NETGEAR is aware of a growing number of phone and online scams. To learn how to stay safe click here.

Forum Discussion

beezer's avatar
beezer
Apprentice
Apr 27, 2019
Solved

WC7500 SSL Certificate is hacked!

(This is actually for the WC7500 but the drop-down won't let me select that) I have a very strange self-signed SSL cert on my wc7500. I cannot replace it, b/c the system wants something that is n...
  • beezer's avatar
    beezer
    Oct 16, 2019

    Well, after all this time, the "solution" is that they have a firmware upgrade (6.5.5.18) that provides a *different* self-signed certificate in response to a TLS request.

     

    You still cannot use PKI.

    The documentation for the WC7500 certificate page still says "This page lets you to add certificates to WC7500." (not English)

    The documentation for the Password field still says "This is the password for WC7500 Certificates" (certificates don't have passwords)

    The documentation for the Controller Key field still says "Enter the Controller Key", etc. (not even slightly helpful)

    If you tell it to boot or update "now" it schedules it for some time in the future or past, depending on your current offset from GMT.

     

    This firmware is such a hack on its surface it is impossible to trust that it is appropriate, in terms of security, reliability, or functionality, to use in any professional environment.

schumaku's avatar
schumaku
Guru - Experienced User
Apr 27, 2019

Why hacked? All WC are coming form the factory with a self-signed certificate, which is suggested to be replaced. Provide details ...

 

Wireless Controller User Manual Models WC7500, WC7600, WC7600v2, and WC9500 p.114 ff., Manage Certificates

 

Controller Key is most likely) the private key.

Controller Certificate is a certificate without the private key and without an unlock password.

  • beezer's avatar
    beezer
    Apprentice
    Apr 28, 2019

    Apparently the graphic doesn't show in my post. If not hacked, at least suspicious and no way I can trust it:

     

    E = Support@firetide.com

    CN = Dexter

    OU = Engineering

    O = Firetide Inc.

    L = Bangalore

    S = Karnataka

    C = IN

     

    I tried a PEM with just the private key for the Controller Key and it won't validate  (Validation of Controller Key/Cert/CA Cert failed). 

    • schumaku's avatar
      schumaku
      Guru - Experienced User
      Apr 28, 2019

      Stick to 2048 bits, nothing "exotic" like EC and the like, and upload all three.

      • beezer's avatar
        beezer
        Apprentice
        Apr 29, 2019

        No, not elyptical... I'm using Base64 encode; does it only work with HEX?

         

        The cert is generated by a Windows CA, so there is a template, EKU server code, etc. If those are a problem, I'll need a cookbook to do this the non-MS way.

         

        The -----BEGIN RSA PRIVATE KEY----- is just a blob of 2048 bits, so it's not interesting (and I really don't want to publish a private key).

         

        Here is the ASN for the certificate:

         

        and here for the CA:

         

NETGEAR Academy

Boost your skills with the Netgear Academy - Get trained, certified and stay ahead with the latest Netgear technology! 

Join Us!

ProSupport for Business

Comprehensive support plans for maximum network uptime and business peace of mind.

 

Learn More