User-provided SSL certificate for webui

[Goran]

Hi,
I need if someone can guide me step by step to get this working. I've allready searched forum and tried following:
1. I have my own domain certificate files by Letsencrypt export function (cert.pem, chain.pem, privkey.pem)
2. I renamed privkey.pem to key.pem and copied it together with cert.pem to /jffs/ssl
3. run service restart_httpd

system settings:

I can see my certificate and domain in view current certificate.

But Safari, Chrome or Firefox reports "not secure" even certificate info in Chrome says it is OK.

I can reach my domain from WAN (webserver with certificate on NAS behind router) withouth any issue - certificate is accepted and connection is secured.

Tnx in advance.

 

[RMerlin]

Unless the certificate is emitted to 192.168.100.1 (which it won't be), it will always generate a security alert as the certificate does not match the address you visit.

The address used in the webui must match that in your certificate.

 

[Goran]

Doesn't "certificate subject alternative names" include 192.168.100.1?

Is it possible to have on local network (e.g. 192.168.100.1) secure connection in browsers? Doesn't need to be my domain - just to avoid browser warnings.

 

[sfx2000]

Unless the certificate is emitted to 192.168.100.1 (which it won't be), it will always generate a security alert as the certificate does not match the address you visit.

The address used in the webui must match that in your certificate.

And I'll add that creating a cert for 192.168.100.1 is not a good idea - on many cable modems, that's the local debug/admin interface on the modem....

 

[florid]

you can create a dnsmasq server entry to resolve YOURDOMAIN.com to 192.168.100.1 internally.

 

[RMerlin]

Doesn't "certificate subject alternative names" include 192.168.100.1?

Is it possible to have on local network (e.g. 192.168.100.1) secure connection in browsers? Doesn't need to be my domain - just to avoid browser warnings.

We're talking about a Let's Encrypt certificate here, not a self-signed one. It won't have your private IP as a SAN.

Sent from my P027 using Tapatalk

 

[nasville]

sorry for sneaking in the thread, but I think it would be nice to know how to avoid the browser warning only. Is it mandatory to create your own certificate (don't even know where to start from) or is there an easier way? Many thanks

 

[RMerlin]

The only way to completely avoid the warning is to own a domain name, get a certificate issued by a known certificate authority for that domain, and use that domain whenever accessing your router.

Just add the exception to your browser, and ignore the "not secure" warning. This is your own router, not a public website. You'll be the only person accessing it, so it's not a big deal. Despite the warning, the data remains encrypted and secure.

 

[nasville]

get a certificate issued by a known certificate authority for that domain, and use that domain whenever accessing your router.

so sorry to reiterate, but so a "self signed" certificate won't work, right?

 

[XIII]

so sorry to reiterate, but so a "self signed" certificate won't work, right?

For me it does work: https://www.snbforums.com/threads/b...eta-is-now-available.39854/page-4#post-332867

 

[RMerlin]

so sorry to reiterate, but so a "self signed" certificate won't work, right?

Depends what you mean by "work". Yes, it will work, your data will be encrypted, but your browser will still display "Not secure".

 

[truglodite]

My chrome browser (up to date) gets a green padlock when I have the os trust the built in router generated cert (/jffs/ssl/cert.pem... rename to router.crt for Windows to use it). The generated cert has the router local ip as a CN, and the San includes the ip, router.asus.com, etc.

What I am interested in though (failed thus far) is using openssl to make my own certs for the router webui via ubuntu. I read up on modified openssl.cnf files (@altname section etc) but can't seem to conjure up a config that works the same as the router generated pair (maybe I'm not properly configuring info somewhere, or my commands are off). I have tried all kinds of one liners, 2 liners, various configs... I get v3 certs with ip+router.asus.com in sans... no worky. Is there an openssl config file on the router I can reference off of?

I guess the router gen certs are secure, but I'd like to learn more about ssl by experimenting on this.

Thanks,
Kev

 

[RMerlin]

My chrome browser (up to date) gets a green padlock when I have the os trust the built in router generated cert (/jffs/ssl/cert.pem... rename to router.crt for Windows to use it). The generated cert has the router local ip as a CN, and the San includes the ip, router.asus.com, etc.

What I am interested in though (failed thus far) is using openssl to make my own certs for the router webui via ubuntu. I read up on modified openssl.cnf files (@altname section etc) but can't seem to conjure up a config that works the same as the router generated pair (maybe I'm not properly configuring info somewhere, or my commands are off). I have tried all kinds of one liners, 2 liners, various configs... I get v3 certs with ip+router.asus.com in sans... no worky. Is there an openssl config file on the router I can reference off of?

I guess the router gen certs are secure, but I'd like to learn more about ssl by experimenting on this.

Thanks,
Kev

Look at the content of /usr/sbin/gencert.sh on your router - the OpenSSL commands I use are near the end of the script.

 

[truglodite]

Thanks RMerlin!

