NickyDoes
Aug 09, 2024
Solved

Failures installing SSL certificate for TLS 1.2 (HTTPS) on M4300-52G-PoE+

Background: M4300-52G-PoE+ v12.0.17.19, B1.0.0.17, current as of this writing.   SSL certificate installation appears to be extremely rigid with insufficient detail in guides and manuals, and insuf...
  • NickyDoes
    Aug 10, 2024

    You can secure the HTTPS interface with signed certificates, though the process is obscure, and even Netgear support may not know how.

    This solution was adapted from shocksolution.com

    Step 1: Prepare SSL/TLS Certificate Files

    The M4200/4300 requires two `.pem` files:

    First PEM File

    This file must include, in this order:

    1. The private key.
    2. The server certificate.
    3. Chain or bundle certificates.

    Example:

    -----BEGIN RSA PRIVATE KEY-----
    (the private key)
    -----END RSA PRIVATE KEY-----
    -----BEGIN CERTIFICATE-----
    (the server certificate)
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    (chain certificate 1)
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    (chain certificate 2+, if present)
    -----END CERTIFICATE-----

    Second PEM File:

    This file contains the Certificate Authority’s (CA’s) root certificate. Download it from the CA (e.g., for your pfSense internal CA, download from Certificate > Authorities). For the pfSense cert:

    Step 2: Uploading SSL/TLS Certificates to the Switch

    Disable HTTPS

    In the web interface:

    1. Go to Security > Access > HTTPS > HTTPS Configuration
    2. Set Admin Mode to Disable

    Upload via HTTP

    In the web interface:

    1. Go to Maintenance > Upgrade > HTTP File Upgrade
    2. Select File Type "SSL Server Certificate PEM File"
    3. Browse to the first PEM file created in Step 1.
    4. Click Apply.
    5. Select File Type "SSL Trusted Root Certificate PEM File"
    6. Browse to the second PEM file created in Step 1.
    7. Click Apply.

    Note: Uploading via TFTP follows a parallel procedure.

    Step 3: Configure for Secure HTTPS Access

    In the web interface:

    1. Go to Security > Access > HTTPS > Certificate Management.
      If Step 2 was successful, Certificate Present should show Yes
    2. Go to Security > Access > HTTPS > HTTPS Configuration.
    3. Enable Admin Mode
    4. Verify the HTTPS Port (the default port for HTTPS is 443).
    5. Click Apply.

    Test the certificate installation by browsing to the web interface using HTTPS://.

    After you are sure HTTPS is working correctly, optionally disable HTTP access.

    Troubleshooting

    Note: You may need to upload DH (also called Diffie-Hellman) parameters. NETGEAR supports 1024-bit and 2048-bit DH parameter files.
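
Added example (not part of the original post or of NETGEAR's documentation): a Python check that the two files from Step 1 have the block layout the post describes before they are uploaded. The function names and the sample blocks are constructed for illustration; the check covers block order and base64 integrity only, not whether the key matches the certificate.

```python
import base64
import binascii
import re

# One PEM block; the label is captured so the block order can be checked.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.S)


def pem_labels(text):
    """Return block labels in file order; raise ValueError on a damaged body."""
    labels = []
    for label, body in PEM_BLOCK.findall(text):
        # Lines with ':' are headers of legacy encrypted keys, not base64.
        payload = "".join(l.strip() for l in body.splitlines() if ":" not in l)
        try:
            base64.b64decode(payload, validate=True)
        except binascii.Error as exc:
            raise ValueError(f"{label} block is not valid base64") from exc
        labels.append(label)
    return labels


def check_server_pem(text):
    """First file from Step 1: private key, server certificate, then chain."""
    labels, problems = pem_labels(text), []
    if not labels or not labels[0].endswith("PRIVATE KEY"):
        problems.append("first block must be the private key")
    if "CERTIFICATE" not in labels[1:]:
        problems.append("no server certificate after the key")
    return problems


def check_root_pem(text):
    """Second file from Step 1: CA certificate only, never key material."""
    labels = pem_labels(text)
    if not labels:
        return ["no certificate block found"]
    return [f"unexpected {l} block" for l in labels if l != "CERTIFICATE"]


def sample_block(label):
    """Constructed PEM block with placeholder bytes (not real key material)."""
    body = base64.b64encode(b"constructed sample bytes").decode()
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


if __name__ == "__main__":
    print(check_server_pem(sample_block("RSA PRIVATE KEY") + sample_block("CERTIFICATE")))
```

An empty list from either function means the layout matches Step 1; a private key block reported by `check_root_pem` means the wrong file was selected for the trusted root upload.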
