Re: FVS318N csr signed by Openssl intermediate CA not accepted

rtr
Tutor

FVS318N csr signed by Openssl intermediate CA not accepted

Hello all,


I have a FVS318N router, firmware 4.3.4-2.

I have generated a certificate signing request (CSR) from the firewall (SHA-1 + RSA2048).

I have issued certificates:

  • using openssl and my Intermediate CA certificate & PK. The firewall refuses to load this certificate.
  • using openssl and a Root CA certificate. The firewall accepts this certificate.

In both cases:

  • no extended key usage
  • SHA1 + RSA2048
  • both the Root and Intermediate CAs certificates are loaded as trusted CAs in the firewall
  • both the Root and Intermediate CAs certificates are SHA1 + RSA2048


Questions:

  1. Are certificates issued by intermediate CAs supported for the Netgear CSR? If yes, any tips?
  2. The certificate I have uploaded is now used for the administration interface, which is unwanted. I would want to add an IPSEC-only certificate which does not interfere with the SSL certificate. What keyUsage/extended key usage should I add or exclude?
  3. The documentation refers to IPSEC VPN extKeyUsage (EKU). AFAIK the IPSEC-specific EKUs have been deprecated long ago and should no longer be used. The IPSEC VPN OIDs are not mentioned in the Netgear doc; does anyone know what they mean?
  4. Is there any way to grab more information (i.e. logs) of what happens inside for certificate management? The firewall has a serial port and I still have a PC with a serial port. Can it be told to log anything useful there (or elsewhere)?


Model: FVS318N|ProSafe Wireless N 8 port gigabit VPN firewall
Message 1 of 8
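The two signing paths described in this post, reproduced with OpenSSL as an added example (this is not code from the thread and not NETGEAR's). It builds a root CA and an intermediate CA, issues the same device CSR once from each, and then runs each leaf through `openssl verify` twice: first with only the root as trust anchor, then with the intermediate supplied as chain material. The leaf extension file also sets the IKE EKU id-kp-ipsecIKE (OID 1.3.6.1.5.5.7.3.17, defined in RFC 4945) so that the resulting certificate can be inspected for it. All subjects, file names and the scratch directory are assumptions made for the example; openssl 1.1.1 or later is assumed to be on PATH; SHA-256 replaces the SHA-1 used in the thread because current OpenSSL refuses SHA-1 chains at its default security level.

```shell
#!/bin/sh
# Added example, not from the thread and not NETGEAR code: rebuild rtr's two
# signing paths with OpenSSL (leaf signed by an intermediate CA vs. by the root)
# and check each leaf the way a verifier does. Assumptions: openssl 1.1.1+ on
# PATH; subjects, file names and the scratch directory are made up here.
set -u

WORK="${WORK:-$(mktemp -d)}"   # scratch directory for keys and certs (assumption)

# Build root CA -> intermediate CA -> device leaf, issuing the same device CSR
# twice: leaf_inter.pem from the intermediate (what the firewall rejected) and
# leaf_root.pem from the root (what it accepted).
build_pki() {
    cd "$WORK" || return 1
    # Self-contained req config so the example does not depend on a system openssl.cnf.
    printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\nCN = placeholder\n[v3_root]\nbasicConstraints = critical,CA:TRUE\nkeyUsage = critical,keyCertSign,cRLSign\nsubjectKeyIdentifier = hash\n' > req.cnf
    openssl req -x509 -config req.cnf -extensions v3_root -newkey rsa:2048 -nodes -sha256 \
        -days 3650 -subj "/CN=Example Root CA" -keyout root.key -out root.pem >/dev/null 2>&1 || return 1
    openssl req -config req.cnf -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=Example Intermediate CA" -keyout inter.key -out inter.csr >/dev/null 2>&1 || return 1
    printf 'basicConstraints = critical,CA:TRUE,pathlen:0\nkeyUsage = critical,keyCertSign,cRLSign\nsubjectKeyIdentifier = hash\n' > ca.ext
    openssl x509 -req -sha256 -days 1825 -in inter.csr -CA root.pem -CAkey root.key \
        -CAcreateserial -extfile ca.ext -out inter.pem >/dev/null 2>&1 || return 1
    # The firewall generates its own CSR; a plain RSA-2048 key stands in for it here.
    openssl req -config req.cnf -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=fvs318n.example.net" -keyout dev.key -out dev.csr >/dev/null 2>&1 || return 1
    # Leaf extensions: no CA bit, signature-only key usage, and the IKE EKU
    # id-kp-ipsecIKE (1.3.6.1.5.5.7.3.17, RFC 4945) to mark the cert IPsec-only.
    printf 'basicConstraints = CA:FALSE\nkeyUsage = critical,digitalSignature\nextendedKeyUsage = 1.3.6.1.5.5.7.3.17\n' > leaf.ext
    openssl x509 -req -sha256 -days 365 -in dev.csr -CA inter.pem -CAkey inter.key \
        -CAcreateserial -extfile leaf.ext -out leaf_inter.pem >/dev/null 2>&1 || return 1
    openssl x509 -req -sha256 -days 365 -in dev.csr -CA root.pem -CAkey root.key \
        -CAcreateserial -extfile leaf.ext -out leaf_root.pem >/dev/null 2>&1 || return 1
}

# A verifier that only knows the trusted root and builds no path through an
# uploaded intermediate (the behaviour the thread reports for the firewall).
verify_root_only() {
    openssl verify -CAfile "$WORK/root.pem" "$WORK/$1" >/dev/null 2>&1
}

# The same root, with the intermediate offered as untrusted chain material,
# which is what a path-building verifier needs to accept leaf_inter.pem.
verify_with_inter() {
    openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/inter.pem" "$WORK/$1" >/dev/null 2>&1
}

# True if the leaf carries the IKE EKU; OpenSSL prints it by name or as the
# raw OID depending on the build, so match either.
leaf_has_ike_eku() {
    openssl x509 -in "$WORK/$1" -noout -ext extendedKeyUsage 2>/dev/null \
        | grep -Eqi 'ipsec|1\.3\.6\.1\.5\.5\.7\.3\.17'
}

report() {
    if "$1" "$2"; then echo "$1 $2: OK"; else echo "$1 $2: FAIL"; fi
}

build_pki || { echo "PKI build failed" >&2; exit 1; }
report verify_root_only  leaf_root.pem     # OK: issuer is the trusted root itself
report verify_root_only  leaf_inter.pem    # FAIL: root alone cannot reach the issuer
report verify_with_inter leaf_inter.pem    # OK: path leaf -> intermediate -> root
report leaf_has_ike_eku  leaf_inter.pem    # OK: EKU is present in the leaf
```

Run it with `sh example.sh`. The second line is the interesting one: the intermediate-signed leaf fails against the root alone exactly as the firewall's rejection suggests, and passes only once the verifier is handed the intermediate to build a path with. Whether the device would honour the IKE EKU is a separate question; the example only shows how to put it in the certificate and confirm it is there.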
DaneA
NETGEAR Employee Retired

Re: FVS318N csr signed by Openssl intermediate CA not accepted

@rtr,


I have raised your concern with a higher tier of NETGEAR Support, and below are the answers to your queries:


1. Are Intermediate CAs issued certificates supported by the Netgear CSR?
Answer: No, we do not support intermediate CAs.


2. The certificate the client has uploaded is now used for the administration interface, which is unwanted. The client would want to add an IPSEC-only certificate which does not interfere with the SSL certificate. What key usage/extended key usage should be added or excluded?
Answer: No. Currently our devices don't have a key usage / extended key usage setting by which a single certificate can be made available only for SSL or only for IPSEC.

3. The documentation refers to IPSEC VPN extKeyUsage (EKU). AFAIK the IPSEC-specific EKUs have been deprecated long ago and should no longer be used. The IPSEC VPN OIDs are not mentioned in the Netgear doc; does anyone know what they mean?

Answer: We do not have any OID support.

4. Is there any way to grab more information (i.e. logs) of what happens inside for certificate management? The firewall has a serial port and the client has a PC with a serial port. Can it be used to log anything useful there?

Answer: No, we do not have such debug log support by default in the firmware.


Regards,


DaneA
NETGEAR Community Team

Message 2 of 8
DaneA
NETGEAR Employee Retired

Re: FVS318N csr signed by Openssl intermediate CA not accepted

@rtr,


Let us know if you have further questions.


Regards,


DaneA
NETGEAR Community Team

Message 3 of 8
rtr
Tutor

Re: FVS318N csr signed by Openssl intermediate CA not accepted

Hello @DaneA,


Thanks for the effort and answer.

Sadly the answer you got confirms what I feared: the certificate support is very much limited.


> 2. Answer: No, Currently our devices don’t have such setting Key usage/ extended key usage by which a single certificate can be made available only for SSL or only for IPSEC.

> 3. Answer: We do not have any OIDS support.

The Router Reference manual (April 2013, 202-10836-05), p316 (chapter: Manage Digital Certificates for VPN Connections):

"On the wireless VPN firewall, the uploaded digital certificate is checked for validity and purpose. The digital certificate is accepted when it passes the validity test and the purpose matches its use. The check for the purpose needs to correspond to its use for IPSec VPN, SSL VPN, or both. If the defined purpose is for IPSec VPN and SSL VPN, the digital certificate is uploaded to both the IPSec VPN certificate repository and the SSL VPN certificate repository. However, if the defined purpose is for IPSec VPN only, the certificate is uploaded only to the IPSec VPN certificate repository"


It would be good and fair to reissue an updated Reference Manual no longer containing that. The current product description and publicly available documentation are misleading.

The update could contain also "we don't support intermediate CA" as well. But I'm repeating myself.


>4. Answer: No, we do not have this debug logs support by default in firmware.


I feel like I'm a pain - but you said "by default": does this mean that it could be somehow changed? I'm ok with the command line, should that be needed.

Or should I read "not possible at all, go away!" ? 🙂


Bottom line: the setup I need to put in place is impossible to achieve with my FVS318N unless some firmware update will address the missing bits.

This looks rather unlikely to happen anytime soon...


Thanks!

Best regards,


Message 4 of 8
DaneA
NETGEAR Employee Retired

Re: FVS318N csr signed by Openssl intermediate CA not accepted

@rtr,


About the re-issue of the FVS318N reference manual (specific to what you have posted) and about debug log support on the FVS318N, I suggest you post this as a feature request in the Idea Exchange Board for Business here. In this way, the development team can see what updates and features users want added to the functionality of the VPN firewall. Be reminded that the more kudos community members give your feature request, the better, because the development team reviews the posts with the most kudos and those have a high chance of being considered.


Regards,


DaneA
NETGEAR Community Team

Message 5 of 8
JohnRo
NETGEAR Employee Retired

Re: FVS318N csr signed by Openssl intermediate CA not accepted

Hi rtr,


We’d greatly appreciate hearing your feedback letting us know if the information we provided has helped resolve your issue or if you need further assistance.
If your issue is now resolved we encourage you to mark the appropriate reply as the “Accepted Solution” so others can be confident in benefiting from the solution. The Netgear community looks forward to hearing from you and being a helpful resource in the future!


Thanks,

Message 6 of 8
rtr
Tutor

Re: FVS318N csr signed by Openssl intermediate CA not accepted

Hello @JohnRo


I don't mind closing this thread somehow (I don't know how), but I can't choose any of the answers as "solution".

I have had it acknowledged that the current certificate implementation is severely limited and not even up to what the Netgear documentation claims.

There's no solution so far, and not much hope for one either: all depends on "Idea Exchange Board for Business" etc.

I give up, but there's no button to close the thread this way 🙂


@DaneA, you - and maybe others - do a great job monitoring and answering; I really appreciate and thank you for your effort to have things sorted out.


Overall I'm disappointed by the support for the firmware of the product. "We have firmware problems for a lifetime-guaranteed item and we won't fix them except maybe if one gets enough votes etc." from the firmware maintainer is ... disappointing.


rtr

Message 7 of 8
DaneA
NETGEAR Employee Retired

Re: FVS318N csr signed by Openssl intermediate CA not accepted

@rtr,


You're welcome! 🙂 I really encourage you to post your concern as a feature request in the Idea Exchange Board for Business.


Regards,


DaneA
NETGEAR Community Team

Message 8 of 8