I am having trouble implementing a CA for the web interfaces on some of my HP switches (firmware YB.16.02.0016, type ProCurve (or Aruba, as they are called nowadays?) 2530).
When installing the leaf cert I’m getting the message “Certificate being installed is not signed by the TA certificate.” And I can assure you it IS signed by the TA certificate.
What am I missing/doing wrong? Below the step by step actions.
These switches require a TA-profile etc.
So I created a TA profile:
crypto pki ta-profile netwerk
I created an Identity profile:
crypto pki identity-profile Domijn subject
Enter Common Name(CN) : sw1113
Enter Org Unit(OU) : Domijn
Enter Org Name(O) : ITwoon
Enter Locality(L) : Enschede
Enter State(ST) : Overijssel
Enter Country(C) : NL
I am using openssl to create my own CA plus leaf certs.
Loaded my root cert as TA:
copy tftp ta-certificate netwerk 10.10.1.60 netwerkCA2.crt
00000K Transfer is successful
Created a CSR:
crypto pki create-csr certificate-name sw1113 ta-profile netwerk usage web subject common-name sw1113 key-size 2048
-----BEGIN CERTIFICATE REQUEST-----
MIIBUDCBugIBADARMQ8wDQYDVQQDEwZzdzExMTMwgZ8wDQYJKoZIhvcNAQEBBQADg
........
oWFs5AWt+318e+W48gs7y7q60GBnkZ8dc5YgxLoHFsytih5bpsoWABQQABDZBFEqN
Pt9ahBS+zhSPrzM02ESYPXwmK/LOsVxbqnNPTHjg9LWcHfYQ3Lw51GrmKYuHRlCA=
=
-----END CERTIFICATE REQUEST-----
I create the leaf cert, signed by the root cert, with openssl, and when installing it strange things happen:
crypto pki install-signed-certificate
Paste the certificate here and enter:
-----BEGIN CERTIFICATE-----
MIIEcTCCA1mgAwIBAgIBATANBgkqhkiG9w0BAQUFADCBlzELMAkGA1UEBhMCTkwx
EzARBgNVBAgTCk92ZXJpanNzZWwxETAPBgNVBAcTCEVuc2NoZWRlMQ8wDQYDVQQK
EwZEb21pam4xDzANBgNVBAsTBklUd29vbjEbMBkGA1UEAxMSbmV0d2VyayBDQTIg
.....................
jzT6hlcVoUVTU1xuaLgVJVPFq6/PmEkF7/ExRr1W6smq40VdodswiPnoqj0w3yxp
r1p6t1hp3rRqv/W1hexk/wSy5Z9e8Du9vCUx7UOfSvSVIkqa8pAkjE8WPrkav//4
+ZBNVVKuh2appFkJWXhAsJv3TOULCXI5DC+AwilwCpu56owAzA==
-----END CERTIFICATE-----
Certificate being installed is not signed by the TA certificate.
And there we are!!
Admittedly, while signing the leaf cert, I enrich the leaf cert with all kinds of stuff:
Alternate names, CDP etc. But that should not be a problem, as far as I know…
To be complete, both certs:
Any assistance would be very much appreciated.
#certificate
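Two checks that can be run with openssl off the switch before pasting a leaf cert, as an added example that is not part of the original post: does the leaf verify under the CA certificate loaded as TA, and does it carry the same public key as the CSR it is supposed to answer. The file names are hypothetical and the fixture is constructed with throwaway keys (ca.crt stands in for netwerkCA2.crt, sw.csr for the CSR printed by create-csr); it does not reproduce whatever the switch firmware checks internally.

```shell
#!/bin/sh
# Added example. File names are hypothetical; all keys and certs are throwaway,
# constructed here so the checks run offline.

# check_leaf CA_CERT LEAF_CERT CSR -> prints ok, bad-chain or key-mismatch
check_leaf() {
  cl_ca="$1"; cl_leaf="$2"; cl_csr="$3"
  # 1. Does the leaf's signature verify under the CA certificate?
  openssl verify -CAfile "$cl_ca" "$cl_leaf" >/dev/null 2>&1 \
    || { echo bad-chain; return 1; }
  # 2. Does the leaf carry the public key of the CSR it answers?
  cl_k1=$(openssl req -in "$cl_csr" -noout -pubkey 2>/dev/null)
  cl_k2=$(openssl x509 -in "$cl_leaf" -noout -pubkey 2>/dev/null)
  if [ -z "$cl_k1" ] || [ "$cl_k1" != "$cl_k2" ]; then
    echo key-mismatch; return 1
  fi
  echo ok
}

# make_fixture DIR: constructed CA, an unrelated CA, a CSR and a leaf signed from it
make_fixture() {
  mf_d="$1"
  # Minimal config so both CA certs get basicConstraints CA:TRUE
  printf '[req]\ndistinguished_name=dn\nx509_extensions=v3\n[dn]\n[v3]\nbasicConstraints=critical,CA:TRUE\n' \
    > "$mf_d/ca.cnf"
  for mf_n in ca other; do
    openssl req -x509 -config "$mf_d/ca.cnf" -newkey rsa:2048 -nodes -days 2 \
      -subj "/CN=example $mf_n" -keyout "$mf_d/$mf_n.key" \
      -out "$mf_d/$mf_n.crt" 2>/dev/null
  done
  # Stands in for the CSR the switch prints after create-csr
  openssl req -new -config "$mf_d/ca.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=sw1113" -keyout "$mf_d/sw.key" -out "$mf_d/sw.csr" 2>/dev/null
  # Leaf signed by the constructed CA
  openssl x509 -req -in "$mf_d/sw.csr" -CA "$mf_d/ca.crt" -CAkey "$mf_d/ca.key" \
    -set_serial 1 -days 2 -out "$mf_d/sw.crt" 2>/dev/null
}
```

With real files the call is check_leaf followed by the CA certificate, the signed leaf and the CSR saved from the switch, all in PEM.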