Join Log in
Score:0
avatar Server

Insecure Connections With CA Issue Certificate

cn flag
JukEboX

I have imported a web server certificate from a CSR coming from my Cisco C9300. The certificate came from the Certificate authority and shows the correct CA on the end of the chain. CLI shows that the certificate was installed correctly with no problem. Issue is when I go to the Secure website (https://) for the switch but it says the connection is not secure. I check the certificate for in the browser and it shows the certificate I got from the CA. Why does it show insecure even though the certificate is valid?

When going to the page it says NET::ERR_CERT_COMMON_NAME_INVALID

UPDATE 1: Thanks to @Zac67 I am checking the Trustpoint information. When we access the switch for the web page we use https://ipaddress. I can create the following:

subject-name C=US, ST=Pennsylvania, L=My-Town, O=My-Org, OU=My-Department, CN=SWITCHNAME.DOMAIN.NET

But when I do subject-alt-name 192.168.1.10 it gives me the following error:

CRYPTO_PKI: Label cannot be made only of digits. Also, ip addresses are not permitted

Tried putting the address in the CN but that didn't work either. Still says the certificate is not valid.

UPDATE 2: I am using the How-To located here: to create an RSA key. With that key I am using my CA as a trust point. I get the thumbprint to give to my Microsoft CA for a WebServer certificate. I get the WebServer certificate from my CA and import it with the same How-TO directions into the switch. I then go to the webpage and it says the webpage is not valid. The certificate is coming from the CA for my domain. I don't see how it thinks it is invalid.

UPDATE 3: So I am looking at the suggestions from RICK about the SAN. I am going to lay out we do not use OpenSSL as we are not allowed to. WE have to use our on network CA. For the CN I have set the CN to the IP address of the certificate. For the SAN Cisco has a separate commands that says ip-address which adds the address and there I have a different command called subject-name-alternative of which I can't add an IP address to that command as it is not allowed. So what I find I can do the following:

CN can be the following:

  • IP address
  • Hostname
  • FQDN

SAN (Subject-Name-Alternative can be the following:

  • Hostname
  • FQDN

IP address can be added or not

Tried a mixture of all those things and it is still telling me the certificate is invalid on EDGE with the error: NET::ERR_CERT_COMMON_NAME_INVALID. If you look at the certificate from Edge it shows the same certificate if I open it on its own with the same fingerprints.

So what should the CN be when accessing it from the IP address using Edge?

UPDATE 4 Also when doing the following to make the CSR I add the IP Address line. But when I look at the certificate it doesn't look like the IP address is added to the SAN. In fact the certificate does not have SAN AT ALL! It looks like something is getting lost in translation.

crypto pki trustpoint my-trustpoint
enrollment terminal pem 
subject-name C=US, ST=Pennsylvania, L=My-Town, O=My-Org, OU=My-Department, CN=My-Switch.my-network.com
subject-alt-name my-switch.my-network.com
serial-number none
ip-address 192.168.1.51
revocation-check none
rsakeypair my-4096rsa-key
end

Any idea why it isn't including the IP address into the SAN?

135
2 + 6
Ricky avatar
gq flag
Ricky
*COMMON_NAME_INVALID* should be your first clue. You accessed it by a domain name (or IP) that isn't in the certificates list of names. For example, the CN for NE is "*.stackexchange.com"
5
Reply
cn flag
JukEboX
I have tried the IP address for the CN but it still shows as not secure. Should it not be a Webserver certificate?
0
Reply
Teun Vink avatar
in flag
Teun Vink
It would really help if you would explain how you created the certificate and with what root/intermediate certificate it was signed. My guess is you're using some self signed certificate generated on the device and your browser doesn't know any of the certificates in the chain used for signing your certificate. But that's still just a guess, because you're not very clear on your exact actions.
1
Reply
cn flag
JukEboX
@TeunVink added information about the certificate in Update 2. NO this is not a self-signed certificate.
0
Reply
Ron Trunk avatar
in flag
Ron Trunk
Voting to close as this really is a PKI issue. [sf] might be a better place to ask these questions.
0
Reply
cn flag
JukEboX
@RonTrunk can you transfer the question?
0
Reply
Score:3
Zac67 avatar Server
ru flag
Zac67

To elaborate on Ricky's comment: the host name used in https:// must match either the certificate's subject name (SN) or one of the subject alternative names (SAN). If you use the bare IP address it must be present as SAN. Even the slightest mismatch causes a certificate error.

Also make sure that the root CA certificate is present in the client's trust store if you use your own CA.

