Create and install self-signed SSL Certificate and Root CA

    UK Sentinel
    Moderator

    @xxxxxx recently installed an SSL certificate to his RT-AC87U router, and he thought it might be useful to share a tutorial of the whole process.  The objective is to get that coveted “green icon” in the address bar showing that you have a valid and secure HTTPS connection to your router.

    I use the ASUS dynamic DNS feature to get a public URL to access my router, so my end-goal was to create a trusted certificate for myrouter.asuscomm.com.

    Note: If you want a secure connection to your router from ANY random computer, you have no other option than to install a certificate that was issued by an official/public certificate authority like Let’s Encrypt. The downside of free certificates provided by such authorities is that they typically expire after 3 months. Given that AsusWRT does not have a built-in utility for automated renewal of a certificate, you would need to repeat the certificate installation quite frequently. I personally only need to access my router from my own laptop, so for my purposes a self-signed root certificate will do just nicely.

    Disclaimer: I did not come up with this procedure. I am just restating (sometimes literally) and organizing information that I found elsewhere, specifically:
    –         This very useful post about creating a self-signed certificate
    –         This thread on GitHub

    Step 1: Download and install the free OpenSSL utility
    You can find it here. Install the 64-bit or 32-bit build matching your Windows version; a single Light build (1.0.2 or 1.1.0 at the time of writing) is enough for all the commands below. Any Linux or macOS machine that already has the openssl command will do equally well.

    Step 2. Create a private root CA key
    Generate the private root key first. The example below creates a 2048-bit key:
    openssl genrsa -out MyRootCA.key 2048
    Use at least 2048 bits: 1024-bit RSA is deprecated (public CAs stopped issuing it years ago and browsers have dropped 1024-bit roots from their trust stores), while 4096 is rarely needed for a home router and makes every private-key operation several times slower. This root key is the one real secret in the whole setup: anyone who obtains it can issue certificates that every machine trusting your root will accept for any site, so keep it off the router and out of shared folders.
    You can optionally password-protect the key by adding -des3:
    openssl genrsa -des3 -out MyRootCA.key 2048
    If you go this optional route, you will be prompted to provide a password. From then on, you will be challenged for this password whenever you use the key.

    Step 3. Self-sign the private root certificate
    Execute this command:
    openssl req -x509 -new -nodes -key MyRootCA.key -sha256 -days 1024 -out MyRootCA.pem
    You can pick your own name for “MyRootCA” and specify any number of days (e.g. 3652 for 10 years). This starts an interactive script that asks for the Distinguished Name fields; fill them out as you see fit, or skip the prompts by adding -subj "/C=US/O=YourName Root CA/CN=YourName Root CA" to the command:
    You are about to be asked to enter information that will be incorporated into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter ‘.’, the field will be left blank.
    -----
    Country Name (2 letter code) [AU]:US
    State or Province Name (full name) [Some-State]:YourState
    Locality Name (eg, city) []:YourCity
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:YourName Root CA
    Organizational Unit Name (eg, section) []:IT
    Common Name (eg, YOUR name) []:YourName Root CA
    Email Address []:your@email.com

    Once done, this will create a self-signed root certificate called MyRootCA.pem, valid for the specified number of days. This .pem file (and only this file, never the .key) is what you distribute to the machines that should trust your CA.

    Step 4. Install root certificate into one or more workstations
    For laptops/desktops/workstations, you will need to install the root certificate into your trusted certificate repository. Some browsers – such as Chrome, Opera and IE – use the operating system’s store. On Windows, open an elevated (Run as administrator) command prompt in the folder holding MyRootCA.pem and run:
    certutil -addstore -f "Root" MyRootCA.pem
    This adds the certificate to the Trusted Root Certification Authorities store of the Local Computer, so every user and service on that machine will trust it. If you want to add an Intermediate Certification Authority, replace “Root” with “CA”. To add to your Personal store, change it to “My”.

    To add the certificate to the Current User store only (no elevation needed), add -user to the command line:
    certutil -user -addstore -f "Root" MyRootCA.pem
    The -f in the command simply forces an overwrite in case the certificate already exists in the store. You can confirm the import with certutil -store Root (or certutil -user -store Root) and look for your CA’s Common Name.

    Firefox keeps its own certificate store. On Windows, go to Options > Privacy & Security > Certificates > View Certificates (Options > Advanced > Certificates in older versions), select the “Authorities” tab, Import the MyRootCA.pem file and tick “Trust this CA to identify websites” when prompted; without that tick the import succeeds but the router will still show a warning.

    Step 5. Create a certificate for your router
    This example assumes that your router’s hostname is router.asuscomm.com. Generate a private key with the following command:
    openssl genrsa -out router.asuscomm.com.key 2048
    Once the key is created, you will generate a “certificate signing request”:
    openssl req -new -key router.asuscomm.com.key -out router.asuscomm.com.csr
    You will be asked various questions (Country, State/Province, etc.). Answer them how you see fit. The important question to answer though is common-name:

    Common Name (eg, YOUR name) []: router.asuscomm.com

    Whatever you see in the address field of your browser when you go to your device must be what you put under Common Name, even if it is an IPv4 or IPv6 address. If it does not match, the certificate will not validate and you will get the “cannot verify authenticity” error. Be aware that the Common Name alone only satisfies older clients: Chrome (since version 58) and Safari ignore it and require the name (or address) to appear in the certificate’s Subject Alternative Name extension, which the plain signing command below does not add. To include it, pass openssl x509 an -extfile whose contents are subjectAltName = DNS:router.asuscomm.com (use IP:192.168.1.1 for an address, or both separated by a comma).

    The next step is to sign the CSR, which requires the CA root key.

    openssl x509 -req -in router.asuscomm.com.csr -CA MyRootCA.pem -CAkey MyRootCA.key -CAcreateserial -out router.asuscomm.com.crt -days 500 -sha256
    This creates a signed certificate called router.asuscomm.com.crt, which is valid for 500 days (you can adjust the number of days of course, although it does not make sense to have a certificate that lasts longer than the root certificate, and Apple platforms reject server certificates valid for more than 825 days even when they come from a private CA). Add -extfile <file> to this command if you want the Subject Alternative Name discussed above. Before touching the router, check the result with openssl verify -CAfile MyRootCA.pem router.asuscomm.com.crt, which should print “OK”.

    Step 6. Install certificate on router
    Log into your router via SSH (telnet also works if that is all the firmware offers, but it sends the private key you are about to paste across the network in clear text), then execute these commands:
    #cleanup of existing pem files
    cd /etc
    rm *.pem

    #cleanup of existing certificate (twice)
    nvram set https_crt_save=0
    nvram unset https_crt_file
    service restart_httpd
    nvram unset https_crt_file
    service restart_httpd
    rm *.pem

    #install new certificate
    nvram set https_crt_save=1

    #paste the content of router.asuscomm.com.crt into cert.pem and of router.asuscomm.com.key into key.pem
    #end each paste with CTRL-D (press it twice if the pasted text does not end with a newline)
    cat > cert.pem
    cat > key.pem

    #restart and generate cert file
    service restart_httpd
    nvram get https_crt_file

    #done
    reboot

    That’s it, you are done. Optional: install your root certificate (MyRootCA.pem only, never the .key) on any other computer from which you want a secure connection to your router.

    UK Sentinel

    In a completely sane world, madness is the only freedom (J.G.Ballard).
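The certificate side of the procedure (Steps 2 to 5), as an added example script that is not part of the original post: it runs the same key, root and CSR commands non-interactively, signs the router certificate with a Subject Alternative Name so that Chrome and Safari accept it as well as clients that still read the Common Name, and then checks the chain, hostname and IP with openssl verify, which is the test worth passing before pasting anything into the router. The hostname router.asuscomm.com and the LAN address 192.168.1.1 are assumed placeholders, and the subject fields are the same made-up values used in the prompts above; substitute your own DDNS name.

```shell
#!/bin/sh
# Added example (not from the original post): private root CA plus a router
# certificate that carries a subjectAltName, verified the way a browser would.
# Assumed placeholders: router.asuscomm.com and 192.168.1.1.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl not found, nothing to do"; exit 0; }

# Steps 2 and 3: root key and self-signed root certificate (10 years).
# -subj replaces the interactive Distinguished Name prompts; drop -nodes and
# add -des3 to genrsa if you want a passphrase on the CA key.
make_root_ca() {
  openssl genrsa -out MyRootCA.key 2048 2>/dev/null
  openssl req -x509 -new -nodes -key MyRootCA.key -sha256 -days 3652 \
    -subj "/C=US/O=YourName Root CA/CN=YourName Root CA" -out MyRootCA.pem
}

# Step 5 with a SAN: key, CSR and CA-signed leaf for the router.
# $1 = DNS name, $2 = LAN IP; both end up in subjectAltName.
make_router_cert() {
  host=$1; ip=$2
  openssl genrsa -out "$host.key" 2048 2>/dev/null
  openssl req -new -key "$host.key" -subj "/CN=$host" -out "$host.csr"
  # Extension file handed to x509 -req: the SAN is what Chrome/Safari check,
  # the other lines mark this as a TLS server leaf rather than another CA.
  cat > "$host.ext" <<EOF
subjectAltName = DNS:$host,IP:$ip
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
EOF
  openssl x509 -req -in "$host.csr" -CA MyRootCA.pem -CAkey MyRootCA.key \
    -CAcreateserial -days 500 -sha256 -extfile "$host.ext" -out "$host.crt"
}

# What the browser checks: chains to our root AND matches the name/address.
# $1 = certificate file, $2 = expected DNS name, $3 = expected IP.
verify_router_cert() {
  crt=$1; host=$2; ip=$3
  openssl verify -CAfile MyRootCA.pem -verify_hostname "$host" "$crt" >/dev/null &&
  openssl verify -CAfile MyRootCA.pem -verify_ip "$ip" "$crt" >/dev/null
}

# Print the SAN line so it can be eyeballed before cert.pem goes to the router.
show_san() {
  openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name' | tail -n1 | sed 's/^ *//'
}

# Demo run in a scratch directory with the constructed placeholder names.
work=$(mktemp -d)
cd "$work"
make_root_ca
make_router_cert router.asuscomm.com 192.168.1.1
verify_router_cert router.asuscomm.com.crt router.asuscomm.com 192.168.1.1 \
  && echo "chain, hostname and IP verify OK"
show_san router.asuscomm.com.crt
echo "files are in $work: paste router.asuscomm.com.crt into cert.pem and router.asuscomm.com.key into key.pem"
```

The extension file is the only part missing from the page’s signing command; everything else is the same OpenSSL invocation. Keep MyRootCA.key on the machine where you ran this script, and copy only MyRootCA.pem to the workstations that should trust the router.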

UKTechHub.com