Switches management certificate - add subject alternative name?

  • 1.  Switches management certificate - add subject alternative name?

    Posted Sep 24, 2019 06:41 AM
    Hi,

    Got a few different 5412/3810 switches I'm putting in for a customer. I'm just creating the CSRs now so the management session for each switch is signed by the customer's CA.

    I notice there’s no option to add a SAN (subject alternative name) in the CSR.

    Without that Chrome starts moaning, only IE accepts it. But going forward most browsers will want that SAN information in the certificate.

    Anyone know how to add this to the CSR?


  • 2.  RE: Switches management certificate - add subject alternative name?

    Posted Sep 24, 2019 10:58 AM

    Yes, it's annoying that there isn't any option to add a SAN from the switch; that is still true of the latest code released for the 2930F.

    Have you tried something like this below? It may be a bit long-winded but potentially could be done - whilst I've not done it, I'd be interested if you succeed!

    https://blog.keyfactor.com/using-an-ea-certificate-to-re-sign-csrs-to-add-correct-san-information



  • 3.  RE: Switches management certificate - add subject alternative name?

    MVP GURU
    Posted Sep 24, 2019 06:08 PM

    Need to ask for that option on the Innovate platform! (https://innovate.arubanetworks.com/)



  • 4.  RE: Switches management certificate - add subject alternative name?
    Best Answer

    EMPLOYEE
    Posted Sep 25, 2019 03:43 AM

    If you are pulling in external tools, it may make sense to use an external tool like openssl to generate the keypair and CSR with that tool instead of using the switch.


    Benefit is that you can probably create the multiple keypairs and CSRs in a single run, instead of needing to generate those on each switch. When you have the certificates signed, you can upload them with the key to the switch. An exception could be if you require the key to be generated and never leave the switch. On the other hand, if you run the process externally, you have a backup of the key material. 


    It is a matter of personal preference though.


    For larger deployments, you may have a look if EST (Enrollment over Secure Transport) may be a better way to get certificates on your switches.
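    The external workflow this reply describes, as an added example that is not from the thread or from HPE Aruba: a POSIX shell script that uses openssl to produce a private key and a SAN-bearing CSR for every switch in one run, and prints each CSR's SAN so it can be checked before the CSR goes to the CA. The hostnames, DN fields and IP address are constructed; the signed certificate and the matching .key file are then uploaded to the switch together.

```shell
# Added example, not from the thread: one keypair and one CSR per switch via
# openssl, each CSR carrying a subjectAltName, so the signed cert satisfies
# Chrome.  Key and signed cert are later uploaded to the switch together.
set -eu
# Emit an openssl req config.  $1 = FQDN (CN and first DNS SAN), $2 = optional
# extra SAN entry, e.g. "IP:10.0.0.2" or "DNS:core01".  Names are constructed.
make_req_config() {
  fqdn="$1"; alt="${2:-}"
  san="DNS:${fqdn}"
  if [ -n "$alt" ]; then san="${san},${alt}"; fi
  cat <<EOF
[ req ]
distinguished_name = dn
req_extensions     = v3_req
prompt             = no
[ dn ]
C  = GB
O  = Example Customer Ltd
CN = ${fqdn}
[ v3_req ]
subjectAltName = ${san}
EOF
}
# Write <fqdn>.key and <fqdn>.csr into directory $3 and print the CSR path.
gen_csr() {
  fqdn="$1"; alt="${2:-}"; out="${3:-.}"
  make_req_config "$fqdn" "$alt" > "$out/$fqdn.cnf"
  openssl req -new -newkey rsa:2048 -nodes -config "$out/$fqdn.cnf" \
    -keyout "$out/$fqdn.key" -out "$out/$fqdn.csr" 2>/dev/null
  chmod 600 "$out/$fqdn.key"   # the key now exists off-switch: restrict it
  echo "$out/$fqdn.csr"
}
# Print the SAN line of a CSR so it can be checked before it goes to the CA.
csr_san() {
  openssl req -in "$1" -noout -text |
    awk '/Subject Alternative Name/ { getline; sub(/^ */, ""); print }'
}
# Batch run over a constructed inventory, one "fqdn extra-san" pair per line.
main() {
  command -v openssl >/dev/null 2>&1 || { echo "openssl not found"; return 0; }
  dir=$(mktemp -d)
  printf '%s\n' 'core-5412.example.net DNS:core-5412' \
                'agg-3810-01.example.net IP:10.0.0.2' |
  while read -r fqdn alt; do
    csr=$(gen_csr "$fqdn" "$alt" "$dir")
    echo "$csr -> $(csr_san "$csr")"
  done
}
main
```

Feed each .csr to the CA, then upload the returned certificate with its .key file to the corresponding switch; the .key files should be treated as secrets once they exist outside the switch.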



  • 5.  RE: Switches management certificate - add subject alternative name?

    Posted Sep 25, 2019 03:50 AM

    Yes, I did start to look at EST, although Microsoft Certificate Authority doesn't support this out of the box by the looks of it, so that could be a pain.


    However, EST seems to be supported now (16.09 on the 2930F at least). I'd be really interested if anyone has managed to get this up and working?

    https://h20628.www2.hp.com/km-ext/kmcsdirect/emr_na-a00076262en_us-1.pdf - Chapter 33 of ASG for 16.09



  • 6.  RE: Switches management certificate - add subject alternative name?

    Posted Sep 25, 2019 04:09 AM
    I didn’t think that would work for these switches? The CSR created on the switch needs to be the one which is signed ... I’ve tried creating the CSR in a Windows environment, signing it then importing the CSR and signed cert into the switch - it just moans because the original CSR wasn’t used.

    Happy to try OpenSSL if you think it could be different than the above?


  • 7.  RE: Switches management certificate - add subject alternative name?

    MVP GURU
    Posted Sep 25, 2019 04:06 PM

    @redford1980 wrote:
    I didn’t think that would work for these switches? The CSR created on the switch needs to be the one which is signed ... I’ve tried creating the CSR in a Windows environment, signing it then importing the CSR and signed cert into the switch - it just moans because the original CSR wasn’t used.

    Happy to try OpenSSL if you think it could be different than the above?

    You also need to import the private key for the "openssl" CSR...



  • 8.  RE: Switches management certificate - add subject alternative name?

    Posted Sep 25, 2019 04:40 PM
    I used a Windows CA to sign a switch CSR and just added the SAN fields in the options on the CA without issue.


  • 9.  RE: Switches management certificate - add subject alternative name?

    Posted Sep 25, 2019 04:50 PM
    That’s interesting - how did you add the SAN options to the CSR? The switch didn’t moan that extra fields appeared when it received a signed certificate text?


  • 10.  RE: Switches management certificate - add subject alternative name?

    Posted Sep 25, 2019 06:28 PM

    I generated a CSR on the switch using the identity profile with all the subject information, including the FQDN of the switch as the CN. I then copied and pasted the CSR into the MS CA and added the SAN fields in the attributes box as follows:

    san:dns=dns.name[&dns=dns.name]


    Here is more info: https://support.microsoft.com/en-us/help/931351/how-to-add-a-subject-alternative-name-to-a-secure-ldap-certificate


    I then uploaded the cert to the switch for whatever use I need it for.


    Make sure your CA is in the trust list for your browser.