+ 11
cn flag
JukEboX
so I am using these directions: https://community.cisco.com/t5/networking-knowledge-base/creating-a-csr-authenticating-a-ca-and-enrolling-certificates-on/ta-p/4436090 Does that mean for the Subject-Name or the Subject-Name it needs to include the IP ADDRESS when we access the https page?
0
Reply
cn flag
JukEboX
I have tried adding it in the line for subject-alt-name as well as CN but it is still showing on the web page as not secure. Should it not be a Webserver certificate?
0
Reply
cn flag
JukEboX
Also SAN cannot be an ip address per the terminal.
0
Reply
Zac67 avatar
ru flag
Zac67
@JukEboX An IP address cannot be the Subject Name, but it should be allowed as a SAN. If you did include the IP as SAN and it's still failing then you need to check whether the IP has made it into the certificate or what else is the problem. If you can't figure it out, please add the exact warning text, the certificate details and the chain details to your question.
0
Reply
cn flag
JukEboX
added the information to the question.
0
Reply
Zac67 avatar
ru flag
Zac67
Try putting the IP address in "double quotes".
0
Reply
cn flag
JukEboX
According to output can only use digits, alphabet, "-", or '*'
0
Reply
vidarlo avatar
ar flag
vidarlo
Why not set up DNS? If your network is big enough to warrant TLS for switch management then you probably want DNS as well.
2
Reply
cn flag
JukEboX
@vidarlo DNS is setup and the device has an entry. If I connect to it by the Computer name it finds the DNS and connects to it but that too shows the certificate is invalid. But I can open the certificate and it says "This certificate is OK". So confused
0
Reply
Zac67 avatar
ru flag
Zac67
@JukEboX You need to match the certificate subject name (or SAN) with the DNS name you use - voilà.
0
Reply
cn flag
JukEboX
So to add more information to the answer the Cisco switch does not add the IP Address into the certificate as a SAN or anywhere which I don't know why it matters to use the `ip-address` command when making the certificate. Also made a DNS entry for the switch and I can access it with a valid and secure connection using the https://FQDN of the switch.
0
Reply
Score:3
Illuminatus avatar Server
rw flag
Illuminatus

If the version of Cisco IOS you are using does not allow defining an IP based Subject Alternative Name (SAN) then you should create the CSR via a different tool like openssl to include the IP and then sign the CSR with your CA.

With openssl you will use an openssl.cnf configuration file and append a section to include the SAN (it can be done via CLI as well, but gets a bit more complicated).

To use the configuration file the [req] section should include a req_extensions parameter, something like:

req_extensions = req_ext

The value you provide is the "context" for the later section which defines which extensions you want to use. With req_ext as the value the rest of the configuration would look something like:

[ req_ext ]
subjectAltName = @alt_names 

[alt_names]
IP.1    = 192.168.1.10
  • To confirm the generated Certificate Signing Request (CSR) contains the entries you can use:
openssl req -noout -text -in switch.csr

Check for the X509v3 Subject Alternative Name section. Inside should be entries for IP: which contain whatever you defined in the openssl.cnf when you generated the CSR. If the IP address you are expecting the certificate to secure is not listed inside the SAN entries of the CSR something went wrong, any generated certificate from a CSR missing the fields will observe the error you mentioned, as it does not secure the IP properly.

If you see the expected IP entries then pass the CSR over to your CA for signing and creation of the certificate.

  • To confirm the CA signed certificate contains the entries with a recent openssl you can use:
openssl x509 -noout -ext subjectAltName -in switch.pem
  • To confirm the CA signed certificate contains the entries with an older version of openssl (missing the extensions flag -ext) you can use:
openssl x509 -noout -text -in switch.pem

Using either method above you can investigate the signed certificate prior to installation. Check the Subject Alternative Name sections values. If this looks correct then go ahead and install the new certificate in your switch.

Alternatively you can also investigate SAN fields via the browser for already installed certificates. Depending on the browser software and version the layout of the information may differ.

For example here is Chrome which requires clicking on the HTTPS/Lock in the browser (view site information), clicking connection is secure then clicking Certificate is Valid, your switch would not say valid of course, so click Certificate is not valid.

Chrome: Certificate Details

In Firefox reviewing the certificate also click the HTTPS/Lock in the browser, Connection Secure (when true of course), then More Information

Firefox: View Certificate

+ 1
cn flag
JukEboX
Unfortunately since my network is an offline network I need to use the CA for the offline network and the certificate is showing on Microsoft Edge as invalid but if I look at it on my computer the certificate says "This certificate is OK". I am connected by IP address. If I connect by the device name it says it is also invalid.
0
Reply
ธงชาติไทย
Elon Musk
I sit in a Tesla and translated this thread with Ai:

mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.