If you operate a Netgear switch in an environment that is subject to compliance requirements such as PCI or HIPAA, you are probably doing vulnerability scans, and the HTTP management interface of your switches will generate medium vulnerabilities (at least from Nessus):
- SSL Self-Signed Certificate
- SSL Certificate Cannot Be Trusted
- SSL Certificate Expiry
It IS possible to use signed certificates to secure the HTTPS interface on a Netgear switch, but the process to do so is insanely obscure. I do not know how someone had time to figure this out! Apparently, even Netgear tech support didn’t have any idea.
Step 1: Prepare SSL/TLS Certificate Files
The descent into madness begins here. The M4200/4300 requires exactly TWO files in .pem format:
First PEM File
The first file must include the PRIVATE KEY, the SERVER’s certificate, and the CHAIN or BUNDLE certificates, in that specific order. This is the only time I have ever seen a web server require the private key in the same file as certificates. Example:
-----BEGIN RSA PRIVATE KEY----- the private key goes here -----END RSA PRIVATE KEY----- -----BEGIN CERTIFICATE----- your server/domain's certificate goes here -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- chain cert 1 -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- chain cert 2 -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- possible additional chain certificate -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- possible additional chain certificates -----END CERTIFICATE-----
Second PEM File
The second PEM file must contain the Certificate Authority’s (CA’s) root certificate. You will probably have to download this file from the CA, since it is not usually included in the download bundle. For example, for a GoDaddy cert, go to https://ssl-ccp.godaddy.com/repository and get the appropriate root cert (for me, gdroot-g2.crt).
Uploading SSL/TLS Certificates to the Switch
First, make sure that HTTPS is disabled.
The process to get these two files onto the switch via the web interface is also crazy. I don’t recommend using TFTP at all, because it has ZERO security. In the HTTP interface, go to the Maintenance tab, then select Upgrade. From the left menu, select “HTTP File Upgrade.” From the “File Type” dropdown, select “SSL Server Certificate PEM File.” Click “Browse” and select the first file. Then, scroll all the way over to the right, and click “Apply.”
From the dropdown, select “SSL Trusted Root Certificate PEM File,” and select the CA root PEM file. Click “Apply” again.
Go to the Security tab and select the Access sub-tab. Select HTTPS->Certificate Management from the left menu. If everything has gone right, you will see “Yes” just to the right of “Certificate Present.” Enable the HTTPS interface, and navigate to the switch using the domain covered by the SSL certificate.
Do NOT disable HTTP until you are sure HTTPS is working correctly! Then, disable HTTP access.