
Author Topic: SSL Certificates for a Nortel Contivity 1010  (Read 892 times)


Offline TheKingSlacker

SSL Certificates for a Nortel Contivity 1010
« on: July 08, 2010, 03:45:59 PM »
Hello all,

I've wasted enough time trying this on my own... I figure it's time to ask the forums.

I'm trying to create self-signed certificates using OpenSSL for a Contivity 1010. It appears that I need to have a cert installed so that I can connect via HTTPS on the public interface. The unit is running ver 6_05.

Whenever I try to import the "Trusted CA Cert" I get an error message like "BER encoding error" or "invalid RSA Key".

I'm sure that I'm missing something simple.. Any help would be great!

TIA

TheKing ???


Online Michael McNamara

Re: SSL Certificates for a Nortel Contivity 1010
« Reply #1 on: July 08, 2010, 04:51:06 PM »
You need to do a few things... first you need to generate a CSR request from the C1010, then you need to sign that request with a certificate authority (I just use a local installation of OpenSSL), then you need to install both the trusted root CA and the signed certificate into the C1010. Once you've done that you can associate the certificate to the management interface from Services -> SSL TLS.

Before you start anything make sure that the date/time are set correctly on the C1010 along with the server where you'll be signing the certificates. With the date/time set correctly you can proceed.

When you generate the CSR request make sure that you select the "Generate OpenSSL CA compatible request" option.

When you import the trusted root CA make sure that it's in a PKCS#7 Base-64 format and make sure to un-select the option "Key Usage Extension Required". After you have the trusted root CA installed you can install the signed certificate.

Good Luck!
If you've found this site useful and helpful, please help me spread the word. Link to us in your blog or homepage or Tweet about us! - Thanks!

Offline TheKingSlacker

Re: SSL Certificates for a Nortel Contivity 1010
« Reply #2 on: July 09, 2010, 10:05:36 AM »
I guess... I'm clueless on how to successfully create the necessary certs with OpenSSL. I'm ready to chuck that box out the window. I can't even seem to get the trusted CA certificate generated that the Contivity will take...

Here are the commands that I used to try to create the cert:

  openssl req -config openssl.cnf -new -x509 -extensions v3_ca -keyout private/myca.key -out certs/myca.crt -days 3650

Then to convert it to PKCS7:

  openssl crl2pkcs7 -nocrl -certfile certs/myca.crt -outform DER -out certs/myca.p7c

Then when I try to import it on the Contivity, I get a "RSA: Invalid input data" error message.

I can't believe how much time I've wasted on something that should be so simple..

Can someone spare a brother some openssl commands..

TIA ,

TheKing



Online Michael McNamara

Re: SSL Certificates for a Nortel Contivity 1010
« Reply #3 on: July 09, 2010, 12:45:19 PM »
Hahaha... sorry... no need to throw the box out the window...

How have you set up OpenSSL? Are you using the Makefile?

You spoke above about making the cert? Unless you are talking about initializing the root CA, you don't need to make any certs. You just need to import the root-ca.pem file into the C1010, you need to generate a CSR from the C1010, sign it with the CA and then import the signed CSR back into the C1010.

Have a look here for information on how to set up your CA on a Linux server. I created a directory in /usr/local/ca and I work from there. Assuming you have all the OpenSSL software/packages installed you should be able to just perform a "make init" to build the initial root CA. Then just place the CSR files in the directory and issue a "make sign" to sign the certificates, you can find the newly signed certificates in the same directory with a .cert designation.

Here's the command the Makefile uses to generate the root CA certificate:

  # NOTE use "-newkey rsa:2048" if running OpenSSL 0.9.8a or higher
  @openssl req -nodes -config openssl.cnf -days 3650 -x509 -newkey rsa:2048 -out ca-cert.pem -outform PEM


Good Luck!
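The workflow described in the replies above (root CA, PKCS#7 Base-64 copy of the root for import, signing a CSR), as an added example that is not part of the original thread or the Makefile it mentions. The file names, subject names, the minimal config and the locally generated stand-in CSR are assumptions made for illustration; on a real unit the CSR comes from the C1010 itself.

```shell
#!/bin/sh
# Added example: local OpenSSL CA workflow for a device-generated CSR.
# Every function takes a working directory as $1. Names are constructed.

# Minimal config so the example does not depend on a system openssl.cnf.
# No keyUsage extension is set on the CA (assumption), which matches
# un-selecting "Key Usage Extension Required" on import.
write_cfg() {
cat > "$1/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Example Lab Root CA
[v3_ca]
basicConstraints = critical,CA:TRUE
subjectKeyIdentifier = hash
EOF
}

# 1. Root CA: self-signed, RSA 2048, PEM output (options as in the Makefile line).
#    -nodes leaves ca-key.pem unencrypted, so restrict access to it.
make_root_ca() {
  write_cfg "$1" &&
  openssl req -nodes -config "$1/ca.cnf" -days 3650 -x509 -newkey rsa:2048 \
    -keyout "$1/ca-key.pem" -out "$1/ca-cert.pem" -outform PEM 2>/dev/null &&
  chmod 600 "$1/ca-key.pem"
}

# 2. Wrap the root CA as PKCS#7 in Base-64 (PEM output, not DER) for import.
make_p7b() {
  openssl crl2pkcs7 -nocrl -certfile "$1/ca-cert.pem" \
    -outform PEM -out "$1/ca-cert.p7b"
}

# Stand-in for the CSR the C1010 would generate (constructed test input).
make_sample_csr() {
  openssl req -new -nodes -config "$1/ca.cnf" -newkey rsa:2048 \
    -subj "/CN=c1010.example.test" \
    -keyout "$1/dev-key.pem" -out "$1/device.csr" 2>/dev/null
}

# 3. Sign the CSR with the root CA, then confirm the chain verifies.
sign_csr() {
  openssl x509 -req -in "$1/device.csr" -CA "$1/ca-cert.pem" \
    -CAkey "$1/ca-key.pem" -CAcreateserial -days 365 -sha256 \
    -out "$1/device.cert" 2>/dev/null &&
  openssl verify -CAfile "$1/ca-cert.pem" "$1/device.cert"
}
```

Call the functions in order against an empty directory; `ca-cert.p7b` is the trusted root to import and `device.cert` is the signed certificate.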