Network Management
  • 1.  Netedit - CERT CSR with ECDSA instead of RSA

    Posted Feb 25, 2025 01:43 AM

    Hi @all,

    I'm running Netedit 2.14.0 and want to create a CSR.

    There I followed Aruba's documentation

    https://arubanetworking.hpe.com/techdocs/AOS-CX/NetEdit/NetEdit_2x_IG.pdf

    and tried to create a CSR using ECDSA and not RSA encryption.

    However, whatever I try, I always get an RSA 4096-bit encrypted CSR.

    The commands I used were:

    sudo /opt/netedit/jre/bin/keytool -genkeypair -keyalg EC -groupname secp384r1

    &&

    sudo /opt/netedit/jre/bin/keytool -keystore /opt/netedit/config/appKeystore.p12 -certreq -alias tomcat -keyalg EC -dname 'CN=myname, OU=xx, O=yy, L=city, C=country' -ext san=dns:FQDN.local,ip:IPv4 -file /opt/netedit/config/neteditapp.csr

    Can someone point me to the right direction please?

    Is it possible at all to create a CSR with ECDSA?

    Thank You

    Marcus



  • 2.  RE: Netedit - CERT CSR with ECDSA instead of RSA

    Posted Feb 25, 2025 11:33 AM
    Edited by Herman Robers Feb 25, 2025 11:34 AM

    Those are just Java commands, and I tried the same on an Ubuntu system and do get an EC CSR out of it:

    % keytool -genkeypair -keyalg EC -groupname secp384r1
    Enter keystore password:
    Re-enter new password:
    <cert questions>
    % keytool -certreq -keyalg EC -dname 'CN=myname, OU=xx, O=yy, L=city, C=country' -ext san=dns:FQDN.local,ip:10.1.1.1 -file test.csr
    Enter keystore password:
    % openssl req -noout -text < test.csr
    Certificate Request:
        Data:
            Version: 1 (0x0)
            Subject: C = country, L = city, O = yy, OU = xx, CN = myname
            Subject Public Key Info:
                Public Key Algorithm: id-ecPublicKey
                    Public-Key: (384 bit)
                    pub:
                        04:1b:3b:5d:21:25:90:48:bb:42:86:06:4b:66:de:
                        57:74:7b:a2:3c:41:f0:51:bc:ab:f1:86:3e:45:69:
                        dc:01:4e:e3:b3:ac:0b:94:9c:bc:40:a8:3b:de:b2:
                        c3:2c:d7:4e:4d:26:2a:8d:23:7c:be:4a:fe:b1:b2:
                        34:32:fb:b2:b9:c6:21:ac:e0:88:95:9d:f5:3d:23:
                        7f:b0:e9:b8:da:e4:f8:a5:9e:3d:78:91:29:b7:51:
                        a9:49:05:93:dd:41:38
                    ASN1 OID: secp384r1
                    NIST CURVE: P-384
            Attributes:
                Requested Extensions:
                    X509v3 Subject Key Identifier:
                        BA:9D:DD:BD:72:BA:B0:FE:63:4F:81:CF:B3:AE:3C:F4:20:5A:2B:21
                    X509v3 Subject Alternative Name:
                        DNS:FQDN.local, IP Address:10.1.1.1
        Signature Algorithm: ecdsa-with-SHA384
        Signature Value:
            30:65:02:30:2b:55:66:e5:0a:c8:d2:7a:27:5b:f8:4a:1a:2d:
            3f:7b:50:86:3a:66:fe:59:1b:c4:6f:76:7c:16:e4:fb:26:51:
            d6:47:9f:f6:13:9c:95:70:2a:b7:a3:49:c9:23:e1:f4:02:31:
            00:9b:36:13:eb:9b:7b:b2:86:4a:e3:9e:77:d4:fd:56:c4:5c:
            da:01:c8:da:74:62:d4:b1:07:51:df:99:67:41:89:2b:82:ea:
            f6:ec:d1:e4:dc:73:72:09:69:66:85:35:ed

    Not sure what you do differently... are you sure that you don't get an EC?

    Ultimately, you should be able to generate the key and CSR outside of NetEdit, then import the signed certificate (+chain) and keys.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your HPE Aruba Networking partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact HPE Aruba Networking TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or HPE Aruba Networking.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 3.  RE: Netedit - CERT CSR with ECDSA instead of RSA

    Posted Feb 26, 2025 02:25 AM
    Edited by snoopy78 Feb 26, 2025 05:45 AM

    Hi Thomas,

    Thank you for your info. It's the same as I did, however the result is different.

    neadmin@netedit-server:~$ sudo /opt/netedit/jre/bin/keytool -keystore /opt/netedit/config/appKeystore.p12 -certreq -alias tomcat -dname 'CN=netedit, OU=xx, O=yy,L=zz, C=DE' -ext san=dns:FQDN,ip:IP -file /opt/netedit/config/neteditapp.csr
    Enter keystore password:
    neadmin@netedit-server:~$ sudo /opt/netedit/jre/bin/keytool -printcertreq -file /opt/netedit/config/neteditapp.csr
    PKCS #10 Certificate Request (Version 1.0)
    Subject: CN=netedit, OU=xx, O=yy, L=zz, C=DE
    Format: X.509
    Public Key: 4096-bit RSA key
    Signature algorithm: SHA384withRSA
     
    Extension Request:

    Maybe Aruba is using an outdated keygen tool within their Netedit appliance, which may cause this behavior...

    UPDATE:

    Interesting... when I do not use the keystore from Netedit, I do get a correct cert CSR...
    neadmin@netedit-server:~$ sudo /opt/netedit/jre/bin/keytool -printcertreq  -file /opt/netedit/config/neteditapp2.csr
    PKCS #10 Certificate Request (Version 1.0)
    Subject: CN=netedit, OU=xx, O=yy, L=zz, C=DE
    Format: X.509
    Public Key: 384-bit EC (secp384r1) key
    Signature algorithm: SHA384withECDSA
    UPDATE #2:

    When I sign the CSR, which I created without the tomcat linking, I do get a valid cert which I can then install in the system, HOWEVER!! Netedit's tomcat can't use it at all, since the keys don't match. Which is correct, since the CSR wasn't linked to tomcat too....

    Let's see what Aruba Support can say here, since it seems an issue with the tomcat version possibly.

    BR

    Marcus
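To verify what a CSR actually carries before it goes to the CA (the check Herman does with openssl and Marcus with keytool -printcertreq above), here is an added stdlib-only Python inspector; it is not code from this thread or from NetEdit. It parses the PKCS#10 structure directly, and constructed_csr builds unsigned sample requests with dummy key bytes, one EC P-384 and one RSA-4096 (the shape Marcus got from the tomcat alias), so it runs offline.

```python
"""Added example: stdlib-only PKCS#10 inspector (key type, curve/bits, signature alg). OIDs are raw DER bytes."""
import base64, re

EC_KEY, P384 = b"\x2a\x86\x48\xce\x3d\x02\x01", b"\x2b\x81\x04\x00\x22"
RSA_KEY, EC_SIG, RSA_SIG = (b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01",
                            b"\x2a\x86\x48\xce\x3d\x04\x03\x03", b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0c")
NAMES = {EC_KEY: "id-ecPublicKey", RSA_KEY: "rsaEncryption", P384: "secp384r1",
         EC_SIG: "SHA384withECDSA", RSA_SIG: "SHA384withRSA", b"\x2a\x86\x48\xce\x3d\x03\x01\x07": "prime256v1"}

def _tlv(buf, pos=0):  # decode one DER TLV at pos -> (tag, value, position after it)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: the low bits give the number of length octets that follow
        n = length & 0x7F; length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(seq):  # values of the elements inside a constructed DER value, in order
    out, pos = [], 0
    while pos < len(seq):
        _, val, pos = _tlv(seq, pos); out.append(val)
    return out

def inspect_csr(data):
    """Return key and signature algorithm names plus curve (EC) or modulus bits (RSA)."""
    if b"-----BEGIN" in data:  # PEM (what keytool -certreq writes) -> DER
        data = base64.b64decode(re.sub(rb"-----[^-]+-----|\s", b"", data))
    info, sig_alg, _sig = _children(_tlv(data)[1])  # certificationRequestInfo, sigAlg, signature
    alg, key_bits = _children(_children(info)[2])  # subjectPKInfo = {algorithm, subjectPublicKey}
    key_oid, sig_oid = _children(alg)[0], _children(sig_alg)[0]
    out = {"key": NAMES.get(key_oid, key_oid.hex()), "sig": NAMES.get(sig_oid, sig_oid.hex())}
    if key_oid == EC_KEY:  # EC: the algorithm parameter is the named-curve OID
        out["curve"] = NAMES.get(_children(alg)[1], "unknown")
    else:  # RSA: BIT STRING (after its unused-bits byte) wraps SEQUENCE {modulus, exponent}
        out["bits"] = len(_children(_tlv(key_bits, 1)[1])[0].lstrip(b"\x00")) * 8
    return out

def _der(tag, payload):  # encode one DER TLV with minimal length encoding
    if len(payload) < 0x80: return bytes([tag, len(payload)]) + payload
    lb = len(payload).to_bytes((len(payload).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload

def constructed_csr(ec=True):
    """Constructed sample CSR, CN=netedit: EC P-384 or RSA-4096; key bytes and signature are dummies."""
    if ec:  # BIT STRING: unused-bits byte, then a dummy uncompressed point (0x04 || X || Y)
        alg, pub, sig = _der(0x06, EC_KEY) + _der(0x06, P384), b"\x00\x04" + b"\x11" * 96, EC_SIG
    else:  # NULL parameters; 512-byte modulus (= 4096 bits) with leading 0x00 pad; e = 65537
        n = _der(0x02, b"\x00\xc1" + b"\x22" * 511)
        alg, pub, sig = _der(0x06, RSA_KEY) + b"\x05\x00", b"\x00" + _der(0x30, n + _der(0x02, b"\x01\x00\x01")), RSA_SIG
    cn = _der(0x30, _der(0x31, _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x0c, b"netedit"))))
    info = _der(0x02, b"\x00") + cn + _der(0x30, _der(0x30, alg) + _der(0x03, pub)) + _der(0xa0, b"")
    return _der(0x30, _der(0x30, info) + _der(0x30, _der(0x06, sig)) + _der(0x03, b"\x00" * 9))
```

The key type and size alone do not prove the CSR came from the intended keystore entry; comparing its public key with the one under the tomcat alias is what rules out the mismatch Marcus describes.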