4

Since it’s quite annoying to get the invalid certificate warning every time I connect to my switch, I want to install a custom HTTPS certificate signed by a Certificate Authority my machines trust. But I can’t figure out Netgear’s ridiculous certificate configuration UI. It only gives the option to upload the following:

  • SSL Trusted Root Certificate PEM File
  • SSL Server Certificate PEM File
  • SSL DH Weak Encryption Parameter PEM File
  • SSL DH Strong Encryption Parameter PEM File

There’s no option to upload a key, or to generate a CSR on the switch (like any sane security system would). The Netgear forums indicate there’s some magic combination of how to do this, but most posts are either incomplete or don’t advise how to get a CA-signed cert to work (only a lone, self-signed key). The official manual is even less helpful, saying nothing more than “[ensure] the file is in the correct format”.

What’s the right way to configure this?

Andrew Marshall
  • 414
  • 4
  • 13

6 Answers6

4

First, this should work on any Netgear firmware with a similar UI, but for reference, this is a GS724Tv4 with firmware 6.3.0.9.

I’m going to assume existing knowledge of how to create a root CA, intermediate CA, and create and sign certificates (if not, see e.g. OpenSSL Certificate Authority). We’ll need the following:

  • Root CA certificate (root.cert.pem)
  • Intermediate CA certificate (intermediate.cert.pem)
  • Server certificate with commonname for the switch (switch.cert.pem)
  • Server key corresponding to the server certificate (switch.key.pem)
  • DH 1024-bit params, perhaps 2048-bit would be better (dhparams.pem)

Create two files:

  • The cert chain: cat root.cert.pem intermediate.cert.pem > ca-chain.pem
  • The certificate + key: cat switch.cert.pem switch.key.pem > switch-combined.pem

In the switch’s web UI:

  1. Security → Access → HTTPS → HTTPS Configuration → Set “HTTPS Admin Mode” to “Disable”, Apply.
  2. Security → Access → HTTPS → Certificate Management → Set “Delete Certificates”, Apply.
  3. Maintenance → Download → HTTP File Download
    1. Select “SSL DH Strong Encryption Parameter PEM File”, and choose dhparams.pem, Apply.
    2. Select “SSL Trusted Root Certificate PEM File”, and choose ca-chain.pem, Apply.
    3. Select “SSL Server Certificate PEM File”, and choose switch-combined.pem, Apply.
  4. Security → Access → HTTPS → Certificate Management → Verify indicates “Certificate Present: Yes”.
  5. Security → Access → HTTPS → HTTPS Configuration → Set “HTTPS Admin Mode” to “Enable”, Apply.

Now you should have working HTTPS with your CA-signed cert.

Andrew Marshall
  • 414
  • 4
  • 13
  • For reference, a self-signed certificate can be installed by uploading just `switch-combined.pem` and `dhparams.pem`. The `switch-combined.pem` file can be used for both the "Trusted Root" and the "Server Certificate" (not sure if both are necessary). My system is a GS108Tv2 with firmware 5.4.2.33. – Roger Dueck Nov 04 '19 at 20:11
  • FWIW, this does not work on a GS308T (S350-series) switch. I've tried the above as well as the other answer below. The switch says it takes the certificates and they're present, but upon re-enabling HTTPS access, the switch just generates new self-signed certificates and overwrites my custom ones. I have opened a case w/ Netgear about this, as either there are specific parameters needed for the certificates or there is a bug in the firmware. – Kumba Apr 20 '20 at 01:52
  • Can confirm this works on the GS110TP switch too. You are however limited to 2048-bit RSA keys. (Can't use anything bigger.) – Adambean May 21 '20 at 09:41
2

Do not try to use a 2048 bit DH Strong encryption parameter as it prevented HTTPS Admin Mode from working. The certificate management tab would show that a certificate was present.

However, the GUI interface would give errors about being unable to find some missing functions when attempting to enable HTTPS Admin Mode and while the GUI would show that it was enabled, nothing would listen on the assigned port.

Disabling the HTTPS Admin Mode, deleting the certificates and following the certificate loading sequence above with a 1024-bit DH strong encryption parameter got it to work.

Pierre.Vriens
  • 1,159
  • 34
  • 15
  • 19
Woodogre
  • 21
  • 1
1

The GS308Tv1 with firmware 1.0.0.12 is different again.

  • The "SSL Trusted Root Certificate PEM File" should contain the Server Certificate only.

  • The "SSL Server Certificate PEM File" should contain the Intermediate Certificate (optional) followed by the Server Private Key.

If you repeat the Server Certificate in the second file then it will be duplicated in the TLS connection, which is invalid (but still works for self-signed certificates). The Root Certificate should not be uploaded to the switch.

  • The "SSL DH Weak Encryption Parameter PEM File" expects 512 bits.
  • The "SSL DH Strong Encryption Parameter PEM File" expects 1024 bits.

This switch supports TLSv1.2 and will accept a 4096-bit RSA key as well as the SHA512 signature algorithm (it's just running Linux/OpenSSL/Lighttpd).

I recommend using a 2048-bit RSA key (the same as the automatically generated self-signed certificate) because 4096-bit RSA is 3 times slower to connect and may degrade the performance of the switch.

Simon
  • 11
  • 3
0

I've messed around with the installation on a GS108Tv2 with firmware version V7.0.9.5. What a nightmare!

The instructions at the top didn't worked for me. But after a lot of try-and-error I finaly got it run!

As described you need the CA, Intermediate (if existing) and the server certificate as well as the key in PEM (Base64) format.

Copy the certificates into a single file. It seems that the order of the certificates is important (top=server, middle=intermediate, bottom=CA)

  • Windows CMD: type Server.pem Intermediate.pem CA.pem > CertChain.pem

Now upload the CertChain.pem as “SSL Trusted Root Certificate PEM File”, and the file with the server certificae key only as “SSL Server Certificate PEM File”. Also upload the DH Parameters based on the RSA key size of the server certificate.

JasMan
  • 1
0

As of firmware version 6.3.1.43 on the GS724Tv4, uploading the “SSL DH Strong Encryption Parameter PEM File” no longer seems to be necessary because the switch just generates them automatically. You only need the “SSL Trusted Root Certificate PEM File” and the “SSL Server Certificate PEM File”.

One thing to note, however, is that the certificate's private key must be RSA - it does not work with an EC private key.

0

I ran into an issue with the ProSAFE M4300 switches that caused Andrew Marshall's steps to not work.

The "Trusted Root" cert should only be the Root CA's cert and not include the intermediary. The "Server cert file" should contain the key, the server's cert, and then any intermediaries (excluding the root). Following the original solution as posted resulted in SSL protocol errors.

All other steps remained the same otherwise.