Generate SSL Certificate for Network Device (Switch/Appliance)
Need some help figuring out what kind of certificate to generate for some HP Procurve switches. In the past we've just generated a self-signed certificate and were able to manage them via a browser no problem. Now most browsers dont like these kind of certificates.
We tried generating a cert but it requires a host and domain name. coreswitch.domain.com
We browse to these devices via https://xxx.xxx.xxx.xxx so the cert is valid but doesn't match the address we're browsing to and we get a certificate warning.
Is there a way to base it off the IP address of the device? Or do i need to create a dns entry for these devices?
We tried generating a cert but it requires a host and domain name. coreswitch.domain.com
We browse to these devices via https://xxx.xxx.xxx.xxx so the cert is valid but doesn't match the address we're browsing to and we get a certificate warning.
Is there a way to base it off the IP address of the device? Or do i need to create a dns entry for these devices?
Do more with
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
you can base it off the ip - just put the ip in the CN field - or if you want to get fancy, you can use a Subject Alternative Name (SAN) certificate, and put in more than one target.
assuming XCA (because I do tend to assume that :D) you would create a CA as usual, and when creating the server certificate, on the Extensions tab, click the "edit" next to Subject Alternative Name, and ADD there a DNS line (with the fully distinguished name) AND an IP line (with the IP address) - there is no limit on how many you can add, so feel free to add more, to cover more than one device.
assuming XCA (because I do tend to assume that :D) you would create a CA as usual, and when creating the server certificate, on the Extensions tab, click the "edit" next to Subject Alternative Name, and ADD there a DNS line (with the fully distinguished name) AND an IP line (with the IP address) - there is no limit on how many you can add, so feel free to add more, to cover more than one device.
cool. it isn't that hard a process; if you are doing a two level (CA and server certs) you need the CA cert in the browser to verify the server cert; XCA can do SAN as a self-signed, but as you say, browsers tend to complain a bit about those.
If you have any specific questions, go ahead and post them here :D
If you have any specific questions, go ahead and post them here :D
Premium Content
You need an Expert Office subscription to comment.Start Free Trial