Import Custom SSL Certificate in Zyxel GS1920-8HPv2

I have a problem with importing a server SSL cert for HTTPS web connection on my Zyxel GS1920-8HPv2.

On the WebGUI of the switch, there is information that the cert and key have to be in a PKCS12 container.

I did the following things to create the server crt:

generate a private key:

openssl genrsa \
    -aes256 \
    -out private/zyxel-server.key.pem 4096

generate a csr:

openssl req \
       -config openssl.cnf \
       -key private/zyxel-server.key.pem \
       -new -sha512 \
       -out csr/zyxel-server.csr.pem

create the signed cert from my CA:

openssl ca -config openssl.cnf \
           -extensions server_cert_zyxel \
           -days 1095 -notext -batch -md sha512 \
           -passin file:mypass.enc \
           -in csr/zyxel-server.csr.pem \
           -out certs/zyxel-server.pem

Then I built the PKCS12 container:

openssl pkcs12 \
       -export \
       -out cert.pfx \
       -inkey private/zyxel-server.key.pem \
       -in certs/zyxel-server.pem \
       -certfile certs/ca.cert.pem

I also tested the "certfile" option with the full chain (CA + intermediate):

openssl pkcs12 \
       -export \
       -out cert.pfx \
       -inkey private/zyxel-server.key.pem \
       -in certs/zyxel-server.pem \
       -certfile certs/ca-fullchain.cert.pem

But when I try to import the PKCS12 container, the switch runs into a timeout without any log messages.

Is the procedure I used to create the PKCS12 container correct, and does anyone have an idea how to import the server cert on this Zyxel switch?

Answer 1

In the meantime I found a solution to fix the problem:

If I create the PKCS12 container with OpenSSL 3.0.2 (Ubuntu 22.04) and import the container to my iPhone and Zyxel switch, it doesn't work.

If I create the PKCS12 container with OpenSSL 1.1.1f (Ubuntu 20.04), it works.

If I create a PKCS12 container with OpenSSL 3.0.2 and try to read the container (openssl pkcs12 -info ...) with OpenSSL 1.1.1, I get the following error message:

Enter Import Password:
MAC: sha1, Iteration 2048
MAC length: 20, salt length: 8
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048
Error outputting keys and certificates
4047620DD67F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:../crypto/evp/evp_fetch.c:349:Global default library context, Algorithm (RC2-40-CBC : 0), Properties ()

It seems that OpenSSL 3.0 uses another algorithm to build the container, and applications which use OpenSSL 1.x.x can't open and process these files.
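To check a container before uploading it, here is an added example (not from the post, and not Zyxel's or OpenSSL's code): a small Python script that walks a .pfx file's DER encoding and reports whether its PBE and MAC algorithms are the OpenSSL 3.0 defaults (PBES2/PBKDF2 with AES-256-CBC and a SHA-256 MAC) or the older SHA-1/RC2-40/3DES set that OpenSSL 1.1.x-era parsers accept. The OID values are the standard PKCS#12 identifiers; the function names, the KNOWN table and the sample fragment are my own constructions, and the walker assumes DER as written by openssl pkcs12 -export (not BER indefinite lengths).

```python
KNOWN = {  # standard OIDs; legacy = pre-3.0 OpenSSL defaults, v3 = OpenSSL 3.0 defaults
    "1.2.840.113549.1.12.1.3": ("legacy", "pbeWithSHA1And3-KeyTripleDES-CBC"),
    "1.2.840.113549.1.12.1.6": ("legacy", "pbeWithSHA1And40BitRC2-CBC"),
    "1.3.14.3.2.26": ("legacy", "sha1 (MAC)"),
    "1.2.840.113549.1.5.13": ("v3", "PBES2"),
    "1.2.840.113549.1.5.12": ("v3", "PBKDF2"),
    "2.16.840.1.101.3.4.1.42": ("v3", "aes256-CBC"),
    "2.16.840.1.101.3.4.2.1": ("v3", "sha256 (MAC)"),
}

def _tlv(buf, pos):  # one DER tag-length-value at pos -> (tag, value, next_pos)
    if pos + 2 > len(buf) or buf[pos] & 0x1F == 0x1F:
        raise ValueError("not DER")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated")
    return tag, buf[pos:pos + length], pos + length

def _oid(body):
    arcs, v = [], 0
    for b in body:  # base-128 arcs, high bit set = more bytes follow
        v = (v << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(v); v = 0
    lead = min(arcs[0] // 40, 2)  # first byte packs the first two arcs
    return ".".join(map(str, [lead, arcs[0] - 40 * lead] + arcs[1:]))

def scan_oids(der):
    """Every OID in der, including those inside nested DER such as PKCS#12's AuthenticatedSafe."""
    found, pos = [], 0
    while pos < len(der):
        tag, body, pos = _tlv(der, pos)
        if tag == 0x06 and body:
            found.append(_oid(body))
        elif tag & 0x20 or tag == 0x04:  # constructed type, or OCTET STRING wrapping DER
            try:
                found.extend(scan_oids(body))
            except ValueError:  # opaque octets (ciphertext, salt, MAC): not nested DER
                pass
    return found

def check_pfx(der):  # -> {"legacy": {names}, "v3": {names}} for the recognised OIDs
    hits = [KNOWN[o] for o in set(scan_oids(der)) if o in KNOWN]
    return {era: {n for e, n in hits if e == era} for era in ("legacy", "v3")}

# Constructed fragment (not a real .pfx): OpenSSL 3 style PBES2 params in an OCTET STRING, then a SHA-256 MAC
OPENSSL3_SAMPLE = bytes.fromhex("303804293027" "06092a864886f70d01050d" "301a"
    "300b06092a864886f70d01050c" "300b060960864801650304012a" "300b0609608648016503040201")
```

Run check_pfx on the bytes of a real cert.pfx: any name under "v3" means the file uses the OpenSSL 3.0 defaults, and with OpenSSL 3.0 the old algorithms can be requested at export time with openssl pkcs12 -export -legacy.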
