Wired Intelligent Edge (Campus Switching and Routing)

Occasional Contributor II

Switches management certificate - add subject alternative name?

Hi,

Got a few different 5412/3810 switches I'm putting in for a customer. I'm just creating the CSRs now so the management session for each switch is signed by the customer's CA.

I notice there’s no option to add a SAN (subject alternative name) in the CSR.

Without that, Chrome starts moaning; only IE accepts it. But going forward most browsers will want that SAN information in the certificate.

Anyone know how to add this to the CSR?
Occasional Contributor II

Re: Switches management certificate - add subject alternative name?

Yes, it's annoying that there isn't any option to add a SAN from the switch; that is still true of the latest code released for the 2930F.

Have you tried something like the below? It may be a bit long-winded but potentially could be done. Whilst I've not done it, I'd be interested if you succeed!

https://blog.keyfactor.com/using-an-ea-certificate-to-re-sign-csrs-to-add-correct-san-information

MVP Expert

Re: Switches management certificate - add subject alternative name?

You need to ask for the option on the Innovate platform! ( https://innovate.arubanetworks.com/ )
MVP Guru

Re: Switches management certificate - add subject alternative name?

If you are pulling in external tools anyway, it may make sense to use one like openssl to generate the keypair and CSR instead of using the switch.

The benefit is that you can probably create the multiple keypairs and CSRs in a single run, instead of needing to generate those on each switch. When you have the certificates signed, you can upload them with the key to the switch. An exception could be if you require the key to be generated on the switch and never leave it. On the other hand, if you run the process externally, you have a backup of the key material.

 

It is a matter of personal preference though.

 

For larger deployments, you may have a look if EST (Enrollment over Secure Transport) may be a better way to get certificates on your switches.

Occasional Contributor II

Re: Switches management certificate - add subject alternative name?

Yes, I did start to look at EST, although Microsoft Certificate Authority doesn't support this out of the box by the looks of it, so that could be a pain.

 

However EST seems to be supported now (16.09 on the 2930F at least), I'd be really interested if anyone has managed to get this up and working?

https://h20628.www2.hp.com/km-ext/kmcsdirect/emr_na-a00076262en_us-1.pdf - Chapter 33 of ASG for 16.09

Occasional Contributor II

Re: Switches management certificate - add subject alternative name?

I didn't think that would work for these switches? The CSR created on the switch needs to be the one which is signed. I've tried creating the CSR in a Windows environment, signing it, then importing the CSR and signed cert into the switch, and it just moans because the original CSR wasn't used.

Happy to try OpenSSL if you think it could be different than the above?
MVP Expert

Re: Switches management certificate - add subject alternative name?


@redford1980 wrote:
I didn't think that would work for these switches? The CSR created on the switch needs to be the one which is signed. I've tried creating the CSR in a Windows environment, signing it, then importing the CSR and signed cert into the switch, and it just moans because the original CSR wasn't used.

Happy to try OpenSSL if you think it could be different than the above?

You also need to import the private key for the "openssl" CSR...
Frequent Contributor I

Re: Switches management certificate - add subject alternative name?

I used a Windows CA to sign a switch CSR and just added the SAN fields in the options on the CA without issue.
Occasional Contributor II

Re: Switches management certificate - add subject alternative name?

That's interesting. How did you add the SAN options to the CSR? The switch didn't moan that extra fields appeared when it received the signed certificate text?
Frequent Contributor I

Re: Switches management certificate - add subject alternative name?

I generated a CSR on the switch using the identity profile with all the subject information, including the FQDN of the switch as the CN. I then copied and pasted the CSR into the MS CA and added the SAN fields in the attributes box as follows:

san:dns=dns.name[&dns=dns.name]

 

Here is more info: https://support.microsoft.com/en-us/help/931351/how-to-add-a-subject-alternative-name-to-a-secure-ldap-certificate

 

I then uploaded the cert to the switch for whatever use I need it for.

 

Make sure your CA is in the trust list for your browser.
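The external-tool route suggested earlier in the thread (generate the keypair and CSR with openssl, have the CA sign it, then load key and certificate onto the switch) and the pre-upload checks that the Windows CA approach above also calls for, as an added example that is not part of any post in this thread. It works because the SAN is an extension: a CSR can only request it, and the CA decides what actually goes into the issued certificate, which is why setting the SAN on the CA side works even when the switch's own CSR has none. The hostnames, organisation name and the throwaway issuing CA are made up for the example; the CA only stands in for the customer's CA, and the switch-side upload commands are left out because they are platform-specific and not given in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): build per-switch keypairs and CSRs that
# carry a subjectAltName with openssl, sign them with a throwaway CA that stands in
# for the customer's CA, and check the issued certificate before uploading key and
# certificate to the switch. Hostnames, organisation and CA names are made up.
# Needs OpenSSL 1.1.1 or newer for "req -addext".
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Key + CSR for one switch. $1 = switch FQDN (becomes the CN and the first
# dNSName); remaining args are extra SAN entries in openssl syntax
# (DNS:short-name, IP:10.0.0.1). Prints the CSR path.
make_csr() {
    fqdn="$1"; shift
    san="DNS:$fqdn"
    for entry in "$@"; do san="$san,$entry"; done
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$WORK/$fqdn.key" -out "$WORK/$fqdn.csr" \
        -subj "/O=Example Customer Ltd/CN=$fqdn" \
        -addext "subjectAltName=$san" 2>/dev/null
    echo "$WORK/$fqdn.csr"
}

# SAN line of a CSR ($1 = req) or certificate ($1 = x509); empty if absent.
san_of() {
    openssl "$1" -in "$2" -noout -text |
        awk '/X509v3 Subject Alternative Name/ { getline; sub(/^[ \t]+/, ""); print; exit }'
}

# Throwaway issuing CA standing in for the customer's CA (example only).
make_ca() {
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 30 \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" \
        -subj "/O=Example Customer Ltd/CN=Example Issuing CA" 2>/dev/null
}

# Sign a CSR ($1). As with the Windows CA in the thread, the CA sets the SAN
# itself ($2, openssl syntax) instead of copying whatever the CSR asked for.
# Prints the certificate path.
sign_csr() {
    crt="${1%.csr}.crt"
    printf 'subjectAltName=%s\nextendedKeyUsage=serverAuth\n' "$2" > "$WORK/ext.cnf"
    openssl x509 -req -in "$1" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 365 -sha256 -extfile "$WORK/ext.cnf" -out "$crt" 2>/dev/null
    echo "$crt"
}

# Pre-upload checks: the private key ($1) belongs to the certificate ($2), the
# certificate chains to the CA, and the SAN names the switch ($3).
# Returns 0 only if all three hold.
check_pair() {
    [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = "$(openssl x509 -in "$2" -noout -pubkey)" ] || return 1
    openssl verify -CAfile "$WORK/ca.crt" "$2" >/dev/null 2>&1 || return 1
    san_of x509 "$2" | grep -q "DNS:$3" || return 1
}

# Run the whole flow for a list of switches in one go.
demo() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; return 0; }
    make_ca
    for sw in core-5412.example.net edge-3810.example.net; do
        short="${sw%%.*}"
        csr=$(make_csr "$sw" "DNS:$short")
        echo "$sw CSR SAN: $(san_of req "$csr")"
        crt=$(sign_csr "$csr" "DNS:$sw,DNS:$short")
        if check_pair "$WORK/$sw.key" "$crt" "$sw"; then
            echo "$sw: key, chain and SAN OK -> upload $WORK/$sw.key and $crt"
        else
            echo "$sw: checks FAILED, do not upload" >&2
        fi
    done
}

demo
```

Run it with no arguments to see one CSR and certificate per switch land in a temporary directory; the private key never touches the switch until `check_pair` has confirmed that it matches the certificate, that the certificate chains to the CA, and that the switch's FQDN is present in the SAN. Keep the `.key` files as carefully as the switch configs, since anyone holding them can impersonate the management interface.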
