Certificate Chain with HTTPS module

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.

2023-04-15 14:54:05
Model: TL-SG3210  
Hardware Version: V3
Firmware Version: 3.0.7 Build 20221130 Rel.42340

Hello,

I'm trying to get HTTPS to work on my TL-SG3210 switch.

Unfortunately I'm not able to get a certificate chain working with the HTTPS module.

I tried the following two formats:

Bag Attributes
    localKeyID: XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX 
    friendlyName: XXXXXXXXXXXX
subject=/C=<COUNTRY_CODE>/ST=stateOrProvinceName/L=Locality/O=Organisation/CN=xxxx/emailAddress=email
issuer=/C=<COUNTRY_CODE>/ST=stateOrProvinceName/L=Locality/O=Organisation/CN=domains CA/emailAddress=email
-----BEGIN CERTIFICATE-----
*
-----END CERTIFICATE-----
Bag Attributes: <No Attributes>
subject=/C=<COUNTRY_CODE>/ST=stateOrProvinceName/L=Locality/O=Organisation/CN=domains CA/emailAddress=email
issuer=/C=<COUNTRY_CODE>/ST=stateOrProvinceName/L=Locality/O=Organisation/CN=root CA/emailAddress=email
-----BEGIN CERTIFICATE-----
*
-----END CERTIFICATE-----
Bag Attributes: <No Attributes>
subject=/C=<COUNTRY_CODE>/ST=stateOrProvinceName/L=Locality/O=Organisation/CN=root CA/emailAddress=email
issuer=/C=<COUNTRY_CODE>/ST=stateOrProvinceName/L=Locality/O=Organisation/CN=root CA/emailAddress=email
-----BEGIN CERTIFICATE-----
*
-----END CERTIFICATE-----
Bag Attributes
    localKeyID: XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX 
    friendlyName: XXXXXXXXXXXX
Key Attributes: <No Attributes>

And one without attributes:

-----BEGIN CERTIFICATE-----
*
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
*
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
*
-----END CERTIFICATE-----

In both cases, the file gets rejected.

If I only provide one certificate in the file, it works.

This guide talks about the format which certificates need to have.

It only says that

-----BEGIN CERTIFICATE-----
*
-----END CERTIFICATE-----

is supported.

Is it possible to have the switch use a certificate with a chain instead of just a certificate?

Kind regards

#1
Re:Certificate Chain with HTTPS module
2023-04-16 03:17:19

@Marco2023

To access a switch with HTTPS, only a server certificate is required on the switch. It is always a single certificate. The validation chain for that certificate is to be installed on the client side, that is, the device you use to access the switch.

Kris K
#2
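
Added example, not part of the thread or of the vendor's documentation: since a file with exactly one certificate is accepted, this Python code parses an `openssl pkcs12`-style dump like the one in the first post, orders it leaf to root by subject/issuer name, and returns only the server certificate as a bare PEM block. The sample input with its dummy base64 bodies is constructed and the function names are hypothetical; name matching is a heuristic, not signature verification.

```python
import re
# Constructed sample shaped like the first post's dump; base64 bodies are dummies.
SAMPLE = """\
Bag Attributes
    friendlyName: example
subject=/C=XX/O=Example/CN=switch.example
issuer=/C=XX/O=Example/CN=domains CA
-----BEGIN CERTIFICATE-----
TEVBRg==
-----END CERTIFICATE-----
Bag Attributes: <No Attributes>
subject=/C=XX/O=Example/CN=domains CA
issuer=/C=XX/O=Example/CN=root CA
-----BEGIN CERTIFICATE-----
SU5URVJNRURJQVRF
-----END CERTIFICATE-----
Bag Attributes: <No Attributes>
subject=/C=XX/O=Example/CN=root CA
issuer=/C=XX/O=Example/CN=root CA
-----BEGIN CERTIFICATE-----
Uk9PVA==
-----END CERTIFICATE-----
"""

ENTRY = re.compile(
    r"^subject=(?P<subject>[^\n]*)\nissuer=(?P<issuer>[^\n]*)\n"
    r"(?P<pem>-----BEGIN CERTIFICATE-----\n.*?-----END CERTIFICATE-----)",
    re.MULTILINE | re.DOTALL)

def parse_bundle(text):
    """Return (subject, issuer, pem) for each certificate in the dump."""
    return [(m["subject"].strip(), m["issuer"].strip(), m["pem"])
            for m in ENTRY.finditer(text.replace("\r\n", "\n"))]

def order_chain(entries):
    """Order leaf -> root by issuer name (a heuristic, no signature check)."""
    issuing = {iss for subj, iss, _ in entries if subj != iss}
    leaves = [e for e in entries if e[0] not in issuing]  # nobody is issued by a leaf
    if len(leaves) != 1:
        raise ValueError(f"expected one leaf certificate, found {len(leaves)}")
    by_subject = {e[0]: e for e in entries}
    chain, current = [], leaves[0]
    while current is not None and current not in chain:  # stops at a self-signed root
        chain.append(current)
        current = by_subject.get(current[1])  # step up to the issuer, if present
    return chain

def leaf_pem(text):  # bare single-certificate PEM, Bag Attributes stripped
    return order_chain(parse_bundle(text))[0][2] + "\n"
```

Writing the result of `leaf_pem()` to a file gives the single-certificate form; the intermediate and root blocks from `order_chain()` are the ones a client would need to trust.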
Re:Certificate Chain with HTTPS module
2023-04-16 20:06:50

@KJK I'm aware that you can mitigate the issue by having the client trust the entire certificate chain.

However, this is usually not how it's done and I'm kind of disappointed that I'm not able to have the HTTPS server serve the entire certificate chain.

#3
Re:Certificate Chain with HTTPS module
2023-04-17 08:01:57 - last edited 2023-04-17 08:02:52
Just striving to develop myself while helping others.
#4
Re:Certificate Chain with HTTPS module
2023-04-17 15:16:02

@Virgo Unfortunately this doesn't work for me.

I created the .pfx the same way OP did except for the -legacy flag because my system doesn't support it:

openssl pkcs12 -export -inkey privkey.pem -in fullchain.pem -out certificate_legacy.pfx -name eap -passout pass:admin

Also, I don't know what password to specify.

However, specifying my login password, or an empty password both don't work: the file gets rejected.

I'm not using Omada Controller by the way.

#5