beezer
Apr 27, 2019, Apprentice
WC7500 SSL Certificate is hacked!
(This is actually for the WC7500 but the drop-down won't let me select that)
I have a very strange self-signed SSL cert on my wc7500. I cannot replace it, b/c the system wants something that is n...
- Oct 16, 2019
Well, after all this time, the "solution" is that they have a firmware upgrade (6.5.5.18) that provides a *different* self-signed certificate in response to a TLS request.
You still cannot use PKI.
The documentation for the WC7500 certificate page still says "This page lets you to add certificates to WC7500." (not English)
The documentation for the Password field still says "This is the password for WC7500 Certificates" (certificates don't have passwords)
The documentation for the Controller Key field still says "Enter the Controller Key", etc. (not even slightly helpful)
If you tell it to boot or update "now" it schedules it for some time in the future or past, depending on your current offset from GMT.
This firmware is such a hack on its surface it is impossible to trust that it is appropriate, in terms of security, reliability, or functionality, to use in any professional environment.
beezer
Apr 29, 2019, Apprentice
No, not elliptical... I'm using Base64 encode; does it only work with HEX?
The cert is generated by a Windows CA, so there is a template, EKU server code, etc. If those are a problem, I'll need a cookbook to do this the non-MS way.
The -----BEGIN RSA PRIVATE KEY----- is just a blob of 2048 bits, so it's not interesting (and I really don't want to publish a private key).
Here is the ASN for the certificate:
and here for the CA:
schumaku
Apr 29, 2019, Guru - Experienced User
RaghuHR please some insight - ref. the default WC SSL certificate, and on the (poorly [read: not] documented) requirements to install a user provided certificate generated on a Microsoft PKI.
- RaghuHR, May 02, 2019, NETGEAR Expert
Hi beezer
We have to clearly understand use case here.
Few questions please:
Why do you need SSL certificate to be changed?
Are you using internal RADIUS server?
What are all the certificates that you are trying to install in controller?
Thanks,
Raghu
- schumaku, May 02, 2019, Guru - Experienced User
Sorry for capturing:
RaghuHR wrote:
We have to clearly understand use case here.
Why do you need SSL certificate to be changed?
ROFL ... think about it ... why does one install certificates, why does a business maintain its own Microsoft CA, ...?
And confirm, we're in the Business Solutions area of the community, correct?
RaghuHR wrote:
What are all the certificates that you are trying to install in controller?
Microsoft CA/PKI generated 2k certificates and root/subordinate CA cert I'd say.
RaghuHR wrote:
We have to clearly understand use case here.
Why do you need SSL certificate to be changed?
What are all the certificates that you are trying to install in controller?
May I have some questions, too?
How was this certificate coming to the customer's controller?
Is this the factory default one?
Not sure I should laugh or cry RaghuHR ...
- beezer, May 02, 2019, Apprentice
I don't want to appear sarcastic or resentful, but you appear to be asking for a use case for SSL. Is it Netgear policy to obtain justification for use of a feature before explaining how it works?
Because you asked, though:
1) We are at a sub-contracting office, working on systems in which the government specifies standards for infrastructure security. In particular, all switches and hardware with thin client management interfaces MUST NOT supply credentials or configuration in clear text without SSL/TLS. There is explicitly no exception for isolated or locally secured networks. We are permitted to satisfy this requirement by using SSL to configure routers and NAS. We do not wish to publish a certificate to all potential clients for this one switch, especially one that is clearly suspicious (would YOU want all your clients to trust DEXTER from Bangalore?).
2) We are not using RADIUS at this time.
3-a) The suspicious certificate for DEXTER from Bangalore CAME ON THE WC7500 OUT OF THE BOX. The WC7500 was purchased new from a reputable wholesaler, so the best case is that it was returned as unopened but was in fact returned used and resold as new, or there is some joker in QA at Netgear.
3-b) As implied in all the above, we want to install a trusted SSL certificate without explicitly trusting it in all potential clients (including clients at sub-contractors who manage our networks). We therefore want to install an SSL that will be trusted by any client that trusts our CA.
Again, apologies for what appears to be a condescending tone here; perhaps you need to re-ask your question so I can give a more pertinent answer... ?
- beezer, May 02, 2019, Apprentice
Really???
Yes, I am trying to install both a trusted root cert and an SSL cert, but the REQUIREMENT is only that the units present (and, obviously, have the private key for) an SSL cert. The (anemic, poorly documented) interface MAKES me use all three files. The (wholly inadequate) error messages do not make clear why the ones I am using are unacceptable or what error is occurring.