I've recently set up my own certificate in my GT-AX6000 because I also didn't want to use the default self-signed cert produced by the router.
I chose to create my own root Certificate Authority (CA), which I then used to issue a long-lived leaf certificate for the router to use for its web interface. Then, I've destroyed my CA's private key, so that it's impossible for this CA to issue any more certificates in the future, and finally I've added the CA to the trusted CA root store on my devices (currently an Android phone and a Windows PC) so that when I access the router's web interface, my web browsers will trust the leaf certificate.
In this process, I've discovered that not all certificates would work with the Asus router, notably certs using the elliptic curve Curve25519. On the other hand, NIST P-521 was accepted by the router, but this curve is not supported by Chromium based browsers, so I was only able to access the router's admin panel with Firefox.
In the end, it seems that you can only use the curves NIST-P256 and NIST-P384. I went with the latter for my certs. I didn't try RSA-based certificates, but these should work as well.
I created my certificates using the
Step CLI as follows:
Bash:
$ step certificate create --profile root-ca --kty=EC --crv=P-384 "Dummy Asus Root CA" root_ca.crt root_ca.key
$ step certificate create --profile leaf --kty=EC --crv=P-384 asusrouter.com asusrouter.com.crt asusrouter.com.key --ca ./root_ca.crt --ca-key ./root_ca.key --san=asusrouter.com --san=192.168.50.1 --not-after=8760h --no-password --insecure
$ rm root_ca.key
$ step certificate install root_ca.crt
However, if you want a certificate that's trusted globally, then I unfortunately don't have any experience with that on Asus routers. I know that the router can be configured to get certs automatically from Let's Encrypt (for free) if you use the DDNS feature, but I did not test that functionality.
