Local Access Config (Https) Certificate

rwheaton1

Occasional Visitor
Well, I posted in a different thread and didn't get a response... so I figured I would just create my own thread. I do not want to use the Asus server certificate. I want something local but do not know what will work best. If anyone has changed the certificate, I would appreciate it if you could give me some insight into what company you are using. I want a US-based company if possible. Is no-ip good, and does it work well with Asus? Any others I should consider? Thanks again for your help!!!!
 
I've recently set up my own certificate in my GT-AX6000 because I also didn't want to use the default self-signed cert produced by the router.
I chose to create my own root Certificate Authority (CA), which I then used to issue a long-lived leaf certificate for the router to use for its web interface. Then, I've destroyed my CA's private key, so that it's impossible for this CA to issue any more certificates in the future, and finally I've added the CA to the trusted CA root store on my devices (currently an Android phone and a Windows PC) so that when I access the router's web interface, my web browsers will trust the leaf certificate.

In this process, I've discovered that not all certificates would work with the Asus router, notably certs using the elliptic curve Curve25519. On the other hand, NIST P-521 was accepted by the router, but this curve is not supported by Chromium-based browsers, so I was only able to access the router's admin panel with Firefox.
In the end, it seems that you can only use the curves NIST P-256 and NIST P-384. I went with the latter for my certs. I didn't try RSA-based certificates, but these should work as well.

I created my certificates using the Step CLI as follows:
Bash:
$ step certificate create --profile root-ca --kty=EC --crv=P-384 "Dummy Asus Root CA" root_ca.crt root_ca.key
$ step certificate create --profile leaf --kty=EC --crv=P-384 asusrouter.com asusrouter.com.crt asusrouter.com.key --ca ./root_ca.crt --ca-key ./root_ca.key --san=asusrouter.com --san=192.168.50.1 --not-after=8760h --no-password --insecure
$ rm root_ca.key
$ step certificate install root_ca.crt

However, if you want a certificate that's trusted globally, then I unfortunately don't have any experience with that on Asus routers. I know that the router can be configured to get certs automatically from Let's Encrypt (for free) if you use the DDNS feature, but I did not test that functionality.
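
As an added example (not part of the original post, and not Asus or Step code), the shell functions below check a certificate before it is uploaded to the router: the key type against the curve results reported above, and the SAN list against the names used to reach the web interface. The function names and the sample dump are constructed for illustration; `check_cert` assumes `openssl` is installed.

```shell
# Added example; verdicts follow the GT-AX6000 results reported in the post above
# (assumption: they are one user's observations, not vendor documentation).

# key_verdict: reads `openssl x509 -noout -text` output on stdin, prints a verdict.
key_verdict() {
    awk '
        /Public Key Algorithm:/ { alg = $NF }
        /NIST CURVE:/           { curve = $NF }
        END {
            if (curve == "P-256" || curve == "P-384") print "ok"
            else if (curve == "P-521") print "chromium-unsupported"
            else if (alg == "ED25519") print "router-rejected"
            else print "untested"   # e.g. RSA, which the post did not try
        }'
}

# has_san NAME: succeeds if NAME is a DNS or IP entry in the SAN extension.
has_san() {
    awk -v want="$1" '
        in_san { n = split($0, e, /, */)
            for (i = 1; i <= n; i++) {
                sub(/^[ \t]+/, "", e[i])
                if (e[i] == "DNS:" want || e[i] == "IP Address:" want) ok = 1
            }
            in_san = 0 }
        /X509v3 Subject Alternative Name:/ { in_san = 1 }
        END { exit !ok }'
}

# check_cert CERT NAME...: both checks on a PEM file (needs openssl on PATH).
# Usage: check_cert asusrouter.com.crt asusrouter.com 192.168.50.1
check_cert() {
    cert=$1; shift
    text=$(openssl x509 -in "$cert" -noout -text) || return 2
    verdict=$(printf '%s\n' "$text" | key_verdict)
    echo "key: $verdict"
    [ "$verdict" = ok ] || return 1
    for name in "$@"; do
        printf '%s\n' "$text" | has_san "$name" || { echo "missing SAN: $name"; return 1; }
    done
}

# Constructed sample: trimmed text dump for a P-384 leaf like the one above.
SAMPLE='            Public Key Algorithm: id-ecPublicKey
                ASN1 OID: secp384r1
                NIST CURVE: P-384
            X509v3 Subject Alternative Name: 
                DNS:asusrouter.com, IP Address:192.168.50.1'
printf '%s\n' "$SAMPLE" | key_verdict
```

SAN entries are matched exactly, so a certificate issued for `asusrouter.com` does not pass a check for a different hostname or a neighbouring IP address.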
 
