Router Certificate > “Enable full trust for root certificate”

[JTnola]

Please, can anyone point me to a resource that explains what this, (“enable full trust for root certificate”), does? Thank you.

Edit: this question may be specific to iOS; I had installed the certificate a long time ago and it functions as expected/designed — but recently I saw this (new?) additional setting, and can’t seem to find an answer about it …

 

[JTnola]

View attachment 44914

Please, can anyone point me to a resource that explains what this, (“enable full trust for root certificate”), does? Thank you.

(NB: Tapping “learn more about trusted certification” doesn’t provide much of an answer, or at least, not for someone from my limited perspective.)

 

[Justinh]

I believe your app/phone is asking if you want to trust and accept the router's self-signed certificate. You'll have to do this if you want to proceed with HTTPS.

 

[Tech9]

HTTPS access to GUI is not needed on a local network with all own devices.

 

[DJones]

I believe your app/phone is asking if you want to trust and accept the router's self-signed certificate. You'll have to do this if you want to proceed with HTTPS.

This is correct it is simply to avoid needing to see the self signed cert warning for that web page in your browser. Using HTTPS is fine on local network but yes unnecessary unless you have open guest networks with randoms accessing it. And if that’s the case you’d want more then just a self signed cert.

HTTPS is more useful for if you allow your router to be seen over wan for remote interface access. It prevents Man in the middle attacks, however does nothing to protect your router from somebody attacking the port over your host name or direct IP address. If you wish to access your router remotely I would suggest using a VPN and HTTPS self signed cert. This best protects your router overall because the host address will still reject over wan (if disabled). The VPN tunnels into your local network and anyone trying to get access would need your vpn keys. HTTPS self signed cert is double encryption when using a vpn tunnel, but hey what does it hurt.

If you use a Dynamic IP address you’ll still need a host name from no-ip or some other provider; it’s needed so your router and the provider knows when your IP address changes. I would also suggest running skynet just to avoid port scanners and such from freely targeting your router.

 

[drinkingbird]

(NB: Tapping “learn more about trusted certification” doesn’t provide much of an answer, or at least, not for someone from my limited perspective.)

Others have given the correct answers but long story short, your phone (or your PC, tablet, etc) all have a list of common trusted "root" certification authorities. Verisign, Digicert, and many others are in there. Asus is not one of them. By toggling it on, you are simply preventing the warning of "this site is not secure" when you visit the page via HTTPS, at least when that error is due to the fact that router.asus.com is not a known authority.

It does not hurt anything to trust the cert, since you know the device and know it is not malicious. The "root" just means that you will trust any certificate issued by router.asus.com as a valid certificate authority. I suppose some malicious site on the internet could use router.asus.com as their certification authority in hopes that people will have trusted it and will thus trust their cert. Seems pretty far fetched and unlikely though. You could avoid that by changing your router's domain to something else like "home.net" but that could cause issues if you ever tried to visit a site on the internet that has "home.net" as its domain. Maybe "home.zz" since .zz is not a valid extension but will work for local stuff. That's getting a bit paranoid though.

Basically any self signed certificate will have this same limitation - meaning someone did not pay for a certificate from one of the "big guys" and instead generated their own. Not something you would want to enable to some random internet site, but on a device you own/manage/trust it is fine.

Personally, I don't bother adding it to my trusted roots, if I visit it via HTTPS, I just click on the "proceed anyway". However stuff I have that uses my own domain that I own, I trust that root cert.

I believe you can get a free "letsencrypt" cert for access to the router, and they do use a trusted root authority for their certs. But probably not worth the effort unless you are accessing it from outside frequently (which isn't a good idea anyway without using a VPN).

 

[JTnola]

Hey yall thank you but I guess this must be an Uber specific iOS question. I installed the certificate forever ago, and Im familiar with that process. Haven’t had an issue with the warning screen or whatnot and we only connect/allow connection by HTTPS

but recently I saw this extra/added option that I had never noticed before “full trust.”

I do appreciate everyone’s thorough replies just the same. Very generous of yall. Thank you.

 

[XIII]

Trust manually installed certificate profiles in iOS, iPadOS and visionOS – Apple Support (UK)

If you manually install a profile that contains a certificate payload in iOS and iPadOS, that certificate isn't trusted for SSL automatically. Find out how to trust an installed certificate profile manually.

support.apple.com

 

[Justinh]

but recently I saw this extra/added option that I had never noticed before “full trust.”

Probably something updated in iOS or your app that triggered the prompt and shows with new verbiage? I think I even have to accept the cert upon each router firmware update, if I recall correctly.