
Author Topic: Certificate manager and generating public keys  (Read 443 times)


Offline stats2909

  • Newbie
  • *
  • Posts: 12
  • Karma: +0/-0
    • View Profile
Certificate manager and generating public keys
« on: December 28, 2017, 08:54:35 am »
Hi,

Not very experienced here, and definitely not a Linux/command line pro!

I'm trying to produce certificates for my Netgear GS728TP switch.  I've done it for a few other things but this time I'm stumped!

I've produced the cert on pfSense as usual, and have the private key, the pk12 and the cert... but no public key, and the switch wants the private and public keys as well as the certificate pasting in.

How do I create a public key!?!? 

Thanks in advance

Offline Derelict

  • Global Moderator
  • Hero Member
  • *****
  • Posts: 10260
  • Karma: +1177/-313
    • View Profile
Re: Certificate manager and generating public keys
« Reply #1 on: December 28, 2017, 12:00:58 pm »
They are probably talking about the private key and the certificate.

What is the certificate on the switch for? An https web interface?

(pfSense is based on FreeBSD not Linux.)
Las Vegas, Nevada, USA
Use this diagram to describe your issue.
The pfSense Book is now available for just $24.70!
Do Not PM For Help! NO_WAN_EGRESSTM

Offline stats2909

Re: Certificate manager and generating public keys
« Reply #2 on: December 28, 2017, 12:05:33 pm »
Thanks for the reply....

.... I thought this too, as that's all I've ever used in the past.  I've attached the screenshot where they want it all.  I've tried missing the public key out and the interface says it needs them both.

I've got the cert, the private RSA key (and a public.pem key) but I can't for the life of me figure out how to get the public RSA key!

Yes, it's for an https web interface on a Netgear GS728TP

:)

Offline Derelict

Re: Certificate manager and generating public keys
« Reply #3 on: December 28, 2017, 12:17:34 pm »
Honestly I have no idea what they are asking for there.

Generally the three fields are for:

Private Key
Certificate
Intermediate CA (if any)

Offline stats2909

Re: Certificate manager and generating public keys
« Reply #4 on: December 28, 2017, 12:19:00 pm »
Agreed...  I've been tearing my hair out all day trying to work it out!

Netgear seem to be really bad at the SSL side of things!

 :-[

Offline Derelict

Re: Certificate manager and generating public keys
« Reply #5 on: December 28, 2017, 12:25:45 pm »
There is probably a way to make openssl extract that. Give me a bit.

It's pretty stupid that they make you do that (I've never seen any other device on the planet ask for that for a web server certificate) but... it's Netgear so that pretty much explains away any crappiness you might find.

Offline stats2909

Re: Certificate manager and generating public keys
« Reply #6 on: December 28, 2017, 12:28:38 pm »
Really appreciate the help.  They always seem to have some foible that makes these simple things really awkward! 

If it helps, I'm running pfSense to generate certificates.

(any recommendations for switches that are similarly priced and spec'd?)

Offline Derelict

Re: Certificate manager and generating public keys
« Reply #7 on: December 28, 2017, 12:38:03 pm »
Try this:

Diagnostics > Edit File

Put /tmp/switch.key in the path and paste the private key in the main text window, with the begin and end lines included, and save.

Then Diagnostics > Command Prompt

Execute this shell command:

openssl rsa -in /tmp/switch.key -RSAPublicKey_out

Try using that output (don't copy that first "writing" line) in the public key field along with the cert and private key.

If it doesn't like that try the output from:

openssl rsa -in /tmp/switch.key -pubout

If that doesn't work I'm out of ammo and you might consider either calling Netgear or trying their forum.

Offline stats2909

Re: Certificate manager and generating public keys
« Reply #8 on: December 28, 2017, 12:57:25 pm »
Well, it's getting further than before!

But it's now saying "inconsistent value", whatever that means!

What I've done is:

1. used the .crt file as supplied by pfSense
2. used the .key private key file as you directed to give the RSA public key
3. generated the RSA private key file for the Netgear web GUI by using the following: openssl rsa -in ssl.key -out ssl.key

I've a feeling stage 3 could be the place it's going wrong!

How should I be getting the RSA private key from the pfSense files?


Thank you so much btw - I've asked in Netgear forums too :)

Offline johnpoz

  • Hero Member
  • *****
  • Posts: 15753
  • Karma: +1472/-210
  • Not a pfSense employee, they cannot fire me...
    • View Profile
Re: Certificate manager and generating public keys
« Reply #9 on: December 28, 2017, 01:06:50 pm »
I ran into a similar problem with the sg300 switch.. Public key is normally part of the cert.. That they want it on its own is pretty much nonsense.. Just create a CSR and have your cert manager sign it.. You can add whatever SAN you want to add when you sign it with the cert manager..

See this thread about using cert manager and other devices.
https://forum.pfsense.org/index.php?topic=141496.0
- An intelligent man is sometimes forced to be drunk to spend time with his fools.
- Please don't PM me for personal help
- if you want to say thanks applaud or https://www.freebsdfoundation.org/donate/
1x SG-2440 2.4.3-RELEASE (work)
1x SG-3100 2.4.3-RELEASE (work)
1x SG-4860 2.4.3-RELEASE (home)

Offline Derelict

Re: Certificate manager and generating public keys
« Reply #10 on: December 28, 2017, 01:10:11 pm »
Click the export key button on the certificate in the Certificate Manager. Use that as /tmp/switch.key.

You have to derive the public key from the same private key that generated the modulus that was signed in the certificate. That is also what gets pasted into the switch private key field.

Given that the exported format there is PRIVATE KEY not RSA PRIVATE KEY I would try -pubout first then -RSAPublicKey_out if that does not work.

Yeah, John, since the public key can be derived from the private key, making the user jump through this hoop is asinine.

Only increases my disdain for Netgear and every product they make. I despise the brand in its entirety.

Yeah - or generate a CSR and sign that.

Offline johnpoz

Re: Certificate manager and generating public keys
« Reply #11 on: December 28, 2017, 01:23:59 pm »
It's worse than that, Derelict: the public key is actually part of the CERT.. There is no reason at all to post it on its own..

openssl x509 -pubkey -noout -in cert.pem  > pubkey.pem

So really have no idea why they go through such nonsense..  There is no need to post the public key extra.. All that is needed for the server to be able to use that cert is the cert file and the key file..  And the CA that they can hand out in the chain, etc.

I went through a bunch of nonsense in the latest beta of the sg300 firmware wanting specific format and key length issues, etc..  Just create the CSR on the switch, it was listed there in his screen shot.  Sign it and add whatever SAN you want.  Since pretty sure their csr will be very limited and only have CN.. When most browsers these days will balk unless there is a SAN matching the CN as well, etc.
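The two replies above describe three things that must share one public key: the private key, the public key derived from it (in either output format), and the certificate. The following is an added example, not code from any poster in this thread, that checks this with the same `openssl rsa` and `openssl x509 -pubkey` options; the file names, the CN and the helper function names are constructed, and a throwaway key and self-signed certificate stand in for the pfSense exports. What the switch itself validates is not documented in the thread.

```shell
#!/bin/sh
# Added example: confirm private key, public key and certificate all match.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

make_samples() {
    # Constructed sample data: PKCS#8 "PRIVATE KEY" plus a self-signed cert,
    # and a second unrelated key to demonstrate a mismatch.
    for k in switch other; do
        openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
            -out "$WORK/$k.key" 2>/dev/null
    done
    openssl req -new -x509 -key "$WORK/switch.key" -days 1 \
        -subj "/CN=switch.example.test" -out "$WORK/switch.crt" 2>/dev/null
    # The two public key formats suggested in the thread.
    openssl rsa -in "$WORK/switch.key" -RSAPublicKey_out 2>/dev/null > "$WORK/pub_pkcs1.pem"
    openssl rsa -in "$WORK/switch.key" -pubout 2>/dev/null > "$WORK/pub_spki.pem"
}

# Each helper prints the public key as a "BEGIN PUBLIC KEY" PEM block,
# or nothing if the input cannot be parsed.
key_spki()  { openssl rsa -in "$1" -pubout 2>/dev/null; }
cert_spki() { openssl x509 -in "$1" -pubkey -noout 2>/dev/null; }
pub_spki() {
    if grep -q 'BEGIN RSA PUBLIC KEY' "$1"; then
        # PKCS#1 form, as written by -RSAPublicKey_out
        openssl rsa -RSAPublicKey_in -in "$1" -pubout 2>/dev/null
    else
        # SubjectPublicKeyInfo form, as written by -pubout
        openssl rsa -pubin -in "$1" -pubout 2>/dev/null
    fi
}

# usage: check_set PRIVATE_KEY CERT PUBLIC_KEY ; returns 0 only if all agree
check_set() {
    k=$(key_spki "$1"); c=$(cert_spki "$2"); p=$(pub_spki "$3")
    [ -n "$k" ] && [ "$k" = "$c" ] && [ "$k" = "$p" ]
}

make_samples
for pub in pub_pkcs1.pem pub_spki.pem; do
    check_set "$WORK/switch.key" "$WORK/switch.crt" "$WORK/$pub" \
        && echo "$pub: key, cert and public key agree"
done
check_set "$WORK/other.key" "$WORK/switch.crt" "$WORK/pub_spki.pem" \
    || echo "other.key: does not match the certificate"
```

When following the procedure from Reply #7 on the firewall itself, delete /tmp/switch.key once the public key has been copied out, since it holds the private key in a world-readable temp directory path.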

Offline stats2909

Re: Certificate manager and generating public keys
« Reply #12 on: December 28, 2017, 01:35:19 pm »
What a loathsome piece of equipment....  I've done everything right to import the certificates, all fresh from the pfSense files, and it's still saying "inconsistent value", whatever that means!


I'll try the signing root now and see if I have any more luck! 

thanks both :)

Offline stats2909

Re: Certificate manager and generating public keys
« Reply #13 on: December 28, 2017, 01:44:16 pm »
OK - sorry for my ignorance here... it's really starting to show!

I created the CSR, went back into pfSense and signed it with my intermediate CA.  I didn't add any key info as I figured the Int. CA would have this itself.

That's now done and sitting in pfSense.

Going back to the switch, what do I change?  It's still saying it's using no certificates?  See image....


I'm utterly lost with the stupid thing! 

Offline stats2909

Re: Certificate manager and generating public keys
« Reply #14 on: December 28, 2017, 01:48:01 pm »
I take that back!


The browser (Chrome) is still showing the red 'Not Secure' warning.

but clicking into the certificate it is valid with a green tick :)

Why would the browser not be green?  Other servers I've got running are!

So odd!