January 2024 note: I received two reports saying that recent firmware versions support importing certificates via the web interface. The described workaround using telnet hasn't been working for years.
This document is provided as-is without any warranty. The author is and will not be responsible for any damages that may occur due to its use.
The management side of the Zyxel GS1900 Ethernet switch series uses a Linux kernel in combination with a Busybox-based userland. By default only a web interface is enabled for administration. HTTP over TLS (often called HTTPS) can be enabled, but neither the key nor the certificate can be configured via the web interface. This document describes how to install a custom RSA key and X.509 certificate on a Zyxel GS1900 series switch. The instructions were tested on a GS1900-24 model running firmware version “V2.00(AAHL.2)”.
The caveat of this approach is that the key, as well as any passwords, has to be transmitted over an unencrypted network connection. As of this writing the author is not aware of any other method, though. It may be sensible to connect directly to the switch rather than via any intermediate devices.
As usual, a configuration backup should be made before starting. In case anything goes wrong and all configuration interfaces become unavailable, the switch has to be restored to factory defaults.
Enable Telnet and acquire root shell
Jan Tore Morken has documented how to enable the Telnet daemon. I'm reproducing the important steps:
- Log into the web interface using a web browser
- Navigate to /cgi-bin/dispatcher.cgi?cmd=538
- Select “enabled” for Telnet and apply the changes
- Connect via Telnet, i.e.
  telnet 192.0.2.1
  and log in; the username and password are the same as for the web interface
- Acquire root shell:
  # ping -h;sh${IFS}-a${IFS}telnet
Install RSA key and X.509 certificate via Telnet
The author used a variation of the command shown below to generate a new RSA key with a length of 4096 bits and a self-signed certificate with a validity of one year. The key and certificate should be generated on a separate machine as the version on the switch is very old. Naturally a certificate signed by a certificate authority (CA) may also be used.
$ openssl req -batch -x509 -nodes -newkey rsa:4096 -days 365 \
    -keyout switch.key -out switch.pem -subj '/CN=switch.domain.tld'
On the switch the key and certificate are stored in /mnt/ssh/ssl_key.pem and /mnt/ssh/ssl_cert.pem respectively. There are only a few programs available in the userland, and there is no text editor at all; instead files have to be written using cat. When the root shell is opened as described before, ^D (Ctrl-D; end of file) does not work. Fortunately it can be enabled using stty.
- Enable ^D:
  # stty icanon
- Write the RSA key to a new file:
  # cat > /mnt/ssh/ssl_key.pem.new
  Now paste the key in PEM format into the terminal and terminate cat with ^D. Verify whether the file has been written in full:
  # cat /mnt/ssh/ssl_key.pem.new
  The contents must start with -----BEGIN PRIVATE KEY----- and end with -----END PRIVATE KEY-----.
- Repeat the process for the X.509 certificate:
  # cat > /mnt/ssh/ssl_cert.pem.new
  Paste the certificate in PEM format into the terminal and terminate cat with ^D. Verify again:
  # cat /mnt/ssh/ssl_cert.pem.new
  The contents must start with -----BEGIN CERTIFICATE----- and end with -----END CERTIFICATE-----.
- Once the files have been written they can be moved into place:
  # mv /mnt/ssh/ssl_key.pem.new /mnt/ssh/ssl_key.pem && \
      mv /mnt/ssh/ssl_cert.pem.new /mnt/ssh/ssl_cert.pem
- Leave the root shell using ^D or exit. Now the configuration shell is active again.
- Enter configuration mode:
  # configure
- Disable and re-enable HTTPS for the web interface:
  # no ip https
  # ip https
- HTTPS should now use the custom key and certificate. It's imperative to ensure everything works as desired before proceeding further.
- Optional: if desired, the plaintext HTTP protocol can be disabled once HTTPS works:
  # no ip http
- Leave configuration mode:
  # exit
- Save the configuration to flash storage:
  # save
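The "must start with / end with" checks from the procedure above, plus a test that the key really belongs to the certificate generated with the openssl command, as an added shell example (not part of the original write-up). It assumes a workstation with POSIX tools and optionally openssl; the sample PEM body it constructs is not a real key.

```shell
#!/bin/sh
# Added example, not from the original page: sanity-check PEM files before
# pasting them into "cat" on the switch. A paste into a telnet session can be
# cut short or pick up stray terminal characters and the switch gives no
# feedback, so check the framing and that key and certificate match.

# pem_complete FILE LABEL
# 0: FILE starts with "-----BEGIN LABEL-----", ends with "-----END LABEL-----"
#    and every line in between is plain base64; 1 otherwise.
pem_complete() {
    _f=$1 _l=$2
    [ -s "$_f" ] || return 1
    _first=$(head -n 1 "$_f")
    _last=$(grep -v '^[[:space:]]*$' "$_f" | tail -n 1)
    [ "x$_first" = "x-----BEGIN $_l-----" ] || return 1
    [ "x$_last" = "x-----END $_l-----" ] || return 1
    # any body line that is not base64 means the paste was corrupted
    if grep -v '^-----' "$_f" | grep -qv '^[A-Za-z0-9+/=]*$'; then
        return 1
    fi
    return 0
}

# key_matches_cert KEY CERT
# 0: public key derived from KEY equals the one embedded in CERT;
# 1: mismatch or unreadable file; 2: openssl not installed (check skipped).
# Run on the machine that generated the files, not on the switch.
key_matches_cert() {
    command -v openssl >/dev/null 2>&1 || return 2
    _k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    _c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || return 1
    if [ -n "$_k" ] && [ "$_k" = "$_c" ]; then return 0; fi
    return 1
}

# Constructed sample input (not a real key): a well-framed file and a
# truncated copy, as would result from a paste that was cut short.
SAMPLE_DIR=${TMPDIR:-/tmp}/gs1900-pem-check.$$
mkdir -p "$SAMPLE_DIR"
printf '%s\n' '-----BEGIN PRIVATE KEY-----' \
    'MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC7' 'AAAA' \
    '-----END PRIVATE KEY-----' > "$SAMPLE_DIR/ok.pem"
head -n 2 "$SAMPLE_DIR/ok.pem" > "$SAMPLE_DIR/truncated.pem"

if pem_complete "$SAMPLE_DIR/ok.pem" "PRIVATE KEY"; then echo "ok.pem: complete"; fi
if ! pem_complete "$SAMPLE_DIR/truncated.pem" "PRIVATE KEY"; then echo "truncated.pem: incomplete"; fi
```

Only the framing check is feasible on the switch itself, and even that depends on which Busybox applets the firmware ships; run both functions on the workstation holding the files.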