Updated: February 3, 2020
The objective of this document is to provide the steps to successfully import a certificate on Sx350 and Sx550X series switches using the Graphical User Interface (GUI) and the Command Line Interface (CLI).
A common problem when importing a certificate on Sx350 and Sx550X switches is that the import fails with a "Key header is missing" and/or a "Failed to load public key" error. This document explains how to get past these errors and import the certificate successfully.
A certificate is an electronic document that identifies an individual, a server, a company, or other entity and associates that entity with a public key. Certificates are used in a network to provide secure access. Certificates can be self-signed or digitally signed by an external Certificate Authority (CA). A self-signed certificate, as the name indicates, is signed by its own creator. CAs manage certificate requests and issue certificates to participating entities such as hosts, network devices, or users. A CA-signed digital certificate is considered industry standard and more secure.
Applicable Devices and Software Version
SG350 version 22.214.171.124
SG350X version 126.96.36.199
SG350XG version 188.8.131.52
SF350 version 184.108.40.206
SG550X version 220.127.116.11
SF550X version 18.104.22.168
SG550XG version 22.214.171.124
SX550X version 126.96.36.199
You must have a self-signed or Certificate Authority (CA) certificate. Steps for obtaining a self-signed certificate are included in this article. To learn more about CA certificates, click here.
Import using GUI
Step 1. Log in to the GUI of the switch by entering your Username and Password. Click Log In.
Step 2. From the Display Mode on the top right side of the GUI, choose Advanced using the drop-down option.
Step 3. Navigate to Security > SSL Server > SSL Server Authentication.
Step 4. Select one of the certificates that is Auto Generated. Select the Certificate ID 1 or 2 and click on the Edit button.
Step 5. To generate a self-signed certificate, on the new pop-up window enable Regenerate RSA Key and enter the following parameters:
Note: You may also create a certificate from a third-party CA.
Step 6. Now you will be able to see the User Defined certificate under the SSL Server Key Table. Select the newly created certificate and click on Details.
Step 7. On the pop-up window you will be able to see the Certificate, Public Key and Private Key (Encrypted) details. You may copy those on a separate notepad file. Click Display Sensitive Data as Plaintext.
Step 8. A pop-up window will open to confirm the display of Private Key as plaintext, click OK.
Step 9. Now you will be able to see the Private Key in plaintext form. Copy that plaintext output on a notepad file. Click Close.
Step 10. Select the newly created User Defined certificate and click Import Certificate.
Step 11. On the new pop-up window, enable Import RSA Key-Pair option and paste the private key (copied in step 9) in plaintext format. Click Apply.
Note: In this example the key word, RSA, is included at the BEGIN and END of the Public Key.
Step 12. You will see the success notification on the screen. You may close this window and save the configuration on the switch.
The errors discussed pertain to the public key. Normally there are two types of public key formats that are used:
1. RSA Public Key file (PKCS#1): This is specific for RSA keys.
It starts and ends with the tags:
-----BEGIN RSA PUBLIC KEY-----
BASE64 ENCODED DATA
-----END RSA PUBLIC KEY-----
2. Public Key file (PKCS#8): This is a more generic key format that identifies the type of public key and contains the relevant data.
It starts and ends with the tags:
-----BEGIN PUBLIC KEY-----
BASE64 ENCODED DATA
-----END PUBLIC KEY-----
Key header is missing error
Scenario 1: You generated the certificate from a third-party CA. You copied and pasted the Public Key and clicked Apply.
You received the message, Error: Key header is missing. Close the window. A few modifications can be made to make this problem disappear.
To fix this error:
Add the key word, RSA, to the beginning of the Public Key: BEGIN RSA PUBLIC KEY
Add the key word, RSA, to the end of the Public Key: END RSA PUBLIC KEY
Remove the first 32 characters from the key code. The highlighted portion shown below is an example of the first 32 characters.
When you apply the settings, you will not get the Key header is missing error in most cases.
Failed to load public key error
Scenario 2: You generated a certificate on one switch and imported it onto another switch. You copied and pasted the Public Key after removing the first 32 characters and clicked Apply.
You got the Failed to load public key error on the screen.
To fix this error, DO NOT delete the first 32 characters of the public key in this case.
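For a 2048-bit key, the 32 characters removed in Scenario 1 are the base64 of a 24-byte wrapper (outer SEQUENCE, RSA algorithm identifier, BIT STRING header) that the generic BEGIN PUBLIC KEY format, an X.509 SubjectPublicKeyInfo structure, places in front of the RSA-specific key; a key that already carries the RSA header, as in Scenario 2, has no wrapper, so cutting it damages the key. The sketch below is an added example, not Cisco code: it parses the pasted key and strips the wrapper only when it is present. All function names and the sample key are constructed for illustration.

```python
import base64

# DER AlgorithmIdentifier for rsaEncryption (OID 1.2.840.113549.1.1.1, NULL parameters)
RSA_ALG_ID = bytes.fromhex("300d06092a864886f70d0101010500")

def der_len(n):
    """Encode a DER length field."""
    if n < 0x80:
        return bytes([n])
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(raw)]) + raw

def read_tlv(buf, pos, tag):
    """Check the tag at pos and return (value_start, value_end)."""
    if buf[pos] != tag:
        raise ValueError(f"expected tag {tag:#04x} at offset {pos}")
    first = buf[pos + 1]
    if first < 0x80:
        return pos + 2, pos + 2 + first
    n = first & 0x7F
    return pos + 2 + n, pos + 2 + n + int.from_bytes(buf[pos + 2:pos + 2 + n], "big")

def b64_body(pem):
    """Base64 text between the BEGIN/END lines, joined into one string."""
    rows = (line.strip() for line in pem.strip().splitlines())
    return "".join(r for r in rows if not r.startswith("-----"))

def to_pem(der, label):
    b64 = base64.b64encode(der).decode()
    rows = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([f"-----BEGIN {label}-----", *rows, f"-----END {label}-----"])

def to_rsa_public_key(pem):
    """Return (PEM with the RSA header, number of wrapper bytes removed)."""
    der = base64.b64decode(b64_body(pem))
    start, end = read_tlv(der, 0, 0x30)                  # outer SEQUENCE
    if end != len(der):
        raise ValueError("truncated or trailing data")
    if der[start] == 0x02:                               # INTEGER first: already a bare RSA key
        return to_pem(der, "RSA PUBLIC KEY"), 0
    _, alg_end = read_tlv(der, start, 0x30)              # AlgorithmIdentifier
    if der[start:alg_end] != RSA_ALG_ID:
        raise ValueError("not an RSA public key")
    bits_start, bits_end = read_tlv(der, alg_end, 0x03)  # BIT STRING
    return to_pem(der[bits_start + 1:bits_end], "RSA PUBLIC KEY"), bits_start + 1

def sample_generic_key(bits):
    """Constructed test input, not a real key: patterned modulus, e = 65537."""
    n, e = b"\x00" + b"\xc3" * (bits // 8), bytes.fromhex("010001")
    body = b"\x02" + der_len(len(n)) + n + b"\x02" + der_len(len(e)) + e
    rsa = b"\x30" + der_len(len(body)) + body
    bitstr = b"\x03" + der_len(len(rsa) + 1) + b"\x00" + rsa
    spki = b"\x30" + der_len(len(RSA_ALG_ID) + len(bitstr)) + RSA_ALG_ID + bitstr
    return to_pem(spki, "PUBLIC KEY")
```

With a 1024-bit key the wrapper is 22 bytes, which does not fall on a base64 boundary, so a fixed 32-character cut does not yield a valid key there; parsing the structure handles every key size.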
Import using CLI
To import a certificate using the CLI, enter the following command.