https://community.extremenetworks.com/t5/extremeswitching-other/install-new-certificate-on-voss-9-2/m-p/118691#M4254 <P>Fabric Engine supports&nbsp;<SPAN>SHA256 for certificates. It's just the CSR are SH1 based. If you generate a CSR you can load it to a computer where openssl is in place and expose the details like this<BR /><STRONG>openssl req -noout -text -in switch-1.csr</STRONG><BR /><BR /></SPAN></P><P><SPAN>The CA sign the certificate and determinate which signing hashing will be used. By default is using OpenSSL&nbsp;sha256WithRSAEncryption. Also here you can expose the details like this<BR /><STRONG>openssl x509 -noout -text -in switch-1.pem</STRONG><BR /></SPAN></P><P>I made a document describing all the certificate related topics on our Fabric Engine (attached).</P> Fri, 09 May 2025 06:23:35 GMT Markus_Nikulski 2025-05-09T06:23:35Z https://community.extremenetworks.com/t5/extremeswitching-other/install-new-certificate-on-voss-9-2/m-p/118688#M4253 <P>I am trying to install a new certificate on a VOSS 9.2 switch and I believe v9.1 onwards supports SHA256. When I use these commands to generate a CSR and sign it with our internal CA using OpenSSL, MS Edge displays an "unsupported certificate format" error, so I assume it's still SHA1.</P><P>Anyone any ideas if SHA256 is indeed supported in VOSS 9.2, or are there other commands ?</P><P>The commands I used are:</P><P>no certificate generate-keypair</P><P>certificate generate-keypair type rsa size 2048</P><P>show certificate key-name</P><P>certificate subject common-name TESTSWITCH<BR />certificate subject e-mail ADMIN@ABC.COM<BR />certificate subject unit IT<BR />certificate subject organization ABC<BR />certificate subject locality GLA<BR />certificate subject country GB<BR />certificate subject province NA<BR />certificate subject-alternative-name dns TESTSWITCH<BR />certificate subject-alternative-name dns TESTSWITCH@ABC.COM</P> Thu, 08 May 2025 07:12:28 GMT https://community.extremenetworks.com/t5/extremeswitching-other/install-new-certificate-on-voss-9-2/m-p/118688#M4253 dabbler 2025-05-08T07:12:28Z https://community.extremenetworks.com/t5/extremeswitching-other/install-new-certificate-on-voss-9-2/m-p/118691#M4254 <P>Fabric Engine supports&nbsp;<SPAN>SHA256 for certificates. It's just the CSR are SH1 based. If you generate a CSR you can load it to a computer where openssl is in place and expose the details like this<BR /><STRONG>openssl req -noout -text -in switch-1.csr</STRONG><BR /><BR /></SPAN></P><P><SPAN>The CA sign the certificate and determinate which signing hashing will be used. By default is using OpenSSL&nbsp;sha256WithRSAEncryption. Also here you can expose the details like this<BR /><STRONG>openssl x509 -noout -text -in switch-1.pem</STRONG><BR /></SPAN></P><P>I made a document describing all the certificate related topics on our Fabric Engine (attached).</P> Fri, 09 May 2025 06:23:35 GMT https://community.extremenetworks.com/t5/extremeswitching-other/install-new-certificate-on-voss-9-2/m-p/118691#M4254 Markus_Nikulski 2025-05-09T06:23:35Z https://community.extremenetworks.com/t5/extremeswitching-other/install-new-certificate-on-voss-9-2/m-p/118694#M4255 <P>Hi Markus,</P><P>Thanks a lot for the docs, I'll try again from scratch and see how it goes, but it looks like I was on the right track. Using Firefox works fine with the certs I generated, it's just MS Edge that displays this error. The cert and CA looks good, I can't see what</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="dabbler_0-1746798462029.png" style="width: 400px;"><img src="https://community.extremenetworks.com/t5/image/serverpage/image-id/8836i17334B7F6CF81B5A/image-size/medium?v=v2&amp;px=400" role="button" title="dabbler_0-1746798462029.png" alt="dabbler_0-1746798462029.png" /></span></P><P>Maybe going off topic here, but Wireshark displays this:</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="dabbler_1-1746798542467.png" style="width: 400px;"><img src="https://community.extremenetworks.com/t5/image/serverpage/image-id/8837iC30EE3CA50A5832A/image-size/medium?v=v2&amp;px=400" role="button" title="dabbler_1-1746798542467.png" alt="dabbler_1-1746798542467.png" /></span>The root CA is installed OK, I can't see what the problem is. Our organisation uses MS Edge as standard, so I can't tell them to just use Firefox <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P><P>&nbsp;</P><P>&nbsp;</P> Fri, 09 May 2025 13:50:05 GMT https://community.extremenetworks.com/t5/extremeswitching-other/install-new-certificate-on-voss-9-2/m-p/118694#M4255 dabbler 2025-05-09T13:50:05Z https://community.extremenetworks.com/t5/extremeswitching-other/install-new-certificate-on-voss-9-2/m-p/118696#M4256 <P>Please be aware that an MSFT computer has three certificate stores. And Firefox uses the one in addition.</P> Mon, 12 May 2025 06:13:39 GMT https://community.extremenetworks.com/t5/extremeswitching-other/install-new-certificate-on-voss-9-2/m-p/118696#M4256 Markus_Nikulski 2025-05-12T06:13:39Z https://community.extremenetworks.com/t5/extremeswitching-other/install-new-certificate-on-voss-9-2/m-p/118697#M4257 <P>That's right, we do have Microsoft PKI but are not using that just now. We are using an OpenSSL generated root certificate to directly sign the switch certificates. I added the root certificate into the trusted root CA store in Windows under the computer account and also into Firefox's root CA store.<BR />When I double click the switch.crt file on my Windows machine, I can view it and it validates to the root no problem so I don't think it's the validation process, although feel free to correct me on that.</P> Mon, 12 May 2025 07:16:56 GMT https://community.extremenetworks.com/t5/extremeswitching-other/install-new-certificate-on-voss-9-2/m-p/118697#M4257 dabbler 2025-05-12T07:16:56Z