NETGEAR is aware of a growing number of phone and online scams. To learn how to stay safe click here.

Forum Discussion

beezer's avatar
beezer
Apprentice
Apr 27, 2019
Solved

WC7500 SSL Certificate is hacked!

(This is actually for the WC7500 but the drop-down won't let me select that) I have a very strange self-signed SSL cert on my wc7500. I cannot replace it, b/c the system wants something that is n...
  • beezer's avatar
    beezer
    Oct 16, 2019

    Well, after all this time, the "solution" is that they have a firmware upgrade (6.5.5.18) that provides a *different* self-signed certificate in response to a TLS request.

     

    You still cannot use PKI.

    The documentation for the WC7500 certificate page still says "This page lets you to add certificates to WC7500." (not English)

    The documentation for the Password field still says "This is the password for WC7500 Certificates" (certificates don't have passwords)

    The documentation for the Controller Key field still says "Enter the Controller Key", etc. (not even slightly helpful)

    If you tell it to boot or update "now" it schedules it for some time in the future or past, depending on your current offset from GMT.

     

    This firmware is such a hack on its surface it is impossible to trust that it is appropriate, in terms of security, reliability, or functionality, to use in any professional environment.

beezer's avatar
beezer
Apprentice
Apr 28, 2019

Apparently the graphic doesn't show in my post. If not hacked, at least suspicious and no way I can trust it:

 

E = Support@firetide.com

CN = Dexter

OU = Engineering

O = Firetide Inc.

L = Bangalore

S = Karnataka

C = IN

 

I tried a PEM with just the private key for the Controller Key and it won't validate  (Validation of Controller Key/Cert/CA Cert failed). 

schumaku's avatar
schumaku
Guru - Experienced User
Apr 28, 2019

Stick to 2048 bits, nothing "exotic" like EC and the like, and upload all three.

  • beezer's avatar
    beezer
    Apprentice
    Apr 29, 2019

    No, not elyptical... I'm using Base64 encode; does it only work with HEX?

     

    The cert is generated by a Windows CA, so there is a template, EKU server code, etc. If those are a problem, I'll need a cookbook to do this the non-MS way.

     

    The -----BEGIN RSA PRIVATE KEY----- is just a blob of 2048 bits, so it's not interesting (and I really don't want to publish a private key).

     

    Here is the ASN for the certificate:

     

    and here for the CA:

     

    • schumaku's avatar
      schumaku
      Guru - Experienced User
      Apr 29, 2019

      RaghuHR  please some insight - ref. the default WC SSL certificate, and on the (poorly [read: not] documented) requirements to install a user provided certificate generated on a Microsoft PKI.

      • RaghuHR's avatar
        RaghuHR
        NETGEAR Expert
        May 02, 2019

        Hi beezer 

         

        We have to clearly understand use case here.

        Few questions please:

        Why do you need SSL certificate to be changed ?

        Are you using internal radius server ?

        What are all the certificates that you are trying to install in controller ?

         

        Thanks,

        Raghu

NETGEAR Academy

Boost your skills with the Netgear Academy - Get trained, certified and stay ahead with the latest Netgear technology! 

Join Us!

ProSupport for Business

Comprehensive support plans for maximum network uptime and business peace of mind.

 

Learn More