Set Custom SSL Certificate

If you have a Cisco device, you may have issues getting the SSL certificate to work properly on the web GUI.

The solution is here.

Specifically, I generated a certificate/key on a Palo Alto Networks PA-220 firewall because that was where I stored my home root CA. I then exported the certificate and ticked 'export private key'. I added a password as PAN-OS does not give you a choice.

Don't forget, it has to be a 2048-bit key, not 4096.

Remember, with Cisco, we need three things:

  1. The certificate
  2. The public key
  3. The private key

On the Palo Alto Networks firewall, we can generate a certificate with a key that is signed by a root CA. Once you have done that, export it in PEM format with a password.

Get the Certificate

You can get a copy of just the certificate by opening up the PEM file and copying out this bit to another file.

-----BEGIN CERTIFICATE-----
MII
...
Q==
-----END CERTIFICATE-----

Get the Public Key

Take the exported PEM file from PAN-OS, put it on a machine that has OpenSSL, and use the following command to extract the public key:

openssl x509 -pubkey -noout -in cert.pem > pubkey.pem

Then, change

-----BEGIN PUBLIC KEY-----

to

-----BEGIN RSA PUBLIC KEY-----

and

-----END PUBLIC KEY-----

to

-----END RSA PUBLIC KEY-----

Also, remove the first 32 characters of the public key.

MIIBCgKCAQEAo5Q21pIa/5C2IXIgQw9Z

Make sure you adjust the lines so they are the same length as before.
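
The manual edit above works because the first 32 Base64 characters of a 2048-bit RSA PUBLIC KEY block are a fixed 24-byte header, and what follows is the PKCS#1 structure that the RSA PUBLIC KEY label denotes. The Python below is an added example, not part of the original page: it does the same strip, but refuses unless the header is the expected one, and re-wraps the lines. The function names and the dummy sample key are assumptions made for the illustration.

```python
import base64

# DER header of a SubjectPublicKeyInfo wrapping a 2048-bit RSA key with
# exponent 65537: outer SEQUENCE, AlgorithmIdentifier (rsaEncryption, NULL),
# BIT STRING header. 24 bytes encode to exactly 32 Base64 characters.
SPKI_RSA2048_PREFIX = bytes.fromhex(
    "30820122" "300d06092a864886f70d0101010500" "0382010f00"
)


def pem_wrap(label: str, der: bytes) -> str:
    """Wrap DER bytes as PEM with 64-character body lines."""
    b64 = base64.b64encode(der).decode("ascii")
    body = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([f"-----BEGIN {label}-----", *body, f"-----END {label}-----"]) + "\n"


def spki_to_rsa_public_key(pem: str) -> str:
    """Convert a 'PUBLIC KEY' PEM to 'RSA PUBLIC KEY', verifying what is stripped."""
    lines = [ln.strip() for ln in pem.strip().splitlines()]
    if (len(lines) < 3 or lines[0] != "-----BEGIN PUBLIC KEY-----"
            or lines[-1] != "-----END PUBLIC KEY-----"):
        raise ValueError("expected a PEM block labelled PUBLIC KEY")
    der = base64.b64decode("".join(lines[1:-1]), validate=True)
    if not der.startswith(SPKI_RSA2048_PREFIX):
        raise ValueError("not the expected 2048-bit RSA header; refusing to strip")
    inner = der[len(SPKI_RSA2048_PREFIX):]
    # The remainder must be one complete DER SEQUENCE (modulus, exponent).
    if inner[:2] != b"\x30\x82" or int.from_bytes(inner[2:4], "big") != len(inner) - 4:
        raise ValueError("inner RSAPublicKey is truncated or has trailing data")
    return pem_wrap("RSA PUBLIC KEY", inner)


def constructed_sample_spki() -> str:
    """Structurally valid SPKI PEM built from a dummy modulus (constructed, not a real key)."""
    modulus = b"\xb5" + bytes(range(255))  # 256 placeholder bytes, top bit set
    inner = bytes.fromhex("3082010a" "0282010100") + modulus + bytes.fromhex("0203010001")
    return pem_wrap("PUBLIC KEY", SPKI_RSA2048_PREFIX + inner)


if __name__ == "__main__":
    print(spki_to_rsa_public_key(constructed_sample_spki()), end="")
```

To use it on a real file, pass the contents of pubkey.pem to spki_to_rsa_public_key() and write the result to a new file.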

Get the Private Key

Strip the password off the certificate key:

openssl rsa -in cert.pem -out privkey.pem

Ensure the formatting is correct:

openssl rsa -in privkey.pem -outform pem > privkey_fixed.pem

Install

And there you go. Make sure you tell the GUI that the key is not encrypted.

You will need to switch to advanced mode in IOS GUI to see

You will need to provide the following:

  1. The certificate
  2. The public key
  3. The private key