I went over the gencert.sh and openssl.cnf file on my router, and derived a config that does the same thing on my Linux box. I learned something new, got to use different parameters (like 4096bit), and perhaps have keys with decent entropy (I read that some embedded uC's, ie router based Linux, may be insufficient in this regard). Since I endured many failures leading up to this (made all sorts of certs in unthinkable ways and still had a red padlock), I added a bunch of newb friendly comments & commands to my fairly standard config for sharing. Hopefully this saves a newb from pain in achieving the green admin ui padlock they're after:

# Asus WRT Merlin HTTPs WebUI Cert... manual green padlock (July 2017)
#
# Your Merlin powered router can get a green padlock by simply using the 'generate new cert'
# option, and copy/trusting the cert found in (/jffs/ssl/cert.pem) to your OS.
# The purpose of this file is to learn the process the router uses, and allow more customization
# over the cert options. Plus, many embedded processors used in routers do not have good enough entropy
# to generate secure keypairs.
#
# Your Merlin powered router's cert generator script lies here:
#    /usr/sbin/gencert.sh
# The script copies then modifies a config file you'll find here:
#    /etc/openssl.cnf

#
# The below openssl config file is a typical example of what the script will use.
# It should be modified to match your configuration (the important lines to modify
# are near the bottom). Use this config, with the following 3 commands, to make
# certs and keys with openssl in Linux:
#
#    openssl genrsa -out key.pem 4096 -config merlinWebUIcerts
#    openssl req -new -x509 -key key.pem -sha256 -out cert.pem -days 3650 -config merlinWebUIcerts
#    cat key.pem cert.pem > server.pem
#
# Verify the cert infos before putting it to use:
#    openssl x509 -in /etc/cert.pem -text -noout
#
# Place the files in the /jffs/ssl/ directory and restart httpd (or reboot router).
# Copy cert.pem and rename to myRouterCert.crt. Distribute this cert to client(s) and
# add to their trusted root certs (see OS or browser docs on how to do this).
#
# For more info:
# https://www.snbforums.com/threads/user-provided-ssl-certificate-for-webui.40249/
#
#############################################################################
#Start Config File#
HOME = .
RANDFILE = $ENV::HOME/.rnd
oid_section = new_oids
[ new_oids ]
[ ca ]
default_ca = CA_default
[ CA_default ]
acopy_extensions = copy    #script adds this
dir = /usr/share
certs = $dir/certs
crl_dir = $dir/crl
database = $dir/index.txt
new_certs_dir = $dir/newcerts
certificate = $dir/cacert.pem
serial = $dir/serial
crl = $dir/crl.pem
private_key = $dir/private/cakey.pem
RANDFILE = $dir/private/.rand
x509_extensions = usr_cert
default_days = 7305
default_crl_days = 30
default_md = md5
preserve = no
policy = policy_match
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ usr_cert ]
basicConstraints=CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
[ v3_req ]
subjectAltName = @alt_names    #script adds this
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
[ v3_ca ]
subjectAltName = @alt_names    #script adds this
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
basicConstraints = CA:true
[ crl_ext ]
authorityKeyIdentifier = keyid:always,issuer:always
[ engine ]
default = openssl
[ req ]
default_bits = 2048
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca
string_mask = nombstr
req_extensions = v3_req
[ req_attributes ]
challengePassword = .
challengePassword_value =
unstructuredName = .
unstructuredName_value =
[ req_distinguished_name ]
countryName = .
countryName_value = US
stateOrProvinceName = .
stateOrProvinceName_value = .
localityName = .
localityName_value = .
organizationName = .
organizationName_value = .
organizationalUnitName = .
organizationalUnitName_value = .

#########################################################################
#Important things to modify below... mainly the .13.1 to your router IP, and RTN66R to your router name
0.commonName=CN
0.commonName_value=192.168.13.1        #your router's lan IP
0.organizationName=O
0.organizationName_value='ASUSWRT-Merlin'

#Add more like so if you use "Lan CN's"
#1.commonName=CN
#1.commonName_value=myLanCN1        #A lan CN
#1.organizationName=O
#1.organizationName_value='ASUSWRT-Merlin'

[alt_names]
IP.0 = 192.168.13.1                    #your router's lan IP
DNS.0 = 192.168.13.1                #your router's lan IP (for dumb browsers)
DNS.1 = router.asus.com                #yeeeeeeup!
DNS.2 = RTN66R                        #my old router, yours is probably different
DNS.3 = RTN66R.home                    #I use "home" as my LAN domain
DNS.4 = yourUserName.asuscomm.com        #Not sure this is needed, but I use DDNS for Openvpn, and this was in my cert.

#DNS.5 = addYourLanCNsIfYouUseThose

To use, create a file named "merlinWebUIcerts", paste in the code, edit the bottom section to match your router, and save. From the same directory, enter the first 2 commands in the top comments (3rd cat line is for webdav, which I don't use).

I think all that is really needed is the IP.0, DNS.0, and DNS.1 lines... lines below that can probably be commented out for the webui accessed from lan.

On a related note, I also used this method to make a keypair for my favorite router script, ab-solution.sh (pixelserv-tls).

Cheers,
Kev