Create and install a Root CA and self-signed SSL certificate


mobidutch

New Around Here
If you use official Asus firmware on your router and you want a secure connection to your router from ANY random computer, you have no other option than to install a certificate that was issued by an official/public certificate authority like Let's Encrypt. The downside of free certificates provided by such authorities is that they typically expire after 3 months. As an alternative, you can use this procedure to create your own root CA and a self-signed certificate that validates against that root CA.

Disclaimer: I did not come up with this procedure. I am just restating (sometimes literally) and organizing information that I found elsewhere, specifically:
- This very useful post about creating a self-signed certificate
- This thread on GitHub
- This thread that helped me resolve new certificate errors introduced with Chrome 58 and Opera 44.


Step 1. Download and install free OpenSSL utility
You can find it here. Install either the 64-bit or 32-bit version depending on your OS version. Install both the 1.02 Light version as well as the 1.1.0e Light version.


Step 2. Create a private root CA key
The first step is to generate a private root key. The example below creates a 2048-bit key:

openssl genrsa -out MyRootCA.key 2048

The standard key sizes today are 1024, 2048, and to a much lesser extent, 4096. Go with 2048, which is what most people use nowadays (people are transitioning away from 1024, while 4096 is usually overkill with a key length that is 5 times more computationally intensive than 2048). You can optionally password-protect the key by adding -des3 (recommended):

openssl genrsa -des3 -out MyRootCA.key 2048


If you go this route, you will be prompted to provide a password and you will be challenged for this password whenever you use the key.


Step 3. Self-sign the private root certificate
Execute this command:

openssl req -x509 -new -nodes -key MyRootCA.key -sha256 -days 1024 -out MyRootCA.pem

You can pick your own name for “MyRootCA” and specify any number of days (e.g. 3652 for 10 years). This will start an interactive script, which will ask you for various bits of information. Fill it out as you see fit, but make sure the Common Name is NOT equal to the public domain name of your router:


You are about to be asked to enter information that will be incorporated into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:YourState
Locality Name (eg, city) []:YourCity
Organization Name (eg, company) [Internet Widgits Pty Ltd]:YourName
Organizational Unit Name (eg, section) []:Root CA
Common Name (eg, YOUR name) []:YourName Root CA
Email Address []:[email protected]


Once done, this will create a signed SSL root certificate called MyRootCA.pem, valid for the specified number of days.



Step 4. Install root certificate into one or more workstations
For laptops/desktops/workstations, you will need to install the root certificate into your trusted certificate repository. Some browsers, such as Chrome, Opera and IE, use the default operating system repository. Issue the following commands to install the root certificate:


certutil -addstore -enterprise -f "Root" <pathtocertificatefile>

This will add the certificate to the Trusted Root Certification Authorities store. The -f in the command simply forces an overwrite in case the certificate already exists in the store. If you want to add an Intermediate Certification Authority, replace "Root" with "CA". To add to your Personal store, change it to "My".

The above command adds the certificate to the Local Computer store. To add to the User store remove the -enterprise from the command line:


certutil -addstore -f "Root" <pathtocertificatefile>

For installing the certificate in Firefox on Windows, go to Options>Advanced>Certificates>View Certificates, select the “Authorities” tab and Import the MyRootCA.pem file.


Step 5. Create a certificate for your router
This example assumes that your router’s hostname is myrouter.asuscomm.com.

a) Generate a private key
Execute the following command:

openssl genrsa -out myrouter.asuscomm.com.key 2048

Once the key is created, you will generate a “certificate signing request”.

openssl req -new -key myrouter.asuscomm.com.key -out myrouter.asuscomm.com.csr

You will be asked various questions (Country, State/Province, etc.). Answer them how you see fit, but make sure to specify your router’s public domain name as Common Name:

Common Name (eg, YOUR name) []: myrouter.asuscomm.com
Whatever you see in the address field in your browser when you go to your device must be what you put under common name, even if it is an IPv4 or IPv6 address. If it does not match, even a properly signed certificate will not validate correctly and you will get the “cannot verify authenticity” error.

You will also be asked for a challenge password (leave empty) and an “Optional company name”. Again, specify your router’s public domain name as optional company name (important!):

myrouter.asuscomm.com

b) Create v3.ext file
Now create a file called myrouter.asuscomm.com.v3.ext, in order to generate an X509 v3 certificate instead of the default v1 when not specifying an extension file. The file should have the following content:


authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = myrouter.asuscomm.com


c) Sign CSR
The next step is to sign the CSR, which requires the CA root key:

openssl x509 -req -in myrouter.asuscomm.com.csr -CA MyRootCA.pem -CAkey MyRootCA.key -CAcreateserial -out myrouter.asuscomm.com.crt -days 500 -sha256 -extfile myrouter.asuscomm.com.v3.ext

This creates a signed certificate called myrouter.asuscomm.com.crt, which is valid for 500 days (you can adjust the number of days of course, although it does not make sense to have a certificate that lasts longer than the root certificate).


Step 6. Install certificate on router
Log into your router via telnet or SSH, then execute these commands:

#cleanup of existing pem files
cd /etc
rm *.pem


#cleanup of existing certificate (twice)
nvram set https_crt_save=0
nvram unset https_crt_file
service restart_httpd
nvram unset https_crt_file
service restart_httpd
nvram get https_crt_file
(this should return nothing)
rm *.pem

#install new certificate
nvram set https_crt_save=1

#copy/paste your .crt and .key content into pem files
#save via 2x CTRL-D
cat > cert.pem
cat > key.pem


#restart and generate cert file
service restart_httpd
nvram get https_crt_file
(this should return your new cert file)

#done
reboot


That's it, you're done.
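The following script is an added example and is not part of the post above; it automates Steps 2, 3 and 5 end to end and then performs the check a browser would perform (does the router certificate chain to MyRootCA.pem, and is it valid for the hostname?), which is the test that catches the Common Name / SAN mismatch the post warns about. The CA name "Example Root CA", the 3652/500-day lifetimes, the hostname and the output directory are assumptions; it writes its own minimal OpenSSL config so the commands do not depend on a system openssl.cnf, and it adds the CA:TRUE / keyCertSign extensions to the root that the post's Step 3 gets implicitly from the default config.

```shell
#!/bin/sh
# Added example, not from the thread. Builds a root CA and a router certificate
# with a subjectAltName, then verifies chain and hostname with openssl verify.
# Assumes OpenSSL 1.0.2 or newer on the workstation.

make_router_cert() {
    host="$1"
    dir="$2"
    mkdir -p "$dir" || return 1
    (
        cd "$dir" || exit 1

        # Minimal req config: a (possibly empty) DN section is required even
        # when -subj is used; [v3_ca] marks the root as a CA so that verify
        # accepts it as a trust anchor.
        cat > openssl.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

        # Steps 2 and 3: root key and self-signed root certificate.
        openssl genrsa -out MyRootCA.key 2048 2>/dev/null || exit 1
        openssl req -x509 -new -nodes -key MyRootCA.key -sha256 -days 3652 \
            -config openssl.cnf -extensions v3_ca \
            -subj "/O=Example/OU=Root CA/CN=Example Root CA" \
            -out MyRootCA.pem || exit 1

        # Step 5a: router key and CSR; the CN is the router's public hostname.
        openssl genrsa -out "$host.key" 2048 2>/dev/null || exit 1
        openssl req -new -key "$host.key" -config openssl.cnf \
            -subj "/CN=$host" -out "$host.csr" || exit 1

        # Step 5b: the v3 extension file from the post, with the SAN filled in.
        cat > "$host.v3.ext" <<EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = $host
EOF

        # Step 5c: sign the CSR with the root key.
        openssl x509 -req -in "$host.csr" -CA MyRootCA.pem -CAkey MyRootCA.key \
            -CAcreateserial -out "$host.crt" -days 500 -sha256 \
            -extfile "$host.v3.ext" || exit 1
    )
}

# Returns 0 only if the certificate chains to MyRootCA.pem AND matches the
# expected hostname; anything else is the browser's "cannot verify" case.
verify_router_cert() {
    dir="$1"
    cert="$2"
    expected_host="$3"
    openssl verify -CAfile "$dir/MyRootCA.pem" \
        -verify_hostname "$expected_host" "$dir/$cert" >/dev/null 2>&1
}

# Prints the DNS names in the certificate's subjectAltName, one per line.
cert_sans() {
    openssl x509 -in "$1" -noout -text | grep -o 'DNS:[^,[:space:]]*'
}

# Demo in a throw-away directory with a constructed hostname.
demo_dir=$(mktemp -d)
make_router_cert myrouter.asuscomm.com "$demo_dir"
cert_sans "$demo_dir/myrouter.asuscomm.com.crt"
if verify_router_cert "$demo_dir" myrouter.asuscomm.com.crt myrouter.asuscomm.com; then
    echo "chain and hostname OK"
else
    echo "verification FAILED"
fi
rm -rf "$demo_dir"
```

Run the verify step with a hostname other than the one you put in the SAN and it fails with a hostname mismatch, which is exactly the error the post describes when the address bar and the Common Name disagree; checking this locally is cheaper than repeating the router install.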

HeMaN

Regular Contributor
Great tutorial! On Windows I use a program called XCA to manage keys and certificates. It saves me a lot of trouble using the command line to generate the keys and certificates and provides a GUI for things like alternative names.

Sent from my A0001 using Tapatalk
 

tboland

Occasional Visitor
Still a great tutorial, but needs slight updating due to firmware changes and the ravages of time. All good up until:

#copy/paste your .crt and .key content into pem files
#save via 2x CTRL-D (Changes in bold)
service stop_httpd (creating the files with httpd active was creating problems and they were being overwritten by httpd. Turn it off.)

cat > cert.pem
cat > key.pem

cat *.pem (displays the two files - needed for comparison and makes sure that the files saved as expected)
service start_httpd
cat *.pem (displays the two files - should be the same as previous. If not, httpd created its own set and you have to start over.)
nvram get https_crt_file (this should return your new cert file)
reboot (not really needed any more)
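Added example, not from either post: the comparison above is done by eye with cat. The two functions below make it a mechanical check that cert.pem and key.pem are actually a matching pair (a truncated paste, or httpd overwriting one of the files as described in the reply, shows up as a mismatch) and print the certificate's identity so it can be compared with what the browser later shows. They assume an openssl binary on the router (asuswrt ships one; on very old builds use openssl rsa -pubout in place of openssl pkey -pubout) or that you run them on the workstation against copies of the same two files.

```shell
#!/bin/sh
# Added example, not from the thread. Run before "service start_httpd".

# 0 = the key's public half equals the public key in the certificate,
# 1 = mismatch (bad paste, or httpd's own generated files), 2 = unreadable.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Subject, validity window and SHA-256 fingerprint of the certificate; the
# fingerprint is what to compare against the browser's certificate viewer.
cert_summary() {
    openssl x509 -in "$1" -noout -subject -dates -fingerprint -sha256
}

# Usage on the router (paths from the post; /etc is where the pem files live):
#   key_matches_cert /etc/cert.pem /etc/key.pem && cert_summary /etc/cert.pem
```

If key_matches_cert returns 1 after httpd has been started, httpd replaced the files with its own pair, which is the "start over" case in the reply.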
