Common Name (CN): OpenWrt
Organization (O): OpenWrt4595bdc5
Organizational Unit (OU): <Not Part Of Certificate>
### Issued By
Common Name (CN): OpenWrt
Organization (O): OpenWrt4595bdc5
Organizational Unit (OU): <Not Part Of Certificate>
### Validity Period
Issued On: Monday, March 28, 2022 at 12:43:54 PM
Expires On: Thursday, March 28, 2024 at 11:43:54 AM
### Fingerprints
SHA-256 Fingerprint: 5A F3 3B 26 58 B4 C2 65 DB E6 E6 7D 34 FE DC 88 E8 80 82 E9 A9 A7 92 D1 CD 33 D4 9F F5 B2 B9 40
SHA-1 Fingerprint: 9F 4D 0A 8F 44 02 1C E7 24 7C 11 FE DE D0 AE 2C CE D5 2E EC
How do I validate the certificate so I will have a proper HTTPS connection?
Firmware version:
Firmware Version OpenWrt 21.02.2 r16495-bf0c965af0 / LuCI openwrt-21.02 branch git-22.052.50801-31a27f3
Kernel Version 5.4.179
...and save (just name it, don't give it an extension as it'll be automatically added for you) the certificate somewhere easy to find. You can name it anything. Now close that window and the window that opened when you pressed F12.
In place of the last 2 steps above, you can pull /etc/ssl/mycert.crt off your router using other means such as SCP if you're a pro.
Proceed below depending on your operating system.
It then explains how to load the cert into your browser to suppress the warning.
@icegood, the simplest way to create self signed key/cert pairs would be:
Enter your router CLI from your computer (Windows or Linux); just type this in Windows PowerShell or Linux bash:
```shell
ssh root@192.168.1.1
```
Then type this:
```shell
cd /etc
# Create CA key and certificate. Import ca.crt as root certificate to the computers accessing the router and save ca.key for future use.
[ -e "./ca.key" ] || openssl genrsa -out ca.key 2048
[ -e "./ca.crt" ] || openssl req -new -x509 -days 7300 -key ca.key -subj "/C=CN/ST=GD/L=SZ/O=Acme, Inc./CN=Acme Root CA" -out ca.crt
# Create server key and certificate. Use server.key and server.crt as valid files for uhttpd, ttyd, etc.
[ -e "./server.key" ] || openssl req -newkey rsa:2048 -nodes -keyout server.key -subj "/C=CN/ST=GD/L=SZ/O=Acme, Inc./CN=localhost" -out server.csr
echo "subjectAltName=IP:192.168.1.1,DNS:Openwrt.lan,DNS:myserver.myddns.org,DNS:www.myserver.myddns.org" > /tmp/subjectAltName.txt
openssl x509 -sha256 -req -extfile /tmp/subjectAltName.txt -days 825 -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt
```
Obviously, change the DNS entries to your own internal/external names, and the IPs you use to access the router.
Do not forget to transfer the ca.crt file out of your router and add it as a root certificate to your computer, phone, or any other device you use to browse the LuCI web interface.
From your computer (Windows or Linux) just type this in Windows PowerShell or Linux bash:
```shell
scp root@192.168.1.1:/etc/ca.crt .
```
In Windows you just have to double-click the ca.crt file and add it to the trusted root certificates store.
/etc/server.key and /etc/server.crt can be used for any service such as uhttpd, ttyd, nginx, etc.
I think your problem is that the subjectAltName is missing in your certificate. So, you can only access your router using the CN, and that CN doesn't look like a valid DNS name in your LAN.
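Here is an added example, not code from the thread or from OpenWrt, that scripts the recipe above in a scratch directory and then checks the two things a browser checks: that server.crt chains to ca.crt, and that the hostname or IP typed into the address bar is listed in the certificate's subjectAltName. It builds one certificate with SAN and one without, to show the mismatch described just above. The scratch directory, the function names (make_certs, has_san, host_ok, ip_ok) and the demo switch are my own choices; the subject fields, names and IP are the thread's sample values. It needs only the openssl command-line tool.

```shell
#!/bin/sh
# Added example (not from the thread): build a CA and a server cert the way the
# post above does, then verify the chain and the names the way a browser would.
set -e

SUBJ_BASE="/C=CN/ST=GD/L=SZ/O=Acme, Inc."   # the thread's sample subject

# make_certs DIR SAN: create ca.key/ca.crt and server.key/server.crt in DIR.
# SAN is the subjectAltName value (e.g. "IP:192.168.1.1,DNS:openwrt.lan");
# pass "" to build a cert without SAN, i.e. the situation described above.
make_certs() {
  dir="$1"; san="$2"
  [ -e "$dir/ca.key" ] || openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
  [ -e "$dir/ca.crt" ] || openssl req -new -x509 -days 7300 -key "$dir/ca.key" \
      -subj "$SUBJ_BASE/CN=Acme Root CA" -out "$dir/ca.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -keyout "$dir/server.key" \
      -subj "$SUBJ_BASE/CN=localhost" -out "$dir/server.csr" 2>/dev/null
  if [ -n "$san" ]; then
    echo "subjectAltName=$san" > "$dir/san.txt"
    extfile="-extfile $dir/san.txt"   # DIR must not contain spaces
  else
    extfile=""                         # no SAN at all: only the CN is left
  fi
  # $extfile is deliberately unquoted so it expands to zero or two words
  openssl x509 -sha256 -req $extfile -days 825 -in "$dir/server.csr" \
      -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
      -out "$dir/server.crt" 2>/dev/null
}

# has_san DIR: succeeds if DIR/server.crt carries a subjectAltName extension.
has_san() {
  openssl x509 -in "$1/server.crt" -noout -text | grep -q "Subject Alternative Name"
}

# host_ok DIR NAME: succeeds if server.crt chains to ca.crt and is valid for
# hostname NAME (what a browser checks for https://NAME/). Grepping for ": OK"
# instead of trusting the exit code keeps this portable across OpenSSL versions.
host_ok() {
  openssl verify -CAfile "$1/ca.crt" -verify_hostname "$2" "$1/server.crt" 2>&1 \
    | grep -q ': OK'
}

# ip_ok DIR IP: same check for an address typed as https://IP/. OpenSSL, like
# browsers, matches IP addresses only against SAN entries, never against the CN.
ip_ok() {
  openssl verify -CAfile "$1/ca.crt" -verify_ip "$2" "$1/server.crt" 2>&1 \
    | grep -q ': OK'
}

# Demo: one cert with SAN, one without, as in the problem discussed above.
if [ "${1:-}" = "demo" ]; then
  good=$(mktemp -d); bad=$(mktemp -d)
  make_certs "$good" "IP:192.168.1.1,DNS:openwrt.lan"
  make_certs "$bad" ""
  for d in "$good" "$bad"; do
    has_san "$d" && san=yes || san=no
    host_ok "$d" openwrt.lan && h=OK || h=FAIL
    ip_ok "$d" 192.168.1.1 && i=OK || i=FAIL
    echo "SAN=$san  openwrt.lan=$h  192.168.1.1=$i"
  done
  rm -rf "$good" "$bad"
fi
```

Run it as `sh check_san.sh demo` (any file name works). With the SAN certificate both the name and the IP check pass; without it both fail, because the only identity left is the CN and a CN of "localhost" matches neither the LAN IP nor the LAN name, which is exactly the situation described above.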
For Windows, the guide is correct.
However, for Linux, it is a totally different matter.
Getting Chrome to work is sort of easier; for Firefox it is a bit more complicated.
For those interested, I can share my own guide, which works.
1) Chrome
```shell
sudo apt update
sudo apt install libnss3-tools
```
Syntax
```shell
certutil -d sql:$HOME/.pki/nssdb -A -t "TC,," -n "<CERT_NICKNAME>" -i <FILE_CRT>
```
From the folder where the .crt is, open a terminal. Example (nickname "OpenWrt"):
```shell
certutil -d sql:$HOME/.pki/nssdb -A -t "TC,," -n "OpenWrt" -i mycert.crt
```
2) Firefox
Syntax
```shell
certutil -A -n "<CERT_NICKNAME>" -t "TC,," -i <PATH_FILE_CRT> -d sql:<PATH_PROFILE_FIREFOX>
```
CERT_NICKNAME: certificate alias to set in the certificate list
PATH_FILE_CRT: path to the .crt file to import
PATH_PROFILE_FIREFOX: path to the Firefox profile used, to be found in /home/user/.mozilla/firefox/Profile_name
example:
Well, the certificate creation isn't so much different.
Maybe I could use your way to install the certificate anyway?
The way I do it, I end up with the ca.crt anyway, so doing your commands I should get the same results, I suppose?
Or is your installation guide different?
Installing a new system root certificate is not recommended. If anyone has the key to that certificate, they can use it to sign phony certificates to MITM any web site on any application on your PC.
It is much safer to set an internal browser exception for one private IP address, that of your router.
Realize that SSL does nothing to deter hacking of the server. It protects the user from having private data intercepted or connecting to a rogue server. Generally these aren't likely on a home LAN.
No need for that if you delete the ca.key file after the server.key and server.crt are created. Still easier and as safe as creating exceptions. And you are covered everywhere. For instance in Linux you can test the validity of the cert of a website by doing:
The only problem with Let's Encrypt is that your server must be public, and so must your FQDN. So, you lose the flexibility of using the external and internal names and IPs in the certificate. In other words, you won't be able to securely access your router using the LAN IP or local LAN name.