Own X.509 certificates and keys is not working

Hi!
I needed a switch with more than six 10GBit RJ45 ports, so I bought two SX3832.
I operate both switches in stand-alone mode, without a controller. The initial setup worked. Unfortunately, I did not manage to use my own certificate and key for the https service.
On "SECURITY > Access Security > HTTPS Config" I selected my X.509 certificate and the private key. Then I pressed "save config".
But the server still uses its self-signed RSA2048 certificate instead of my EC prime256v1 key/cert.
There is a ‘download cert/key’ button, but it is not documented anywhere. If I click on this button, a message appears for approx. 0.1 seconds, which is then directly replaced by a message that the certificate could not be downloaded.
I even managed to break the https server, so that only a reset of the switch helped.
My local CA and all other servers on my network are using prime256v1 keys and ecdsa-with-SHA256 certificate signatures.
At the moment I am really very frustrated :(
Ikarisan
Do you have the proper cert and key?
That should be base64, and it would not be effective if your cert and key do not match.
@Clive_A I think so.
The key starts with
-----BEGIN EC PRIVATE KEY-----
and the certificate with
-----BEGIN CERTIFICATE-----
openssl is pleased with both, and the public part of the EC key matches the one referenced in the certificate.
EDIT: I have just looked at this again. I can always load the certificate but loading the key always fails with "failed to download the key file". It doesn't matter whether I use prime256v1, prime192v1 or sec384r1, for example.
Ikarisan wrote
@Clive_A I think so.
The key starts with
-----BEGIN EC PRIVATE KEY-----
and the certificate with
-----BEGIN CERTIFICATE-----
openssl is pleased with both, and the public part of the EC key matches the one referenced in the certificate.
EDIT: I have just looked at this again. I can always load the certificate but loading the key always fails with "failed to download the key file". It doesn't matter whether I use prime256v1, prime192v1 or sec384r1, for example.
Try the incognito mode from Chromium based browser to download the key.
About the cert not working: if you double-check the key and cert, and their format as I described, will the cert work properly?
I see two issues now, and I would like to know whether the cert is effective or not.
@Clive_A
Sorry, but I don't get what you mean by "if you double-check the key and cert, and their format as I described, will the cert work properly".
Both the certificate and the private key are accepted by openssl on Ubuntu 24.04/Windows 11 and by the XCA app on Windows.
But I will try the Chromium incognito mode to "download" the key (tomorrow).
Have I ever said that I find the term ‘download’ for uploading a file onto the switch super modest?
I UPload a file onto the switch and I DOWNload a file from the switch onto my computer.
You really don't have to adopt every nonsense from Cisco. ;)
Ikarisan wrote
@Clive_A
Sorry, but I don't get what you mean by "if you double-check the key and cert, and their format as I described, will the cert work properly".
Both the certificate and the private key are accepted by openssl on Ubuntu 24.04/Windows 11 and by the XCA app on Windows.
But I will try the Chromium incognito mode to "download" the key (tomorrow).
Have I ever said that I find the term ‘download’ for uploading a file onto the switch super modest?
I UPload a file onto the switch and I DOWNload a file from the switch onto my computer.
You really don't have to adopt every nonsense from Cisco. ;)
Per the dev team, the supported format is base64. Have you examined both files in that format? Or asked the certificate issuing authority about this?
Not sure what you mean by Cisco. That it works with Windows or Linux does not mean it has the proper format to work on our device. Both OSes are known for wide compatibility.
@Clive_A Yes, both files are base64. For testing purposes I made a new test CA from scratch and generated an X.509 certificate and a key file. I have attached the files as a ZIP archive. This key cannot be uploaded either, neither in Firefox nor in Chrome; I tested both in private mode.
I extracted and compared both public parts:
openssl pkey -in testcert_key.pem -pubout -out pubkey_key.pem
openssl x509 -in testcert.crt -pubkey -noout -out pubkey_crt.pem
They are the same.
Maybe someone can have a look and tell me what's wrong with the key.
====
What I mean by Cisco is that the upload to the switch is called a download. On Cisco Catalyst switches, you also have to click on “Download & Install” if you want to upload an update from the PC to the switch. I have always found this very confusing.
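The public-key comparison from the post above, turned into an added shell example that is not from the thread or from TP-Link: it wraps the same two openssl commands in a function that hashes both DER-encoded public parts (so it works for RSA and EC keys alike), reports the key's PEM label (a SEC1 "EC PRIVATE KEY" file and a PKCS#8 "PRIVATE KEY" file hold the same key in two different encodings, and some embedded web servers parse only one of them; whether that applies to this switch is not something the thread establishes) and the certificate's signature algorithm, and builds a throw-away prime256v1 test CA the way the poster did. The openssl CLI is assumed to be installed; file names and the test subjects are constructed.

```shell
#!/bin/sh
# Added example, not from the thread or from TP-Link. Needs the openssl CLI.
# Reproduces the poster's check (public part of the key == public key in the
# certificate) and reports what an embedded HTTPS stack tends to care about.
set -eu

# certkey_match CERT KEY: prints "match"/"mismatch", exit 0/1. Works for RSA and EC
# because it compares hashes of the DER SubjectPublicKeyInfo, not curve fields.
certkey_match() {
    cert_pub=$(openssl x509 -in "$1" -pubkey -noout | openssl pkey -pubin -outform DER | openssl dgst -sha256)
    key_pub=$(openssl pkey -in "$2" -pubout -outform DER | openssl dgst -sha256)
    if [ "$cert_pub" = "$key_pub" ]; then echo match; return 0; fi
    echo mismatch; return 1
}

# key_pem_label KEY: the BEGIN label, e.g. "EC PRIVATE KEY" (SEC1) or "PRIVATE KEY" (PKCS#8).
# Same key, two encodings; some embedded web servers only parse one of them.
key_pem_label() {
    sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1" | head -n 1
}

# cert_sigalg CERT: the certificate's signature algorithm, e.g. "ecdsa-with-SHA256".
cert_sigalg() {
    openssl x509 -in "$1" -noout -text | sed -n 's/^ *Signature Algorithm: //p' | head -n 1
}

# to_pkcs8 KEY OUT: rewrite a SEC1/traditional key as unencrypted PKCS#8; key material unchanged.
to_pkcs8() {
    openssl pkcs8 -topk8 -nocrypt -in "$1" -out "$2"
}

# make_test_material DIR: constructed test data, built the way the poster did
# (throw-away prime256v1 CA, one server key/cert, plus one unrelated key).
make_test_material() {
    d=$1
    openssl ecparam -name prime256v1 -genkey -noout -out "$d/ca.key"
    openssl req -x509 -new -key "$d/ca.key" -sha256 -days 1 -subj "/CN=test CA" -out "$d/ca.crt"
    openssl ecparam -name prime256v1 -genkey -noout -out "$d/server.key"
    openssl req -new -key "$d/server.key" -subj "/CN=switch.example" -out "$d/server.csr"
    openssl x509 -req -in "$d/server.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -sha256 -days 1 -out "$d/server.crt" 2>/dev/null
    openssl ecparam -name prime256v1 -genkey -noout -out "$d/other.key"
}

# report CERT KEY: one-line summary of exactly what you are about to upload.
report() {
    echo "key PEM label: $(key_pem_label "$2") | cert sig alg: $(cert_sigalg "$1") | $(certkey_match "$1" "$2")"
}
```

Run `report server.crt server.key` on the real pair before uploading; if the label is "EC PRIVATE KEY", `to_pkcs8 server.key server.p8` gives the same key in the other encoding to try.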

Ikarisan wrote
@Clive_A Yes, both files are base64. For testing purposes I made a new test CA from scratch and generated an X.509 certificate and a key file. I have attached the files as a ZIP archive. This key cannot be uploaded either, neither in Firefox nor in Chrome; I tested both in private mode.
I extracted and compared both public parts:
openssl pkey -in testcert_key.pem -pubout -out pubkey_key.pem
openssl x509 -in testcert.crt -pubkey -noout -out pubkey_crt.pem
They are the same.
Maybe someone can have a look and tell me what's wrong with the key.
====
What I mean by Cisco is that the upload to the switch is called a download. On Cisco Catalyst switches, you also have to click on “Download & Install” if you want to upload an update from the PC to the switch. I have always found this very confusing.
The team mentioned that you could try an RSA 4096 key and a SHA512 signature.
Can you try this pair?
@Clive_A Sorry, this is not working either. I currently use an RSA4096 key and a certificate with an “ecdsa-with-SHA512” signature. The key and the certificate are now loaded, but the HTTPS server is not activated. "show run" only shows "ip http server" but no "ip https server".
I tried to enable it by "ip http secure-server" but this is not doing anything. :(