Wired

last person joined: 17 minutes ago 

Bring performance and reliability to your network with the Aruba Core, Aggregation, and Access layer switches. Discuss the latest features and functionality of the ArubaOS-Switch and ArubaOS-CX devices, and find ways to improve security across your network to bring together a mobile first solution.
Expand all | Collapse all

Switches management certificate - add subject alternative name?

Jump to Best Answer
  • 1.  Switches management certificate - add subject alternative name?

    Posted Sep 24, 2019 06:41 AM
    Hi,

    Got a few different 5412/3810 switches I’m putting in for a customer. I’m just creating the CSRs now so the management session for each switch is signed to the customers CA.

    I notice there’s no option to add a SAN (subject alternative name) in the CSR.

    Without that Chrome starts moaning, only IE accepts it. But going forward most browsers will want that SAN information in the certificate.

    Anyone know how to add this to the CSR?


  • 2.  RE: Switches management certificate - add subject alternative name?

    Posted Sep 24, 2019 10:58 AM

    Yes its annoying that there isn't any option to add a SAN from the switch, that is still true of the latest code released for the 2930F.

    Have you tried something like this below?   It maybe a bit long winded but potentially could be done - whilst I've not done it, I'd be interested if you succeed!

    https://blog.keyfactor.com/using-an-ea-certificate-to-re-sign-csrs-to-add-correct-san-information



  • 3.  RE: Switches management certificate - add subject alternative name?

    Posted Sep 24, 2019 06:08 PM

    Need to ask the option to Innovate platform !  ( https://innovate.arubanetworks.com/ )



  • 4.  RE: Switches management certificate - add subject alternative name?
    Best Answer

    Posted Sep 25, 2019 03:43 AM

    If you are pulling in external tools, it may make sense to use an external tool like openssl to generate the keypair and CSR with that tool instead of using the switch.

     

    Benefit is that you can probably create the multiple keypairs and CSRs in a single run, instead of needing to generate those on each switch. When you have the certificates signed, you can upload them with the key to the switch. An exception could be if you require the key to be generated and never leave the switch. On the other hand, if you run the process externally, you have a backup of the key material. 

     

    It is a matter of personal preference though.

     

    For larger deployments, you may have a look if EST (Enrollment over Secure Transport) may be a better way to get certificates on your switches.



  • 5.  RE: Switches management certificate - add subject alternative name?

    Posted Sep 25, 2019 03:50 AM

    Yes, I did start to look at EST, although Microsoft Certificate Authority doesnt support this out of the box by the looks of it, so that could be a pain.

     

    However EST seems to be supported now (16.09 on the 2930F at least), I'd be really interested if anyone has managed to get this up and working?

    https://h20628.www2.hp.com/km-ext/kmcsdirect/emr_na-a00076262en_us-1.pdf - Chapter 33 of ASG for 16.09



  • 6.  RE: Switches management certificate - add subject alternative name?

    Posted Sep 25, 2019 04:09 AM
    I didn’t think that would work for these switches? The CSR created on the switch needs to be the one which is signed ... I’ve tried creating the CSR in a Windows environment, signing it then importing the CSR and signed cert into the switch - it just moans because the original CSR wasn’t used.

    Happy to try OpenSSL if you think it could be different than the above?


  • 7.  RE: Switches management certificate - add subject alternative name?

    Posted Sep 25, 2019 04:06 PM

    @redford1980 wrote:
    I didn’t think that would work for these switches? The CSR created on the switch needs to be the one which is signed ... I’ve tried creating the CSR in a Windows environment, signing it then importing the CSR and signed cert into the switch - it just moans because the original CSR wasn’t used.

    Happy to try OpenSSL if you think it could be different than the above?

    You need also to import private key for the "openssl" CSR...



  • 8.  RE: Switches management certificate - add subject alternative name?

    Posted Sep 25, 2019 04:40 PM
    I used a Windows CA to sign a switch CSR and just added the SAN fields in the options on the CA without issue.


  • 9.  RE: Switches management certificate - add subject alternative name?

    Posted Sep 25, 2019 04:50 PM
    That’s interesting - how did you add the SAN options to the CSR? The switch didn’t moan that extra fields appeared when it received a signed certificate text?


  • 10.  RE: Switches management certificate - add subject alternative name?

    Posted Sep 25, 2019 06:28 PM

    I generated a CSR on the switch using the identifty profile with all the subject information, including the FQDN of the switch as the CN. I then copied and pasted the CSR into the MS CA and added the SAN fields in the attibutes box as follows:

    san:dns=dns.name[&dns=dns.name]

     

    Here is more info: https://support.microsoft.com/en-us/help/931351/how-to-add-a-subject-alternative-name-to-a-secure-ldap-certificate

     

    I then uploaded the cert to the switch for whatever use I need it for.

     

    Make sure your CA is in the trust list for your browser.