NickyDoes
Aug 09, 2024 Tutor
Failures installing SSL certificate for TLS 1.2 (HTTPS) on M4300-52G-PoE+
Background: M4300-52G-PoE+ v12.0.17.19, B1.0.0.17, current as of this writing.
SSL certificate installation appears to be extremely rigid with insufficient detail in guides and manuals, and insufficient failure feedback.
Steps to reproduce:
1. Disable HTTPS (Security | Access | HTTPS | HTTPS Configuration). Apply.
2. Delete existing certificate (Security | Access | HTTPS | Certificate Management): Delete Certificates. Apply.
The following steps are performed from Maintenance | Upgrade | HTTP File Upgrade.
3. Upload the trusted root certificate chain for the certificate authority (CA) in PEM format. (Trusted Root certificate PEM File)
4. Upload the server certificate issued by the CA in PEM format. (Server Certificate PEM File)
5. Upload the 2048 bit DH parameters. (2048-bit Encryption Parameter PEM File)
- Observe that all were accepted by the HTTP UPGRADE process (this is not 'upgrade'. It's an upload).
6. Verify a certificate has been installed (Security | Access | HTTPS | Certificate Management): "Certificate Present: Yes"
7. Enable HTTPS (inverse of step 1).
8. Visit the secure admin web interface from a clean browser profile (https://<switch name as configured in certificate>:443)
- Observe that the certificate is not trusted.
- Explore the cert details. Observe the cert issuer is NETGEAR, and not the local CA referenced in Step 3.
Why is this so difficult for NETGEAR to simplify, document, and get right?
You can secure the HTTPS interface with signed certificates, though the process is obscure, and even Netgear support may not know how.
This solution was adapted from shocksolution.com
Step 1: Prepare SSL/TLS Certificate Files
The M4200/4300 requires two `.pem` files:
First PEM File
This file must include, in this order:
- The private key.
- The server certificate.
- Chain or bundle certificates.
Example:
```
-----BEGIN RSA PRIVATE KEY-----
(the private key)
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
(the server certificate)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(chain certificate 1)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(chain certificate 2+, if present)
-----END CERTIFICATE-----
```
Second PEM File
This file contains the Certificate Authority’s (CA’s) root certificate. Download it from the CA (e.g., for your pfSense internal CA, download from Certificate > Authorities). For the pfSense cert:
Step 2: Uploading SSL/TLS Certificates to the Switch
Disable HTTPS
In the web interface:
- Go to Security > Access > HTTPS > HTTPS Configuration
- Set Admin Mode to Disable
Upload via HTTP
In the web interface:
- Go to Maintenance > Upgrade > HTTP File Upgrade
- Select File Type "SSL Server Certificate PEM File"
- Browse to the first PEM file created in Step 1.
- Click Apply.
- Select File Type "SSL Trusted Root Certificate PEM File"
- Browse to the second PEM file created in Step 1.
- Click Apply.
Note: Uploading via TFTP follows a parallel procedure.
Step 3: Configure for Secure HTTPS Access
In the web interface:
- Go to Security > Access > HTTPS > Certificate Management.
If Step 2 was successful, Certificate Present should show Yes.
- Go to Security > Access > HTTPS > HTTPS Configuration.
- Enable Admin Mode
- Verify the HTTPS Port (the default port for HTTPS is 443).
- Click Apply.
Test the certificate installation by browsing to the web interface using HTTPS://.
After you are sure HTTPS is working correctly, optionally disable HTTP access.
Troubleshooting
Note: You may need to upload DH (also called Diffie-Hellman) parameters. NETGEAR supports 1024-bit and 2048-bit DH parameter files.
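Added example, not part of the original post or any NETGEAR tooling: a pre-upload check in Python that the two PEM files from Step 1 have the block layout described above (private key first, then server certificate and chain; root file holding certificates only). It checks layout only, not that the key matches the certificate; the function names and sample blocks are constructed, and accepting a `PRIVATE KEY` label alongside the page's `RSA PRIVATE KEY` is an assumption.

```python
import re

# One well-formed PEM block: BEGIN line, body, END line with the same label.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n.+?\r?\n-----END \1-----", re.DOTALL)
# The page's example uses RSA PRIVATE KEY; the PKCS#8 label is an assumption.
KEY_LABELS = {"RSA PRIVATE KEY", "PRIVATE KEY"}

def pem_labels(text):
    """Return the labels of all well-formed PEM blocks, in file order."""
    return [m.group(1) for m in PEM_BLOCK.finditer(text)]

def _well_formed(text, labels):
    """True when every BEGIN marker belongs to a complete block on its own lines."""
    return bool(labels) and text.count("-----BEGIN ") == len(labels)

def check_server_bundle(text):
    """First PEM file: private key, server certificate, then chain certificates."""
    labels = pem_labels(text)
    if not _well_formed(text, labels):
        return ["malformed or missing PEM block"]
    problems = []
    if labels[0] not in KEY_LABELS:
        problems.append(f"first block is {labels[0]}, expected the private key")
    rest = labels[1:] if labels[0] in KEY_LABELS else labels
    if "CERTIFICATE" not in rest:
        problems.append("no server certificate after the private key")
    problems += [f"unexpected {l} block after the private key position"
                 for l in rest if l != "CERTIFICATE"]
    return problems

def check_root_file(text):
    """Second PEM file: CA certificate(s) only, never key material."""
    labels = pem_labels(text)
    if not _well_formed(text, labels):
        return ["malformed or missing PEM block"]
    return [f"unexpected {l} block in trusted root file"
            for l in labels if l != "CERTIFICATE"]

def _block(label, body="Q09OU1RSVUNURUQ="):
    # Constructed placeholder body, not real key or certificate material.
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

GOOD_BUNDLE = _block("RSA PRIVATE KEY") + _block("CERTIFICATE") + _block("CERTIFICATE")
CERT_ONLY = _block("CERTIFICATE")  # a certificate uploaded without its key

if __name__ == "__main__":
    print("good bundle:", check_server_bundle(GOOD_BUNDLE))
    print("cert only  :", check_server_bundle(CERT_ONLY))
    print("root file  :", check_root_file(CERT_ONLY))
```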
2 Replies
Note that the Activate Certificate radio button described in the manual is not present under "Security | Access | HTTPS | Certificate Management".
This is true whether HTTPS is ACTIVE or INACTIVE.