
Please improve OpenSSL compatibility for SSL

May 3rd, 2014

It would be nice if CSRs generated through the web interface were compliant with OpenSSL.

 

The problem is that CSRs cannot be parsed by OpenSSL the way that they are shown in the HTML page:

openssl req -in csr.txt -noout -text says:

unable to load X509 request

139838211532448:error:0906D064:PEM routines:PEM_read_bio:bad base64 decode:pem_lib.c:805:

 

The reason for this is simple: OpenSSL expects the CSR to be wrapped after 64 characters but the SG300 generates them in a single line. Manually rewrapping the CSR allowed me to process the CSR in OpenSSL – but that's a fact that took about 8h to figure out...

 

Also: I was not able to import a public/private key combination that was generated through OpenSSL. One of the reasons is that the SG300 expects the banner for the public key to be BEGIN RSA PUBLIC KEY whereas OpenSSL seems to use BEGIN PUBLIC KEY. Even after fixing the header, all I managed to get was Failed to load public key. Finally, I gave up trying and used the CSR way to install the certificate. It would be great if the SSL handling were a little smoother. Thanks!

 

Firmware version is 1.3.7.18

chrebert Mon, 05/05/2014 - 03:41

Hello Dirk,

Your best bet for something like this would be to give us a call and ask to open a support case.  Give the technician a link to this post and ask for an escalation for a feature request/bug.  I can't guarantee what will be done about it, it may be working as intended, but I can get it to the right people.

Cisco Small Business Support Center Contact Numbers

Thank you for choosing Cisco,

Christopher Ebert - Network Support Engineer

Cisco Small Business Support Center

Dirk Dittert Wed, 05/14/2014 - 03:45

I'm sorry, I can't do that. I just got a nice strong kick in the butt for spending some extra time trying to help Cisco improve its products:

from Prem Baburaj to All Participants:
I am afraid that the remote tech warranty and online chat support warranty is expired on the device.
from Prem Baburaj to All Participants:
Without this support I am unable to escalate the case for new feature request

To import a public/private key combination that was generated through OpenSSL, you need to transform them a little bit.

1) extract the public key using the following command:

openssl rsa -in cert.pem -RSAPublicKey_out -out rsapubkey.pem

   it will generate a banner using BEGIN RSA PUBLIC KEY

2) in a hex editor, using the RSA public key PEM file:
    remove all 0a characters BUT
    ○ the one just after -----BEGIN RSA PUBLIC KEY-----
    ○ the one just before -----END RSA PUBLIC KEY-----
    (remove the last 0a character too)

3) extract the plaintext RSA private key from the PEM file using the following command:

openssl rsa -in cert.pem -out rsakey.pem

    it will generate a banner using BEGIN RSA PRIVATE KEY

4) in a hex editor, using the RSA plaintext private key PEM file:
    remove all 0a characters BUT
    ○ the one just after -----BEGIN RSA PRIVATE KEY-----
    ○ the one just before -----END RSA PRIVATE KEY-----
    (remove the last 0a character too)

5) just copy/paste the updated file contents into the Cisco web interface

For the certificate itself, in a hex editor, using the PEM file:
 - remove everything before -----BEGIN CERTIFICATE-----
 - remove everything after -----END CERTIFICATE-----
(remove the last 0a character too, but keep all 0a characters between the two previous tags. There is one every 64 characters)

After all this stuff, it should work! (it worked for me)
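The newline surgery described in the steps above (one 0a after the BEGIN line, one before the END line, nothing else), and the reverse operation the original post needed (rewrapping the SG300's single-line CSR at 64 characters so `openssl req` accepts it), as an added Python example; this is not code from this thread, from Cisco or from OpenSSL. It assumes only that the PEM body is plain base64 between a matching BEGIN/END pair, validates that base64 before emitting anything so a damaged paste is caught early, and the sample block is constructed from placeholder bytes rather than a real key.

```python
import base64
import binascii
import re

# Matches one PEM block: BEGIN line, base64 body (with any line breaks), matching END line.
PEM_RE = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----(?P<body>.*?)-----END (?P=label)-----",
    re.DOTALL,
)


def parse_pem(text):
    """Return (label, base64 body with all whitespace removed) for the first PEM
    block in text. Raise ValueError if there is no block or the body is not base64,
    so a damaged file is rejected before it reaches the device."""
    m = PEM_RE.search(text)
    if m is None:
        raise ValueError("no PEM block found")
    body = re.sub(r"\s+", "", m.group("body"))
    try:
        base64.b64decode(body, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"PEM body is not valid base64: {exc}") from exc
    return m.group("label"), body


def rewrap_pem(text, width=64):
    """Re-emit the block with the body wrapped at `width` characters, the layout
    openssl expects; this is the manual rewrap of the single-line SG300 CSR."""
    label, body = parse_pem(text)
    lines = [body[i:i + width] for i in range(0, len(body), width)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


def flatten_pem(text):
    """Re-emit the block for the SG300 key import: one 0a after the BEGIN line, one
    before the END line, no trailing newline (steps 2 and 4 of the procedure above)."""
    label, body = parse_pem(text)
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----"


def trim_certificate(text):
    """Keep only the certificate block, with its per-64-character line breaks, and
    drop anything before BEGIN, anything after END, and the final newline."""
    parse_pem(text)  # validates the base64 before the block is trusted
    m = PEM_RE.search(text.replace("\r\n", "\n"))
    if m.group("label") != "CERTIFICATE":
        raise ValueError(f"expected a CERTIFICATE block, found {m.group('label')}")
    return m.group(0)


# Constructed sample: placeholder bytes, not a real key or CSR, base64-encoded
# and emitted on a single line the way the SG300 web page shows a CSR.
SAMPLE_DER = b"constructed sample payload, not a real key " * 4
SAMPLE_ONE_LINE = (
    "-----BEGIN CERTIFICATE REQUEST-----\n"
    + base64.b64encode(SAMPLE_DER).decode("ascii")
    + "\n-----END CERTIFICATE REQUEST-----\n"
)

if __name__ == "__main__":
    wrapped = rewrap_pem(SAMPLE_ONE_LINE)
    print(wrapped)                      # layout that openssl req -in ... -noout -text parses
    print(repr(flatten_pem(wrapped)))   # layout the SG300 key import form wants
```

This only handles the line breaks; the BEGIN RSA PUBLIC KEY header itself still comes from `openssl rsa -RSAPublicKey_out` as in step 1. Before pasting anything into the switch, run `openssl req -in <rewrapped file> -noout -text` (or `openssl rsa -in <file> -noout -check` for a private key) on the transformed file to confirm OpenSSL still parses it.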
