Why can't I upload CRLs to the FVS336Gv3?
I have the following CRL:
I am trying to upload it to the FVS336G. I am getting the following error page:
As is plain to see, this CRL is a SHA1 CRL. I have tried uploading it in both PEM and DER formats. It uploads fine on every other device, and I have tried to upload numerous CRLs that are included with Windows 7 in the certificate store, and all of them produce the same error.
So is the device just not capable of this? It is apparently necessary, since all attempts to connect 2 FVS336Gv3 units together in certificate-based site-to-site configuration fail, with the logs reporting that a CRL cannot be found.
Re: Why can't I upload CRLs to the FVS336Gv3?
Firmware is latest version, multiple factory resets tried
Re: Why can't I upload CRLs to the FVS336Gv3?
You need to combine the root and intermediate certificates and save them as one file (reverse order), but do not include your CSR.
Re: Why can't I upload CRLs to the FVS336Gv3?
This is a self-signed CA, with no intermediate. So I assume just the root CA cert and the CRL should be in one file, and uploaded that way?
Re: Why can't I upload CRLs to the FVS336Gv3?
Never mind; that still doesn't work. I get the same error page. Here is the updated CRL:
    Certificate:
      data
        Version: 3 (0x2)
        Serial Number: e2:60:72:54:67:1b:37:37
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, ST=TN, O=org, OU=FVS, CN=FVS CA/emailAddress=fvs@fvs.co
        Validity
          Not Before: Nov 27 02:07:39 2016 GMT
          Not After : Nov 27 02:07:39 2019 GMT
        Subject: C=US, ST=TN, O=org, OU=FVS, CN=FVS CA/emailAddress=fvs@fvs.co
        Subject Public Key Info:
          Public Key Algorithm: rsaEncryption
          Public-Key: (1024 bit)
          Modulus: <HEX DATA>
          Exponent: 65537 (0x10001)
        X509v3 extensions:
          X509v3 Subject Key Identifier: 8D:78:B7:92:01:CD:19:44:E6:09:6C:2D:D0:43:8A:6F:E3:D4:EC:F9
          X509v3 Authority Key Identifier: keyid:8D:78:B7:92:01:CD:19:44:E6:09:6C:2D:D0:43:8A:6F:E3:D4:EC:F9
          X509v3 Basic Constraints: CA:TRUE
      Signature Algorithm: sha1WithRSAEncryption
      <HEX DATA>
    -----BEGIN CERTIFICATE-----
    <CERT DATA>
    <CERT DATA>
    <CERT DATA>
    <CERT DATA>
    <CERT DATA>
    <CERT DATA>
    <CERT DATA>
    <CERT DATA>
    -----END CERTIFICATE-----
I have tried reversing the order (cert first, then CRL). I keep getting this same error page......
Re: Why can't I upload CRLs to the FVS336Gv3?
Hi train_wreck,
Have you tried using other browsers like Firefox to upload the CRL?
From your initial post, it seems that you will be using certificate authentication for box-to-box VPN connection. Kindly check the link below and it might help:
Using certificates as authentication method for box to box VPN connection
Regards,
DaneA
NETGEAR Community Team
Re: Why can't I upload CRLs to the FVS336Gv3?
Yes Dane, I have tried Chrome, Firefox, and Internet Explorer from Windows 7 and Windows 10.
And the link you gave me doesn't even mention CRLs.........
Re: Why can't I upload CRLs to the FVS336Gv3?
Hi train_wreck,
I just want to follow up on this. I have re-read this forum thread and got a couple of questions below:
a. You mentioned that you have successfully uploaded the certificates to other devices. What are these devices? Does it include other ProSAFE firewall routers?
b. Where was the certificate generated from?
Regards,
DaneA
NETGEAR Community Team
Re: Why can't I upload CRLs to the FVS336Gv3?
A. There have been MANY other devices that this CRL has been uploaded to:
- Cisco RV320, 891/891F, ASA5505, ASA5506-X
- Mikrotik RB2011
- Ubiquiti Edgerouter Lite & Edgerouter 8
- D-Link DSR-250
All with no issues. I have 2 FVS336Gv3s and 1 FVS318Gv2, and none of the Netgears will accept it. Guys, there is nothing wrong with this CRL.
B. The CRL was generated using openssl on Linux. Here is a guide that matches exactly the steps I took to create the root CA, device certificates/keys, and CRL: https://datacenteroverlords.com/2012/03/01/creating-your-own-ssl-certificate-authority/
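Added example, not part of the original post or of NETGEAR's documentation: a pre-upload check with the openssl CLI that reports a CRL's encoding (PEM or DER) and signature algorithm and confirms it verifies against the CA certificate, so a rejection can be attributed to the device rather than to the file. The function names, the throwaway "Demo CA" and every file path are constructed for illustration.

```shell
#!/bin/sh
# Added example; function names and all generated files are constructed.

# Create a throwaway CA and an empty CRL in directory $1 (sample input only).
make_demo_ca() {
  d=$1
  mkdir -p "$d" && : > "$d/index.txt"
  cat > "$d/ca.cnf" <<EOF
[ req ]
distinguished_name = dn
[ dn ]
[ ca ]
default_ca = demo
[ demo ]
database = $d/index.txt
default_md = sha256
default_crl_days = 30
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 -config "$d/ca.cnf" \
    -subj "/CN=Demo CA" -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null &&
  openssl ca -gencrl -config "$d/ca.cnf" -keyfile "$d/ca.key" -cert "$d/ca.pem" \
    -out "$d/crl.pem" 2>/dev/null
}

# Print PEM or DER for a CRL file, judged by the PEM armor line.
crl_encoding() {
  if grep -q -e '-----BEGIN X509 CRL-----' "$1"; then echo PEM; else echo DER; fi
}

# check_crl CRL CA_CERT -> "<encoding> <signature algorithm> <verdict>"
check_crl() {
  form=$(crl_encoding "$1")
  alg=$(openssl crl -in "$1" -inform "$form" -noout -text 2>/dev/null |
        awk '/Signature Algorithm/ { print $3; exit }')
  [ -n "$alg" ] || { echo "$form - UNPARSEABLE"; return 1; }
  # Match the message rather than the exit status: some openssl releases
  # exit 0 even when the signature does not verify against the CA.
  if openssl crl -in "$1" -inform "$form" -CAfile "$2" -noout 2>&1 |
     grep -q 'verify OK'
  then echo "$form $alg ok"
  else echo "$form $alg NOT-VERIFIED"; return 1
  fi
}

# Script usage: sh check_crl.sh crl.pem ca.pem
if [ $# -eq 2 ]; then check_crl "$1" "$2"; fi
```

A DER copy for the second upload attempt can be produced with `openssl crl -in crl.pem -outform DER -out crl.der` and run through the same check.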
Re: Why can't I upload CRLs to the FVS336Gv3?
I believe that if the certificate is working on other products and is a good working certificate then it should work also on NETGEAR ProSAFE units. Looking back at the error message you have posted, if the certificate was not supported, a different message reporting invalid or not supported type message should be displayed, but it shows critical error.
With regard to this, I inquired your concern to a higher tier of NETGEAR Support. As per their response, it would be best that you open an online case with NETGEAR Support at any time. Kindly state your concern and attach the screenshot showing the error message and the CRL. This should be escalated to the engineering team for further investigation.
Regards,
DaneA
NETGEAR Community Team
Re: Why can't I upload CRLs to the FVS336Gv3?
I just want to follow up on this. Were you able to open an online case with NETGEAR Support about your concern? If yes, let us know about the progress of it.
Regards,
DaneA
NETGEAR Community Team
Re: Why can't I upload CRLs to the FVS336Gv3?
Nope. The unit is out of the free support period, and at this point the device is relegated to being pretty much a toy (too many shortcomings/inconsistencies to be used in production at my company), and as such isn't worth paying for support. I'm using it at my house right now, but am getting close to selling it seeing as this issue is preventing my RemoteAccess cert-based VPN from working.