Re: Why can't I upload CRLs to the FVS336Gv3?

train_wreck
Luminary

Why can't I upload CRLs to the FVS336Gv3?

I have the following CRL:


I am trying to upload it to the FVS336G. I am getting the following error page:

[screenshot: netgearerror.png]

As is plain to see, this CRL is a SHA1 CRL. I have tried uploading it in both PEM and DER formats. It uploads fine on every other device, and I have tried to upload numerous CRLs that are included with Windows 7 in the certificate store, and all of them produce the same error.

 

So is the device just not capable of this? It is apparently necessary, since all attempts to connect 2 FVS336Gv3 units together in certificate-based site-to-site configuration fail, with the logs reporting that a CRL cannot be found.

Model: FVS336Gv3|ProSafe dual WAN gigabit firewall with SSL and IPSec VPN
Message 1 of 12
train_wreck
Luminary

Re: Why can't I upload CRLs to the FVS336Gv3?

Firmware is latest version, multiple factory resets tried

Message 2 of 12
Rauder
Tutor

Re: Why can't I upload CRLs to the FVS336Gv3?

You need to combine the root and intermediate certificates and save them as one file (reverse order), but do not include your CSR.

Message 3 of 12
train_wreck
Luminary

Re: Why can't I upload CRLs to the FVS336Gv3?

This is a self-signed CA, with no intermediate. So I assume just the root CA cert and the CRL should be in one file, and uploaded that way?

Message 4 of 12
train_wreck
Luminary

Re: Why can't I upload CRLs to the FVS336Gv3?

Never mind; that still doesn't work. I get the same error page. Here is the updated CRL:


Certificate:
    data 
        Version: 3 (0x2)
        Serial Number:
            e2:60:72:54:67:1b:37:37
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, ST=TN, O=org, OU=FVS, CN=FVS CA/emailAddress=fvs@fvs.co
        Validity
            Not Before: Nov 27 02:07:39 2016 GMT
            Not After : Nov 27 02:07:39 2019 GMT
        Subject: C=US, ST=TN, O=org, OU=FVS, CN=FVS CA/emailAddress=fvs@fvs.co
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Modulus:
                    <HEX DATA>
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                8D:78:B7:92:01:CD:19:44:E6:09:6C:2D:D0:43:8A:6F:E3:D4:EC:F9
            X509v3 Authority Key Identifier: 
                keyid:8D:78:B7:92:01:CD:19:44:E6:09:6C:2D:D0:43:8A:6F:E3:D4:EC:F9

            X509v3 Basic Constraints: 
                CA:TRUE
    Signature Algorithm: sha1WithRSAEncryption
         <HEX DATA>
-----BEGIN CERTIFICATE-----
<CERT DATA>
<CERT DATA>
<CERT DATA>
<CERT DATA>
<CERT DATA>
<CERT DATA>
<CERT DATA>
<CERT DATA>
-----END CERTIFICATE-----

I have tried reversing the order (cert first, then CRL). I keep getting this same error page......

Message 5 of 12
DaneA
NETGEAR Employee Retired

Re: Why can't I upload CRLs to the FVS336Gv3?

Hi train_wreck,

Have you tried using other browsers like Firefox to upload the CRL?

From your initial post, it seems that you will be using certificate authentication for box-to-box VPN connection. Kindly check the link below and it might help:

Using certificates as authentication method for box to box VPN connection

Regards,

DaneA
NETGEAR Community Team

Message 6 of 12
train_wreck
Luminary

Re: Why can't I upload CRLs to the FVS336Gv3?

Yes Dane, I have tried Chrome, Firefox, and Internet Explorer from Windows 7 and Windows 10.

 

And the link you gave me doesn't even mention CRLs.........

Message 7 of 12
DaneA
NETGEAR Employee Retired

Re: Why can't I upload CRLs to the FVS336Gv3?

Hi train_wreck,

I just want to follow up on this. I have re-read this forum thread and have a couple of questions:

a. You mentioned that you have successfully uploaded the certificates to other devices. What are these devices? Do they include other ProSAFE firewall routers?

b. Where was the certificate generated from?

Regards,

DaneA
NETGEAR Community Team

Message 8 of 12
train_wreck
Luminary

Re: Why can't I upload CRLs to the FVS336Gv3?

A. There have been MANY other devices that this CRL has been uploaded to:

  • Cisco RV320, 891/891F, ASA5505, ASA5506-X
  • Mikrotik RB2011
  • Ubiquiti Edgerouter Lite & Edgerouter 8
  • D-Link DSR-250

All with no issues. I have 2 FVS336Gv3s and 1 FVS318Gv2, and none of the Netgears will accept it. Guys, there is nothing wrong with this CRL.

 

B. The CRL was generated using openssl on Linux. Here is a guide that matches exactly the steps I took to create the root CA, device certificates/keys, and CRL: https://datacenteroverlords.com/2012/03/01/creating-your-own-ssl-certificate-authority/

Message 9 of 12
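Neither the CRL posted in message 5 nor the openssl-generated CA from message 9 is ever checked against the other on a workstation in this thread. The script below is an added example (not from this thread, the linked guide, or NETGEAR) that runs the checks a firewall's CRL import has to perform before it can accept the file: PEM/DER detection, CRL issuer equal to the CA subject, and signature verification against the CA, reporting the signature algorithm and nextUpdate. It builds its own throwaway CA and empty CRL with openssl; the work directory, file names and subject are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the thread or NETGEAR: sanity-check a CRL with plain openssl
# before blaming the device. All file names and the throwaway CA are constructed.
set -eu

make_test_ca() {   # $1 = work dir: self-signed CA plus an empty CRL, as the openssl guide does
  printf '[ca]\ndefault_ca=d\n[d]\ndatabase=%s/index.txt\ndefault_md=sha256\n[req]\ndistinguished_name=dn\n[dn]\n' "$1" > "$1/ca.cnf"
  : > "$1/index.txt"
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/C=US/O=example/CN=Test CA" \
    -keyout "$1/ca.key" -out "$1/ca.pem" -config "$1/ca.cnf" 2>/dev/null
  openssl ca -gencrl -config "$1/ca.cnf" -cert "$1/ca.pem" -keyfile "$1/ca.key" \
    -md sha256 -crldays 30 -out "$1/crl.pem" 2>/dev/null
}

check_crl() {   # $1 = CA cert (PEM), $2 = CRL (PEM or DER); returns 0 only if the CRL is usable
  ca=$1; crl=$2
  if ! head -c 10 "$crl" | grep -q BEGIN; then          # DER upload: convert to PEM first
    openssl crl -inform DER -in "$crl" -out "$crl.pem" 2>/dev/null || { echo "not a DER CRL"; return 1; }
    crl="$crl.pem"
  fi
  alg=$(openssl crl -in "$crl" -noout -text | awk '/Signature Algorithm/ {print $3; exit}')
  issuer=$(openssl crl -in "$crl" -noout -issuer)
  subject=$(openssl x509 -in "$ca" -noout -subject)
  # the CRL issuer must equal the CA subject exactly, or the device cannot pair them
  [ "${issuer#issuer=}" = "${subject#subject=}" ] || { echo "issuer does not match CA subject"; return 1; }
  # the signature must verify with the CA key; grep because older openssl exits 0 on failure
  openssl crl -in "$crl" -CAfile "$ca" -noout 2>&1 | grep -q 'verify OK' \
    || { echo "signature does not verify against $ca"; return 1; }
  echo "CRL ok: signed with $alg, $(openssl crl -in "$crl" -noout -nextupdate)"
}

# demo: the CRL must pass in PEM and DER form and fail against an unrelated CA with the same name
work=$(mktemp -d); good="$work/a"; other="$work/b"; mkdir -p "$good" "$other"
make_test_ca "$good"; make_test_ca "$other"
openssl crl -in "$good/crl.pem" -outform DER -out "$good/crl.der"
check_crl "$good/ca.pem" "$good/crl.pem"
check_crl "$good/ca.pem" "$good/crl.der"
check_crl "$other/ca.pem" "$good/crl.pem" || echo "rejected as expected"
rm -rf "$work"
```

Run it against a real pair as `check_crl ca.pem crl.pem` (or `crl.der`); a CRL that passes here and is still refused by the unit points at the device rather than the file.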
DaneA
NETGEAR Employee Retired

Re: Why can't I upload CRLs to the FVS336Gv3?

@train_wreck,

I believe that if the certificate is working on other products and is a good working certificate then it should also work on NETGEAR ProSAFE units. Looking back at the error message you have posted, if the certificate were not supported, a different message reporting an invalid or unsupported type should be displayed, but it shows a critical error.

With regard to this, I raised your concern with a higher tier of NETGEAR Support. As per their response, it would be best that you open an online case with NETGEAR Support at any time. Kindly state your concern and attach the screenshot showing the error message and the CRL. This should be escalated to the engineering team for further investigation.

Regards,

DaneA
NETGEAR Community Team

Message 10 of 12
DaneA
NETGEAR Employee Retired

Re: Why can't I upload CRLs to the FVS336Gv3?

@train_wreck,

I just want to follow up on this. Were you able to open an online case with NETGEAR Support about your concern? If yes, let us know about its progress.

Regards,

DaneA
NETGEAR Community Team

Message 11 of 12
train_wreck
Luminary

Re: Why can't I upload CRLs to the FVS336Gv3?

Nope. The unit is out of the free support period, and at this point the device is relegated to being pretty much a toy (too many shortcomings/inconsistencies to be used in production at my company), and as such isn't worth paying for support. I'm using it at my house right now, but am getting close to selling it seeing as this issue is preventing my RemoteAccess cert-based VPN from working.

Message 12 of 12