What’s the requirements for TP-Link Switch SSL certificate and key file?

What’s the requirements for TP-Link Switch SSL certificate and key file?
What’s the requirements for TP-Link Switch SSL certificate and key file?
2020-03-10 05:54:45 - last edited 2020-03-10 05:58:09

For TP-Link Switch, it supports HTTPS for management web. Provides security access via a web browser. HTTPS is based on SSL. Before the client and server communicate, they need to pass the authentication by certificate. The switch carries a self-signed certificate. Users also can import their certificate file and key file. The related management web is as follows.

 

The certificate file and key file has many formats. If you meet the error when import certificate file, it may be caused by the wrong format. For certificate file and key file, they must match each other; otherwise the HTTPS connection will not work. And they should be BASE64 encoded and match the below format.

 

For certificate file, it needs to match the following format.

"-----BEGIN CERTIFICATE-----"

***

"-----END CERTIFICATE-----"

 

For key file, it needs to match one of the following formats.

"-----BEGIN RSA PRIVATE KEY-----"

***

"-----END RSA PRIVATE KEY-----"

 

or

"-----BEGIN EC PARAMETERS-----"

***

"-----END EC PARAMETERS-----"

 

"-----BEGIN EC PRIVATE KEY-----"

***

"-----END EC PRIVATE KEY-----"

 

Addition

Sometimes you will see that the key file uses the format of “BEGIN PRIVATE KEY”. It’s available in the form of PKCS#8, that identifies the type of public key and contains the relevant data. Generally, if you use the command of “openssl req xxx” to generate both the private key and the crt/csr, the key will use the format of “BEGIN PRIVATE KEY”.

 

To make the key file be able to import to TP-Link switch, you can convert the “BEGIN PRIVATE KEY” to the formats that TP-Link supports. Just use the command “openssl rsa –in $FROMFILE –out $TOFILE”. $FROMFILE means the filename of your current key file. $TOFILE means the filename of the newly generated key file. 

2
2
#1
Options
1 Reply
Re:What’s the requirements for TP-Link Switch SSL certificate and key file?
2021-06-24 00:25:11 - last edited 2021-06-24 00:31:26

@Anderson I tried to use the EC key pair, but not worked for me. Only RSA is working. (Managed switch: TL-SG3428, SW: 2.0.3 Build 20210409 Rel.52950, settings: TLSv1.2, enabled: ECDHE_WITH_AES_128_GCM_SHA256ECDHE_WITH_AES_256_GCM_SHA384)

 

Example:

openssl ecparam -genkey -name prime256v1 -param_enc explicit -out ${FILE_NAME}-key.pem

[OR]

openssl ecparam -genkey -name secp384r1 -param_enc explicit -out ${FILE_NAME}-key.pem

 

Output example:

-----BEGIN EC PARAMETERS-----
MIIBVwIBATA8BgcqhkjOPQEBAjEA////////////////////////////////////
//////7/////AAAAAAAAAAD/////MHsEMP//////////////////////////////
///////////+/////wAAAAAAAAAA/////AQwszEvp+I+5+SYjgVr4/gtGRgdnG7+
gUESAxQIj1ATh1rGVjmNii7RnSqFyO3T7CrvAxUAozWSaqMZonodAIlqZ3OkgnrN
rHMEYQSqh8oivosFN46xxx7zIK10bh07Younm5hZ90HgglQqOFUC8l2/VSlsOlRe
OHJ2Crc2F95KliYsb12emL+Sktwp+PQdvSiaFHzp2jETtfC4wApgsc4dfoGdekMd
fJDqDl8CMQD////////////////////////////////HY02B9Dct31gaDbJIsKd6
7OwZaszFKXMCAQE=
-----END EC PARAMETERS-----
-----BEGIN EC PRIVATE KEY-----
MIIB+gIBAQQwTd3skxC5o0PiwYoWftUcvehFdDE0VYkLtTC8o0Fe7nu+Ea1NzNQ4
f53IlAzVxN3loIIBWzCCAVcCAQEwPAYHKoZIzj0BAQIxAP//////////////////
///////////////////////+/////wAAAAAAAAAA/////zB7BDD/////////////
/////////////////////////////v////8AAAAAAAAAAP////wEMLMxL6fiPufk
mI4Fa+P4LRkYHZxu/oFBEgMUCI9QE4daxlY5jYou0Z0qhcjt0+wq7wMVAKM1kmqj
GaJ6HQCJamdzpIJ6zaxzBGEEqofKIr6LBTeOscce8yCtdG4dO2KLp5uYWfdB4IJU
KjhVAvJdv1UpbDpUXjhydgq3NhfeSpYmLG9dnpi/kpLcKfj0Hb0omhR86doxE7Xw
uMAKYLHOHX6BnXpDHXyQ6g5fAjEA////////////////////////////////x2NN
gfQ3Ld9YGg2ySLCneuzsGWrMxSlzAgEBoWQDYgAEirM/lYyRvqpdgL4eX7DfgOlL
PnxLO8chcylOUjXmdUkqy7Oa3/ToFcnapYsszOn7huo3Vy3Elb2MhSRdqnUHp9VI
tSkuF4+/tDtTE801xJKAgokyuhjm6l5waaMQ26CT
-----END EC PRIVATE KEY-----

 

The "Load Certificate" feature only load the first certificate in the chain file so, intermediate CA is not supported.

CA -> IntCA -> Server

 

The SSH feature is not support the Ed25519 key.

0
0
#3
Options