CA.CRT field is limited to 3499 bytes

siena

Occasional Visitor
Any chance of this increasing?
If not, can I do it myself?
Many VPN providers are now using 2 certificates in ca.crt and they do not fit the present field. I keep getting a TLS handshake error, as the second certificate is cut off.

Does anyone know what the original field size is on asuswrt firmware, to spare me the headache of having to install it to see?
 
Does anyone know what the original field size is on asuswrt firmware, to spare me the headache of having to install it to see?
According to the text above the fields:
Limit: 3999 characters per field
I think it used to be 2999 in Asus 378, but that they raised it to 3999 in their 380 release. The same value is in release/src/router/shared/defaults.c.
 
Any chance of this increasing?

Will be difficult, as values are hardcoded for some router models.

Try using the Extra field to put the second certificate (which is often an intermediate certificate).
 
Will be difficult, as values are hardcoded for some router models.

Try using the Extra field to put the second certificate (which is often an intermediate certificate).
Thank you for replying. I tried that and tried connecting. After it fails with the same error, I open the CA page and the second certificate is no longer in the Extra field, even though I had saved the page.
 
According to the text above the fields:

I think it used to be 2999 in Asus 378, but that they raised it to 3999 in their 380 release. The same value is in release/src/router/shared/defaults.c.
Thank you for your reply. This is a big help.
 
Thank you for replying. I tried that and tried connecting. After it fails with the same error, I open the CA page and the second certificate is no longer in the Extra field, even though I had saved the page.

What firmware version? I believe I fixed that issue some time ago.
 
What firmware version? I believe I fixed that issue some time ago.

380.69_2
on RT-AC87U. The provider, not wanting to reduce the ca.crt file size, is advising to SSH into the router and copy the ca.crt file (which is 3821 characters with spaces) to jffs directly. Do you think this will work or are they just wasting my time, since I have noticed that they do not differentiate between asuswrt and asuswrt-Merlin or do not understand the difference? Should I enable JFFS custom scripts and config in order to do that? The configuration on their website is specifically for asuswrt-Merlin but they do not seem to be very aware that it is different from asuswrt. I do not want to brick my router by trying.
 
on RT-AC87U. The provider, not wanting to reduce the ca.crt file size, is advising to SSH into the router and copy the ca.crt file (which is 3821 characters with spaces) to jffs directly. Do you think this will work or are they just wasting my time, since I have noticed that they do not differentiate between asuswrt and asuswrt-Merlin or do not understand the difference?

It should work, however do not make any change to that client's configuration on the webui, or it will truncate the certificate, requiring you to copy it again to the appropriate JFFS location.

Note that I haven't tested this.
 
It should work, however do not make any change to that client's configuration on the webui, or it will truncate the certificate, requiring you to copy it again to the appropriate JFFS location.

Note that I haven't tested this.
RT-AC87U- 380.69_2
These are the instructions I received:
"quote"
1) login to router via SSH
2) find the folder /jffs/openvpn/ ; then type command "vi vpn_crt_client1_ca" ( if client2 is used, vpn_crt_client2_ca )
3) paste in key larger than 3499 characters and save
Try connecting after that.
"unquote"
If I press enter after "vi vpn_crt_client1_ca", the old cut-off certificate is shown, even though I have deleted it first.
If I put a space and then paste the certificate, I get -------------------END------------- not found.
On another note: "Disable Asusnat tunnel" turns itself off every now and then. I have not noticed a pattern, but every time I remember to have a look, sure enough it is off.
 
Use Winscp to copy the files there instead, will be far easier than learning to use vi (which is a nightmare to use for a first-time user).

Or use nano instead to edit the files - they recommend using vi because the stock firmware doesn't have nano.
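
A check for the truncation problem discussed in this thread, as an added example that is not part of any forum post: it verifies that every certificate in a CA file has both its BEGIN and END marker and reports the file size against the field limit. The function name, return codes and the raw byte-count comparison are assumptions of this example; the 3499 default is the figure from the thread title.

```shell
#!/bin/sh
# Added example (not from the thread): detect a cut-off PEM CA bundle.
# FIELD_LIMIT defaults to the 3499 bytes named in the thread title; comparing
# it against the raw file size is an assumption about how the field counts.
FIELD_LIMIT=3499

# check_ca_bundle FILE [LIMIT]
# Returns 0 = complete and fits, 1 = complete but over LIMIT,
#         2 = truncated/malformed, 3 = unreadable or no certificate.
check_ca_bundle() {
    file=$1
    limit=${2:-$FIELD_LIMIT}
    if [ ! -r "$file" ]; then
        echo "$file: not readable"
        return 3
    fi
    size=$(wc -c < "$file")
    size=$((size + 0))   # strip padding some wc implementations add
    # Walk the markers in order: every BEGIN must be closed by an END
    # before the next BEGIN or the end of the file.
    result=$(awk '
        /-----BEGIN CERTIFICATE-----/ { if (inside) bad = 1; inside = 1; n++ }
        /-----END CERTIFICATE-----/   { if (!inside) bad = 1; inside = 0 }
        END { if (inside) bad = 1; print n + 0, bad + 0 }
    ' "$file")
    certs=${result% *}
    bad=${result#* }
    if [ "$certs" -eq 0 ]; then
        echo "$file: no certificate found"
        return 3
    fi
    if [ "$bad" -ne 0 ]; then
        echo "$file: TRUNCATED, BEGIN/END markers do not pair up ($size bytes)"
        return 2
    fi
    if [ "$size" -gt "$limit" ]; then
        echo "$file: $certs certificate(s), $size bytes exceeds limit $limit"
        return 1
    fi
    echo "$file: $certs complete certificate(s), $size bytes, within $limit"
    return 0
}

# Usage: sh check_ca.sh /jffs/openvpn/vpn_crt_client1_ca
if [ "$#" -gt 0 ]; then
    check_ca_bundle "$@"
fi
```

Running it on the provider's ca.crt before copying, and again on the file under /jffs/openvpn/ afterwards, shows whether the copy on the router is still complete.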
 