Fibre Channel (SAN)

Occasional Contributor
Posts: 5
Registered: 05-16-2012

Import Self Signed Certificate

We have a Brocade switch 5100B running 6.4.2. We would like to replace the SSL certificate with a self-signed one.

1) Generate the key.

openssl genrsa -aes256 -out PSANFCSW1.key 2048
*** Passphrase entered is 1234


2) Sign the CSR

root@Host:/var/tmp/softwares# openssl x509 -req -days 3650 -sha1 -in fcsw.csr -signkey myswitch.key -out myswitch.crt
Signature ok
subject=/C=US/ST=California/L=San Jose/O=Brocade/\OU=Eng/CN=192.1.2.3
Getting Private key
Enter pass phrase for myswitch.key:

When I come to the switch to do the import, I always get the bad format error.


myswitch:admin>
myswitch:admin> seccertutil import -config swcert -enable https -protocol SCP -ipaddr 10.16.224.251 -remotedir /D: -certname myswitch.crt -login apop_wqh
apop_wqh's password:
Bad format certificate. Exiting..
myswitch:admin>

Occasional Contributor
Posts: 19
Registered: 04-07-2011

Re: Import Self Signed Certificate

Hi,

I am not sure why you create a key on your host?

I have created a key pair on the switch first and after that I have created the certificate signing request (CSR) on the switch. Next step was to obtain from CA the certificates which you want to create on your own.

Next step was to import it.

The admin guide will explain the required steps.

I hope this helps,

Andreas

Occasional Contributor
Posts: 5
Registered: 05-16-2012

Re: Import Self Signed Certificate

We are using a self-signed certificate. We also noted that we have renamed the .crt file to a .pem file in order to get seccertutil to import it successfully. However, we notice that as long as we do this the weblinker crashes. If we reboot the switch it will go to single user mode.

I was wondering whether openssl self signed certificate is supported.

New Member
Posts: 1
Registered: 05-07-2014

Re: Import Self Signed Certificate

I am having the same problem for some reason. It is only occurring with a 6.4.1 switch I have. According to the admin guide .crt files are acceptable. My other 3 switches accept the .crt files no problem. I generate the key and csr from the switch. Did you ever find a solution for this?

New Contributor
Posts: 3
Registered: 02-05-2015

Re: Import Self Signed Certificate

Did you ever figure out how to import your self-signed cert?

We are also trying to import a cert where the private key and csr did not originate on the switch. 

Valued Contributor
Posts: 761
Registered: 06-11-2010

Re: Import Self Signed Certificate

Hi,

What I did to import a self-signed certificate was the following:

In order to create a self-generated certificate, you can try the following (root credentials required):

SWITCH:root> openssl req -x509 -nodes -days 365 -sha1 -in /etc/fabos/certs/sw0/10.164.60.31.csr -key /etc/fabos/certs/sw0/pvt_key -out 10.164.60.31.pem

SWITCH:root> ls -la
total 24
drwxr-xr-x 2 root root 4096 Sep 17 14:25 ./
drwxr-xr-x 3 root root 4096 Sep 17 14:15 ../
-rw-r--r-- 1 root root 1468 Sep 17 14:24 10.164.60.31.pem

Once created, you have to copy it to an FTP server and then import it to the switch.

SWITCH:root> seccertutil import -config swcert -enable https
Select protocol [ftp or scp]: ftp
Enter IP address: 151.12.60.137
Enter remote directory: /
Enter certificate name (must have ".crt" or ".cer" ".pem" or ".psk" suffix):10.164.60.31.pem
Enter Login Name: anonymous
Enter Password:
Success: imported certificate [10.164.60.31.pem].
Certificate file in configuration has been updated.
Secure http has been enabled.

SWITCH:root> seccertutil show
ssl private key: Exists
List of certificate files:
10.164.60.31.pem

SWITCH:root>

Hope you find it of use,

Felipon

New Contributor
Posts: 3
Registered: 02-05-2015

Re: Import Self Signed Certificate

I think this would work for me, but I'm sorry, excuse my ignorance as I am new to these switches.

I do not see the openssl command in Admin mode. How do I get into Root mode?

New Contributor
Posts: 3
Registered: 02-05-2015

Re: Import Self Signed Certificate

DOH, never mind, realized I just need to log in as root.

Next question.

In my case, the entire CERT process is being done on another server.  So the KEY does not exist on the switch and I get an error when running the seccertutil command (even though the key is actually in the same .pem file):

unable to load Private Key
9295:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:644:Expecting: ANY PRIVATE KEY
WARNING : Invalid switch certificate.

So, I manually copied the key over to the switch and named it pvt_key.  Now the seccertutil does work.

Is there a way to get the cert AND key using the seccertutil?

Bottom line is I am trying to save steps because I have to do this on hundreds of switches and wanted to go ahead and manually copy the cert over at the same time as I am copying the key and then simply start https service.

So the question is if I manually copy over the cert and key, how do I start the https service?  In other words, exactly what is the seccertutil doing besides importing the cert?
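
The error quoted above is OpenSSL's PEM reader saying that the file it was handed contains no "-----BEGIN ... PRIVATE KEY-----" line at all, which is what happens when the key never reached the switch's pvt_key path, or when a file holding only the certificate is put there. The script below is an added example, not code from this thread or from Brocade: it lists the PEM blocks in a file and splits a combined cert-plus-key file into a certificate file and a separate pvt_key, refusing when the key block is absent. The combined sample it builds is constructed, with placeholder text where the base64 bodies would be, and the 192.0.2.10 name is made up.

```shell
#!/bin/sh
# pem_inspect.sh: report which PEM blocks a file holds and split a combined
# cert+key file into the two files the switch expects. Added example; POSIX sh
# and awk only, no openssl needed, so it runs on any admin host.

# Print the type of every PEM block in file $1, one per line
# (e.g. CERTIFICATE, RSA PRIVATE KEY, CERTIFICATE REQUEST).
pem_types() {
    awk '/^-----BEGIN / { sub(/^-----BEGIN /, ""); sub(/-----.*$/, ""); print }' "$1"
}

# Copy the first block of type $2 from file $1 to stdout, BEGIN/END lines
# included. Exit status 1 when the file has no such block.
pem_extract() {
    awk -v want="$2" '
        $0 == ("-----BEGIN " want "-----") { inblk = 1 }
        inblk { print }
        $0 == ("-----END " want "-----")   { found = 1; exit }
        END { exit (found ? 0 : 1) }' "$1"
}

# True when file $1 holds any "... PRIVATE KEY" block. OpenSSL looks for the
# same start line before it reports "no start line ... Expecting: ANY PRIVATE KEY".
pem_has_private_key() {
    pem_types "$1" | grep -q 'PRIVATE KEY$'
}

# Split combined file $1 into $2/$3.pem (certificate only) and $2/pvt_key
# (private key only, PKCS#1 "RSA PRIVATE KEY" or PKCS#8 "PRIVATE KEY").
# Returns 1 if either block is missing, so a cert-only file is never installed
# as pvt_key.
pem_split_for_switch() {
    src=$1; dst=$2; name=$3
    pem_extract "$src" CERTIFICATE > "$dst/$name.pem" || { echo "no CERTIFICATE block in $src" >&2; return 1; }
    if pem_extract "$src" "RSA PRIVATE KEY" > "$dst/pvt_key" || pem_extract "$src" "PRIVATE KEY" > "$dst/pvt_key"; then
        chmod 600 "$dst/pvt_key"
    else
        rm -f "$dst/pvt_key"
        echo "no private key block in $src (this is what 'Expecting: ANY PRIVATE KEY' means)" >&2
        return 1
    fi
}

# Constructed sample input: certificate followed by key in one file, as a
# host-side workflow produces. The bodies are placeholders, not key material;
# awk only looks at the BEGIN/END lines.
make_sample_combined() {
    cat > "$1" <<'EOF'
-----BEGIN CERTIFICATE-----
MIIBPLACEHOLDERCERTIFICATEBODY
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
MIIEPLACEHOLDERKEYBODY
-----END RSA PRIVATE KEY-----
EOF
}

# Stand-alone demo: split the sample, then show that the certificate file on
# its own would be rejected as pvt_key.
demo() {
    tmp=$(mktemp -d)
    make_sample_combined "$tmp/combined.pem"
    echo "blocks in combined.pem:"; pem_types "$tmp/combined.pem"
    pem_split_for_switch "$tmp/combined.pem" "$tmp" 192.0.2.10 && echo "wrote 192.0.2.10.pem and pvt_key"
    pem_has_private_key "$tmp/192.0.2.10.pem" || echo "192.0.2.10.pem has no private key: do not copy it as pvt_key"
    rm -rf "$tmp"
}
demo
```

Run it with sh pem_inspect.sh to see the demo. To check a real file before copying it to the switch, source the script and call pem_has_private_key on the file you intend to install as pvt_key; a non-zero result means seccertutil will fail exactly as shown in the post above.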
Occasional Contributor
Posts: 16
Registered: 02-09-2004

Re: Import Self Signed Certificate

I have four Brocade 5100s with v6.4.3h and I tried your steps.

While importing it says failed to import.... but file gets copied into the switch and it shows the file while using "seccertutil show" command.

And it does not enable https.

Is there anything that needs to be done before following your steps?

New Contributor
Posts: 2
Registered: 06-02-2011

Re: Import Self Signed Certificate

Actually, you can do the entire thing on the switch (no need to copy and ftp from a different server). You HAVE to be root to make this work.

1) Generate Key Pairs:
SWITCH:root> seccertutil genkey -keysize 1024
Generating a new key pair will automatically do the following:
1. Delete all existing CSRs.
2. Delete all existing certificates.
3. Reset the certificate filename to none.
4. Disable secure protocols.

Continue (yes, y, no, n): [no] y
Generating new rsa public/private key pair
Done.

2) Generate CSR file:

SWITCH:root> seccertutil gencsr
Country Name (2 letter code, eg, US):<country>
State or Province Name (full name, eg, California):<state>
Locality Name (eg, city name):<city>
Organization Name (eg, company name):<companyname>
Organizational Unit Name (eg, department name):<department>
Common Name (Fully qualified Domain Name, or IP address):<IPaddress>
Generating CSR, file name is: <IPaddress>.csr
Done.

3) Generate Self-Signed Cert:

SWITCH:root> openssl req -x509 -nodes -days <days> -sha1 -in /etc/fabos/certs/sw0/<IPaddress>.csr -key /etc/fabos/certs/sw0/pvt_key -out /tmp/<IPaddress>.pem

## This will create the file in the "/tmp" directory on the switch.

4) Import and enable HTTPS:

SWITCH:root> seccertutil import -config swcert -enable https

Select protocol [ftp or scp]: scp
Enter IP address: localhost
Enter remote directory: /tmp
Enter certificate name (must have ".crt" or ".cer" ".pem" or ".psk" suffix):<IPaddress>.pem
Enter Login Name: root
root@localhost's password:<root's-passwd>
Success: imported certificate [<IPaddress>.pem].
Certificate file in configuration has been updated.
Secure http has been enabled.

I hope this helps someone out there. It took a long time and many webpages of research to put this together. This should be something Brocade has in their documentation.

OBLIGATORY NOTE: This requires the use of the root account. Mistakes while under this account can be catastrophic. Use the above at your own risk. I make no guarantees or promises that what worked for me will work for you. Use your own judgement as to what commands to run in your environment.

Good luck and warm wishes,

Robert
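
The on-switch sequence above produces three things that have to agree: the key in /etc/fabos/certs/sw0/pvt_key, the CSR made from it, and a certificate whose public key is that key's public half. When the key and CSR are made on another host instead, as several people in this thread did, a mismatch or a wrong file name only shows up at import time. The script below is an added example, not code from the thread or from Brocade's documentation: it runs on an admin host with the openssl CLI, generates a throwaway key, CSR and self-signed certificate by the same CSR-signed-with-its-own-key method, and then checks the suffix seccertutil asks for, the key-to-certificate match, and the self-signature before anything is copied. It uses 2048-bit RSA and SHA-256 rather than the 1024-bit keys and -sha1 in the posts; whether a given FOS 6.4 release accepts those is not something this thread settles. The subject fields and the 192.0.2.10 common name are constructed.

```shell
#!/bin/sh
# selfsigned_precheck.sh: build a self-signed certificate from a CSR and verify
# the pieces before they are handed to seccertutil. Added example; needs the
# openssl CLI on the admin host. Subject values and the 192.0.2.10 CN are constructed.

# seccertutil's import prompt accepts only these suffixes.
cert_name_ok() {
    case "$1" in
        *.crt|*.cer|*.pem|*.psk) return 0 ;;
        *) return 1 ;;
    esac
}

# Create pvt_key, <cn>.csr and <cn>.pem in directory $1 for common name $2,
# valid for $3 days (default 365). The key is written unencrypted because the
# switch reads pvt_key without a passphrase prompt. 2048-bit RSA and SHA-256
# are used here instead of the 1024-bit/SHA-1 values seen in the posts.
gen_selfsigned() {
    dir=$1; cn=$2; days=${3:-365}
    openssl genrsa -out "$dir/pvt_key" 2048 2>/dev/null &&
    chmod 600 "$dir/pvt_key" &&
    openssl req -new -key "$dir/pvt_key" \
        -subj "/C=US/ST=California/L=San Jose/O=Example/OU=SAN/CN=$cn" \
        -out "$dir/$cn.csr" 2>/dev/null &&
    openssl x509 -req -days "$days" -sha256 -in "$dir/$cn.csr" \
        -signkey "$dir/pvt_key" -out "$dir/$cn.pem" 2>/dev/null
}

# Does certificate $1 carry the public half of private key $2? Compares the
# RSA moduli, so a key generated on a different host (the mismatch in this
# thread) is caught before anything reaches the switch.
key_matches_cert() {
    c=$(openssl x509 -noout -modulus -in "$1" 2>/dev/null) || return 1
    k=$(openssl rsa -noout -modulus -in "$2" 2>/dev/null) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Is certificate $1 self-signed (issuer equals subject) and does its signature
# verify with its own public key?
cert_is_selfsigned() {
    s=$(openssl x509 -noout -subject -in "$1" 2>/dev/null) || return 1
    i=$(openssl x509 -noout -issuer -in "$1" 2>/dev/null) || return 1
    [ "${s#subject=}" = "${i#issuer=}" ] && openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

# Run every check an import can trip over; one line per check, status 1 on any failure.
precheck() {
    cert=$1; key=$2; rc=0
    cert_name_ok "$(basename "$cert")" && echo "ok   suffix" || { echo "FAIL suffix must be .crt/.cer/.pem/.psk"; rc=1; }
    key_matches_cert "$cert" "$key" && echo "ok   key matches certificate" || { echo "FAIL key does not match certificate"; rc=1; }
    cert_is_selfsigned "$cert" && echo "ok   self-signed, signature verifies" || { echo "FAIL not a valid self-signed certificate"; rc=1; }
    return $rc
}

# Stand-alone demo: generate a throwaway set, check it, then show the mismatch
# case with a key that was generated separately.
demo() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found; nothing to demonstrate" >&2; return 0; }
    tmp=$(mktemp -d)
    gen_selfsigned "$tmp" 192.0.2.10 365 || return 1
    precheck "$tmp/192.0.2.10.pem" "$tmp/pvt_key"
    openssl genrsa -out "$tmp/host.key" 2048 2>/dev/null
    key_matches_cert "$tmp/192.0.2.10.pem" "$tmp/host.key" || echo "host.key does not belong to 192.0.2.10.pem (expected)"
    rm -rf "$tmp"
}
demo
```

For a real switch, run precheck against the certificate you intend to upload and the pvt_key it is supposed to pair with (fetched from the switch, or the one you are about to copy there); all three lines must read ok before seccertutil import has any chance of enabling https.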
