jks file as well for it to work.

(*) Since V69 or so Chrome (and Brave) won't accept self-signed certs if the common name doesn't match the URL. Luckily Safari will, so I could use that to install the new cert.

 

 

 

 
