Own certificate on GS1920 or GS1900-10HP

elagelag Member Posts: 6  Freshman Member
I have 2 GS1920-24 switches and one GS1900-10HP. I would like to install own certificates on these as HTS is enabled on the domain under which these switches reside. How can I install my own certificates so I don't get locked out as the default self signed certificates are not accepted?


  • Zyxel_JasonZyxel_Jason Zyxel Official Agent Posts: 102  mod
    Hi @elag,

    Welcome to Zyxel community!

    For current design, our switch doesn't support to install certificate on it.
    Why do you need to install your certificate on the switch? Did you already got locked out because of the switches?
    May you also explain HTS in full name?

  • CrazyTacosCrazyTacos Member Posts: 53  Ally Member
    Normally, an untrusted certificate just causes an additionally dialogue when accessing with HTTPS. 
    Below is an example from Google Chrome:

    You can still access the device by clicking the "Proceed to X.X.X.X (unsafe)".

    Were you able to create a network policy that forces clients to only HTTPS access trusted certificates?
  • elagelag Member Posts: 6  Freshman Member
    Re. HSTS: https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security (sorry I made a typo in my original mail).

    An excerpt from that page:

    When a web application issues HSTS Policy to user agents, conformant user agents behave as follows:[11]

    1. Automatically turn any insecure links referencing the web application into secure links. (For instance, http://example.com/some/page/ will be modified to https://example.com/some/page/ before accessing the server.)
    2. If the security of the connection cannot be ensured (e.g. the server's TLS certificate is not trusted), show an error message and do not allow the user to access the web application.[12]

    I have enabled this on my web server (https://www.fazant.net) that also reacts on https://fazant.net.
    This actually results in  hsts being applied to all hosts and subdomains under fazant.net.
    I accessed my fazant.net domain using https once.
    So if I now try to access my switches over https, firefox denies me access without the possibility for the override (as secure https is required for the whole domain, so no self signed certificates as per 2 above).
    Http access to anything under the fazant.net domain is automatically mapped to https, again without override (as per 1 above).
    This could  easily be  remedied when I could load own certificates on the switches (which is more reliable anyhow).
    Is the option for adding certificates planned for the firmware of these switches? Not being able to use proper signed certificates should be possible on professional gear...

  • Zyxel_JasonZyxel_Jason Zyxel Official Agent Posts: 102  mod
    Hi @elag,

    The picture below is my local test in my office to use Firefox accessing GS1920 via HTTPS:
    You may follow step 1 and 2 to add the exception in your Firefox browser.

    I have found the page about the error message for you: https://support.mozilla.org/en-US/kb/what-does-your-connection-is-not-secure-mean

    An excerpt from the page:
    "Self-signed certificates make your data safe from eavesdroppers, but say nothing about who the recipient of the data is. This is common for intranet websites that aren't available publicly and you may bypass the warning for such sites."

    May you add exception in your Firefox browser to let you access the switch under your fazant.net domain?

  • Zyxel_JasonZyxel_Jason Zyxel Official Agent Posts: 102  mod
    Hi @elag,

    Just want to follow up on this topic.
    Do you add exception in your browser to access the switch under your network domain successfully?
    Keep us posted to get more support for you.


  • elagelag Member Posts: 6  Freshman Member
    Yes, I did add exceptions for the switches in the browser. That works fine and I can contact the switches.
    But as soon as I visit the website via the main domain of where the switches are located, the browser ignores the exception and simply denies me access. Only when I manually remove the HTS setting for the domain (for firefox in SiteSecurityServiceState.txt in  the default profile) the browser allows access again.  So I know how to get access by hacking the firefox profile outside the browser. I can probably find some other hacks to completely disable hsts, but I am not happy having to disable security features in the browser.
    I have for now removed the directive to include subdomains from the server settings on the main domain. That should solve it for now. Having the possibility to use own certificates on the switches remains my only wish for the zyxel switches.

    Thanks for your interest

  • Zyxel_JasonZyxel_Jason Zyxel Official Agent Posts: 102  mod
    Hi @elag,

    I will open a new discussion in the Idea section.
    The new feature for importing own certificate in Zyxel switch will be in our future route map.

    One more thing I need to tell you, this feature will be added in Zyxel switch except GS1900 because it is an entry level managed switch.

    Hope it helps.
  • elagelag Member Posts: 6  Freshman Member
    Thanks for doing this Jason, much appreciated. I understand the limitation for the GS9100
    This certainly helps!
  • PassainPassain Member Posts: 1  Freshman Member
    Hi,  will this happen any time soon?
  • Zyxel_JasonZyxel_Jason Zyxel Official Agent Posts: 102  mod
    Hi @Passain,

    The feature " Import own certificate in Zyxel switch " is already on our future queue list, so it will be included in the future firmware release.

    Hope it help.
Sign In to comment.