Configuring a custom HTTPS certificate on a Netgear Switch (e.g. GS724T)

Solution 1

First, this should work on any Netgear firmware with a similar UI, but for reference, this is a GS724Tv4 with firmware 6.3.0.9.

I’m going to assume existing knowledge of how to create a root CA, intermediate CA, and create and sign certificates (if not, see e.g. OpenSSL Certificate Authority). We’ll need the following:

• Root CA certificate (root.cert.pem)
• Intermediate CA certificate (intermediate.cert.pem)
• Server certificate with commonname for the switch (switch.cert.pem)
• Server key corresponding to the server certificate (switch.key.pem)
• DH 1024-bit params, perhaps 2048-bit would be better (dhparams.pem)

Create two files:

• The cert chain: cat root.cert.pem intermediate.cert.pem > ca-chain.pem
• The certificate + key: cat switch.cert.pem switch.key.pem > switch-combined.pem

In the switch’s web UI:

1. Security → Access → HTTPS → HTTPS Configuration → Set “HTTPS Admin Mode” to “Disable”, Apply.
2. Security → Access → HTTPS → Certificate Management → Set “Delete Certificates”, Apply.
3. Maintenance → Download → HTTP File Download
   1. Select “SSL DH Strong Encryption Parameter PEM File”, and choose dhparams.pem, Apply.
   2. Select “SSL Trusted Root Certificate PEM File”, and choose ca-chain.pem, Apply.
   3. Select “SSL Server Certificate PEM File”, and choose switch-combined.pem, Apply.
4. Security → Access → HTTPS → Certificate Management → Verify indicates “Certificate Present: Yes”.
5. Security → Access → HTTPS → HTTPS Configuration → Set “HTTPS Admin Mode” to “Enable”, Apply.

Now you should have working HTTPS with your CA-signed cert.

Solution 2

Do not try to use a 2048 bit DH Strong encryption parameter as it prevented HTTPS Admin Mode from working. The certificate management tab would show that a certificate was present.

However, the GUI interface would give errors about being unable to find some missing functions when attempting to enable HTTPS Admin Mode and while the GUI would show that it was enabled, nothing would listen on the assigned port.

Disabling the HTTPS Admin Mode, deleting the certificates and following the certificate loading sequence above with a 1024-bit DH strong encryption parameter got it to work.

Solution 3

The GS308Tv1 with firmware 1.0.0.12 is different again.

• The "SSL Trusted Root Certificate PEM File" should contain the Server Certificate only.

• The "SSL Server Certificate PEM File" should contain the Intermediate Certificate (optional) followed by the Server Private Key.

If you repeat the Server Certificate in the second file then it will be duplicated in the TLS connection, which is invalid (but still works for self-signed certificates). The Root Certificate should not be uploaded to the switch.

• The "SSL DH Weak Encryption Parameter PEM File" expects 512 bits.
• The "SSL DH Strong Encryption Parameter PEM File" expects 1024 bits.

This switch supports TLSv1.2 and will accept a 4096-bit RSA key as well as the SHA512 signature algorithm (it's just running Linux/OpenSSL/Lighttpd).

I recommend using a 2048-bit RSA key (the same as the automatically generated self-signed certificate) because 4096-bit RSA is 3 times slower to connect and may degrade the performance of the switch.

Related videos on Youtube

11 : 34

How to setup Vlans on a Netgear Switch GS724T

TheComputerTechie

171

11 : 04

vlan netgear managed switch gs724TP setup for Aas Technology

Asa Technology

45

20 : 49

vlan setup - netgear managed switch setup - gs724t (tutorial)

MyPc Support

41

10 : 09

How to Configure Multiple NETGEAR Switches Without Registering | NETGEAR Business

NETGEAR

16

03 : 08

DevOps & SysAdmins: Configuring a custom HTTPS certificate on a Netgear Switch (e.g. GS724T)

Roel Van de Paar

2

08 : 26

Netgear Managed Switch Setup - GS724T - Asa Technologybd

Asa Technology

2

Author by

Andrew Marshall

The question of whether a computer can think is no more interesting than the question of whether a submarine can swim. — E. W. Dijkstra

Updated on September 18, 2022