August 26, 2018 at 6:09 pm #370UK SentinelModerator
- Posts 3395
@xxxxxx recently installed an SSL certificate to his RT-AC87U router, and he thought it might be useful to share a tutorial of the whole process. The objective is to get that coveted “green icon” in the address bar showing that you have a valid and secure HTTPS connection to your router.
I use the ASUS dynamic DNS feature to get a public URL to access my router, so my end-goal was to create a trusted certificate for myrouter.asuscomm.com.
Note: If you want a secure connection to your router from ANY random computer, you have no other option than to install a certificate that was issued by an official/public certificate authority like Let’s Encrypt. The downside of free certificates provided by such authorities is that they typically expire after 3 months. Given that AsusWRT does not have a built-in utility for automated renewal of a certificate, you would need to repeat the certificate installation quite frequently. I personally only need to access my router from my own laptop, so for my purposes a self-signed root certificate will do just nicely.
Disclaimer: I did not come up with this procedure. I am just restating (sometimes literally) and organizing information that I found elsewhere, specifically:
– This very useful post about creating a self-signed certificate
– This thread on GitHub
Step 1: Download and install free OpenSSL utility
You can find it here. Install either the 64-bit or 32-bit version depending on your OS version. Install both the 1.02 Light version as well as the 1.1.0e Light version.
Step 2. Create a private root CA key
The first step is to generate a private root key. The example below creates a 2048 bit key:
openssl genrsa -out MyRootCA.key 2048
The standard key sizes today are 1024, 2048, and to a much lesser extent, 4096. Go with 2048, which is what most people use nowadays (4096 is usually overkill and key length is 5 times more computationally intensive than 2048, and people are transitioning away from 1024). Obviously you should keep this private key very private.
You can optionally password-protect the key by adding -des3:
openssl genrsa -des3 -out MyRootCA.key 2048
If you go this optional route, you will be prompted to provide a password. From then on, you will be challenged for this password whenever you use the key.
Step 3. Self-sign the private root certificate
Execute this command:
openssl req -x509 -new -nodes -key MyRootCA.key -sha256 -days 1024 -out MyRootCA.pem
You can pick your own name for “MyRootCA” and specify any number of days (e.g. 3652 for 10 years). This will start an interactive script, which will ask you for various bits of information. Fill it out as you see fit:
You are about to be asked to enter information that will be incorporated into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.’, the field will be left blank.
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:YourCountry
Locality Name (eg, city) :YourCity
Organization Name (eg, company) [Internet Widgits Pty Ltd]:YourName Root CA
Organizational Unit Name (eg, section) :IT
Common Name (eg, YOUR name) :YourName Root CA
Email Address :firstname.lastname@example.org
Once done, this will create a signed SSL root certificate called MyRootCA.pem, valid for the specified number of days.
Step 4. Install root certificate into one or more workstations
For laptops/desktops/workstations, you will need to install the root certificate into your trusted certificate repository. Some browsers – such as Chrome, Opera and IE – use the default operating system repository. Issue the following commands to install the root certificate:
certutil –addstore -enterprise –f “Root”< pathtocertificatefile>
This will add the certificate to the Trusted Root Certification Authorities store. If you want to add an Intermediate Certification Authority, replace “Root” with “CA”. To add to your Personal store, change it to “My”.
The above command adds the certificate to the Local Computer store. To add to the User store remove the -enterprise from the command line:
certutil –addstore –f “Root”< pathtocertificatefile>
The -f in the command simply forces an overwrite in case the certificate already exists in the store.
For installing the certificate in FireFox on Windows, go to Options> Advanced> Certificates> View Certificates, select the “Authorities” tab and Import the MyRootCA.pem file.
Step 5. Create a certificate for your router
This example assumes that your router’s hostname is router.asuscomm.com. Generate a private key with the following command:
openssl genrsa -out router.asuscomm.com.key 2048
Once the key is created, you will generate a “certificate signing request”:
openssl req -new -key router.asuscomm.com.key -out router.asuscomm.com.csr
You will be asked various questions (Country, State/Province, etc.). Answer them how you see fit. The important question to answer though is common-name:
Common Name (eg, YOUR name) : router.asuscomm.com
Whatever you see in the address field in your browser when you go to your device must be what you put under common name, even if it is an IPv4 or IPv6 address. If it does not match, the certificate will not validate correctly and you will get the “cannot verify authenticity” error.
The next step is to sign the CSR, which requires the CA root key.
openssl x509 -req -in router.asuscomm.com.csr -CA MyRootCA.pem -CAkey MyRootCA.key -CAcreateserial -out router.asuscomm.com.crt -days 500 -sha256
This creates a signed certificate called router.asuscomm.com.crt, which is valid for 500 days (you can adjust the number of days of course, although it does not make sense to have a certificate that lasts longer than the root certificate).
Step 6. Install certificate on router
Log into your router via telnet or SSH, then execute these commands:
#cleanup of existing pem files
#cleanup of existing certificate (twice)
nvram set https_crt_save=0
nvram unset https_crt_file
nvram unset https_crt_file
#install new certificate
nvram set https_crt_save=1
#copy/paste your .crt and .key content into pem files
#save via 2x CTRL-D
cat > cert.pem
cat > key.pem
#restart and generate cert file
nvram get https_crt_file
That’s it, you are done. Optional: install your root certificate on any other computer from which you want to get a secure connection to your router
In a completely sane world, madness is the only freedom (J.G.Ballard).
- You must be logged in to reply to this topic.