Install new certificate on VOSS 9.2

dabbler
New Contributor III

I am trying to install a new certificate on a VOSS 9.2 switch and I believe v9.1 onwards supports SHA256. When I use these commands to generate a CSR and sign it with our internal CA using OpenSSL, MS Edge displays an "unsupported certificate format" error, so I assume it's still SHA1.

Anyone any ideas if SHA256 is indeed supported in VOSS 9.2, or are there other commands?

The commands I used are:

no certificate generate-keypair

certificate generate-keypair type rsa size 2048

show certificate key-name

certificate subject common-name TESTSWITCH
certificate subject e-mail ADMIN@ABC.COM
certificate subject unit IT
certificate subject organization ABC
certificate subject locality GLA
certificate subject country GB
certificate subject province NA
certificate subject-alternative-name dns TESTSWITCH
certificate subject-alternative-name dns TESTSWITCH@ABC.COM

4 REPLIES

Markus_Nikulski
Extreme Employee

Fabric Engine supports SHA256 for certificates. It's just that the CSRs are SHA1-based. If you generate a CSR, you can load it onto a computer where openssl is in place and expose the details like this:
openssl req -noout -text -in switch-1.csr

The CA signs the certificate and determines which signing hash will be used. By default, OpenSSL uses sha256WithRSAEncryption. Here, too, you can expose the details like this:
openssl x509 -noout -text -in switch-1.pem

I made a document describing all the certificate related topics on our Fabric Engine (attached).
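The point made in the reply above, as an added example that is not part of the original post or of the vendor's documentation: a throwaway CA signs a SHA-1 CSR, and the issued certificate carries the digest the CA chose. It assumes the `openssl` CLI is installed and still permits SHA-1 request signing; the CA name, subject and file names are constructed.

```shell
#!/usr/bin/env bash
# Added example: the certificate's signature hash is chosen by the CA,
# not inherited from the CSR. All names and files below are constructed.
set -eu

# Print the signature algorithm of a CSR ("req") or a certificate ("x509").
sig_alg() {
  openssl "$1" -noout -text -in "$2" | awk '/Signature Algorithm:/ {print $3; exit}'
}

demo() {
  d=$(mktemp -d)
  # Constructed stand-in for the internal root CA (self-signed).
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -subj "/CN=Example Root CA" -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
  # Constructed stand-in for the switch: a CSR deliberately signed with SHA-1.
  openssl req -new -newkey rsa:2048 -nodes -sha1 \
    -subj "/CN=switch-1" -keyout "$d/switch-1.key" -out "$d/switch-1.csr" 2>/dev/null
  # The CA signs the request; -sha256 here is the CA's choice of digest.
  openssl x509 -req -in "$d/switch-1.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
    -CAcreateserial -sha256 -days 30 -out "$d/switch-1.pem" 2>/dev/null
  echo "csr=$(sig_alg req "$d/switch-1.csr") cert=$(sig_alg x509 "$d/switch-1.pem")"
  rm -rf "$d"
}

demo
```
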

Hi Markus,

Thanks a lot for the docs, I'll try again from scratch and see how it goes, but it looks like I was on the right track. Using Firefox works fine with the certs I generated, it's just MS Edge that displays this error. The cert and CA look good, I can't see what

[screenshot]

Maybe going off topic here, but Wireshark displays this:

[screenshot]

The root CA is installed OK, I can't see what the problem is. Our organisation uses MS Edge as standard, so I can't tell them to just use Firefox 🙂

Please be aware that an MSFT computer has three certificate stores. And Firefox uses one in addition.

That's right, we do have Microsoft PKI but are not using that just now. We are using an OpenSSL-generated root certificate to directly sign the switch certificates. I added the root certificate into the trusted root CA store in Windows under the computer account and also into Firefox's root CA store.
When I double-click the switch.crt file on my Windows machine, I can view it and it validates to the root no problem, so I don't think it's the validation process, although feel free to correct me on that.
