Setup HTTPS SSL access on a Netgear GS724T switch

UPDATE: I was only able to get this to work with a dh512 key on some switches.

I want to be able to manage my switches remotely, and login to them using SSL for security.

Note: A lot of this OpenSSL info was gleaned from here. A lot of this TFTP info was gleaned from here.

We need to generate a key and self-signed certificate, and then we need to serve up those two files with a tftp server so the switch can download them.

Generate the key/cert:

  • openssl genrsa -out privkey.pem 1024
  • openssl req -new -x509 -key privkey.pem -out certificate.pem -days 3650 # be sure to make your "Common Name" equal the name (hostname, fqdn) of your switch.
  • cat privkey.pem >> certificate.pem
  • openssl dhparam -out dh1024.pem 1024 # or 512
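The four commands above are interactive (the `req` step prompts for the subject fields) and give you no feedback on whether the Common Name really matches your switch's hostname or whether the key you appended belongs to the certificate. The script below is an added example, not part of the original post: it runs the same generation steps non-interactively with `-subj` so the CN is set explicitly, and adds two checks on the resulting certificate.pem bundle. It assumes `openssl` is on your PATH; the hostname `sw01.example.internal` in the comments is a placeholder.

```shell
#!/bin/sh
# Added example (not from the original post). Builds the certificate.pem bundle
# the switch expects (cert + private key in one file) and checks it before it
# goes anywhere near the TFTP root. Assumes: openssl on PATH.

# make_switch_bundle HOST OUTDIR [BITS]
# Same steps as the post, but -subj sets CN=HOST without prompting.
make_switch_bundle() {
  host="$1"; out="$2"; bits="${3:-1024}"
  mkdir -p "$out" || return 1
  openssl genrsa -out "$out/privkey.pem" "$bits" 2>/dev/null || return 1
  openssl req -new -x509 -key "$out/privkey.pem" -out "$out/certificate.pem" \
      -days 3650 -subj "/CN=$host" 2>/dev/null || return 1
  # The post's "cat privkey.pem >> certificate.pem": the bundle now holds the
  # private key, so keep it owner-readable until it is copied to the switch.
  cat "$out/privkey.pem" >> "$out/certificate.pem"
  chmod 600 "$out/privkey.pem" "$out/certificate.pem"
}

# make_dhparam OUTDIR [BITS]  (the post's dh1024.pem; use 512 where 1024 fails)
make_dhparam() {
  out="$1"; bits="${2:-1024}"
  openssl dhparam -out "$out/dh$bits.pem" "$bits" 2>/dev/null
}

# bundle_cn FILE -> prints the CN of the first certificate in FILE
bundle_cn() {
  sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' "$1" \
    | openssl x509 -noout -subject -nameopt RFC2253 \
    | sed 's/^subject= *CN=//'
}

# bundle_key_matches FILE -> 0 when the private key in FILE belongs to the cert
bundle_key_matches() {
  certpub=$(sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' "$1" \
              | openssl x509 -noout -pubkey)
  keypub=$(sed -n '/-----BEGIN .*PRIVATE KEY-----/,/-----END .*PRIVATE KEY-----/p' "$1" \
             | openssl pkey -pubout 2>/dev/null)
  [ -n "$certpub" ] && [ "$certpub" = "$keypub" ]
}

# check_bundle FILE HOST -> 0 only if CN == HOST and the key matches the cert
check_bundle() {
  [ "$(bundle_cn "$1")" = "$2" ] && bundle_key_matches "$1"
}

# Usage (placeholder hostname):
#   make_switch_bundle sw01.example.internal ./out 1024
#   make_dhparam ./out 1024
#   check_bundle ./out/certificate.pem sw01.example.internal && echo bundle ok
```

Run `check_bundle` against the name you will actually type into the browser; if it fails on the CN, regenerate rather than uploading, because the switch cannot tell you why a browser later refuses the connection.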

Create and run TFTP server on Ubuntu:

  • sudo apt-get update && sudo apt-get install tftp tftpd xinetd
  • Create a file at /etc/xinetd.d/tftp with this content:
    service tftp
    {
        protocol        = udp
        port            = 69
        socket_type     = dgram
        wait            = yes
        user            = nobody
        server          = /usr/sbin/in.tftpd
        server_args     = /tftpboot
        disable         = no
    }
  • Restart xinetd with:
    sudo /etc/init.d/xinetd restart
  • We’ll serve files out of a root dir called /tftpboot/, so mkdir and chown/chmod it:
    sudo mkdir /tftpboot
    sudo chmod -R 777 /tftpboot
    sudo chown -R nobody /tftpboot
  • Move your certificate.pem and dh1024.pem files into that dir with:
    mv dh1024.pem /tftpboot/ && mv certificate.pem /tftpboot/

Download the files into your switch:

  • In your switch’s HTTP interface, head to Security -> HTTPS -> Certificate Download.
  • Put in the IP of your Ubuntu TFTP server and the name of the file to download.
  • Upload certificate.pem as your “SSL Server certificate PEM file”.
  • Upload dh1024.pem as your “SSL DH Strong Encryption parameter PEM file”.

Now enable HTTPS on your switch and reboot and enjoy!

After you’re done with your TFTP server, you probably want to edit /etc/xinetd.d/tftp, change “disable = no” to “disable = yes”, and restart xinetd again so you don’t keep serving your private key (it is inside certificate.pem, and TFTP has no authentication) to anyone who asks for it.


2 thoughts on “Setup HTTPS SSL access on a Netgear GS724T switch”

  1. I spent some time trying to get this set up on my switch. I used a Windows certificate authority Web Server template customized with sha512 2048 bit RSA key and it works just fine.
    I requested the certificate via my management PC (Windows 8.1). Exported the issued certificate and private key then converted the PFX to PEM format. Uploaded it via TFTP as per your instructions. I then exported my root CA key as Base64 encoded .CER format and uploaded it (didn’t balk at the non .PEM format).
    Finally I enabled HTTPS and rebooted as per your instructions. All is well in Chrome and Firefox.
