Monthly Archives: March 2014

Setup HTTPS SSL access on a Netgear GS724T switch

UPDATE: I was only able to get this to work with a dh512 key on some switches.

I want to be able to manage my switches remotely, and login to them using SSL for security.

Note: A lot of this OpenSSL info was gleaned from here. A lot of this TFTP info was gleaned from here.

We need to generate a key and self-signed certificate, and then we need to serve up those two files with a tftp server so the switch can download them.

Generate the key/cert:

  • openssl genrsa -out privkey.pem 1024
  • openssl req -new -x509 -key privkey.pem -out certificate.pem -days 3650 # be sure to make your "Common Name" equal the name (hostname, FQDN) of your switch
  • cat privkey.pem >> certificate.pem
  • openssl dhparam -out dh1024.pem 1024 # or 512
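The same key/cert steps as a non-interactive script, plus a check that the combined PEM actually holds a certificate, its matching private key, and the right Common Name before it goes anywhere near the TFTP root. This is an added example, not from the original post; the function names and the switch1.example.lan hostname are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes openssl is installed.
set -eu

# make_switch_cert HOST DIR: write privkey.pem and certificate.pem (cert followed
# by the key, the combined file the switch expects) into DIR with CN=HOST.
make_switch_cert() {
    host=$1; dir=$2
    mkdir -p "$dir"
    # umask 077 keeps the bare private key file readable by this user only
    (umask 077 && openssl genrsa -out "$dir/privkey.pem" 1024 2>/dev/null)
    openssl req -new -x509 -key "$dir/privkey.pem" -out "$dir/certificate.pem" \
        -days 3650 -subj "/CN=$host" 2>/dev/null
    # the combined file now carries the private key too; treat it like one
    cat "$dir/privkey.pem" >> "$dir/certificate.pem"
}

# pem_block FILE TYPE: print the first PEM block whose label contains TYPE
# (matches both "RSA PRIVATE KEY" and the PKCS#8 "PRIVATE KEY" label).
pem_block() {
    sed -n "/^-----BEGIN .*$2-----\$/,/^-----END .*$2-----\$/p" "$1"
}

# check_switch_cert FILE HOST: return 0 if FILE holds a certificate plus the
# private key that matches it, and the certificate CN equals HOST; else 1.
check_switch_cert() {
    file=$1; host=$2
    cert=$(pem_block "$file" CERTIFICATE)
    key=$(pem_block "$file" "PRIVATE KEY")
    [ -n "$cert" ] && [ -n "$key" ] || return 1
    # a cert and key belong together iff their RSA moduli are identical
    cert_mod=$(printf '%s\n' "$cert" | openssl x509 -noout -modulus)
    key_mod=$(printf '%s\n' "$key" | openssl rsa -noout -modulus 2>/dev/null)
    [ "$cert_mod" = "$key_mod" ] || return 1
    # RFC 2253 output looks like "subject=CN=switch1.example.lan[,...]"
    subj=$(printf '%s\n' "$cert" | openssl x509 -noout -subject -nameopt RFC2253)
    case "$subj" in
        *"CN=$host") return 0 ;;
        *"CN=$host,"*) return 0 ;;
        *) return 1 ;;
    esac
}
```

Run make_switch_cert with your switch's hostname and a scratch directory, then check_switch_cert on the resulting certificate.pem with the same hostname; a non-zero exit means the file is not what the switch will accept.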

Create and run TFTP server on Ubuntu:

  • sudo apt-get update && sudo apt-get install tftp tftpd xinetd
  • Create the file /etc/xinetd.d/tftp with this content (xinetd needs the braces around the service body):
    service tftp
    {
        protocol        = udp
        port            = 69
        socket_type     = dgram
        wait            = yes
        user            = nobody
        server          = /usr/sbin/in.tftpd
        server_args     = /tftpboot
        disable         = no
    }
  • Restart xinetd with: sudo /etc/init.d/xinetd restart
  • We’ll serve files out of a root dir called /tftpboot/, so mkdir and chown/chmod it:
    sudo mkdir /tftpboot
    sudo chmod -R 777 /tftpboot
    sudo chown -R nobody /tftpboot
  • Move your certificate.pem and dh1024.pem files into that dir with: mv dh1024.pem /tftpboot/ && mv certificate.pem /tftpboot/

Download the files into your switch:

  • In your switch’s HTTP interface, head to: Security -> HTTPS -> Certificate Download
  • Put in the IP of your Ubuntu TFTP server and the name of the file to download.
  • Upload certificate.pem as your “SSL Server certificate PEM file”.
  • Upload dh1024.pem as your “SSL DH Strong Encryption parameter PEM file”.

Now enable HTTPS on your switch and reboot and enjoy!

After you’re done with your TFTP server, you probably want to edit /etc/xinetd.d/tftp, change “disable = no” to “disable = yes”, and then restart xinetd again so you don’t continue to serve your keys to anyone.