Self-signed certificate configuration

Hi all.
I'd like to add a certificate to my Firefox browser to avoid warnings about an incorrect certificate every time I open the web interface.
Recently I found that article,
so this is what I did:

  • I created a new key/cert pair
    openssl req -x509 -nodes -days 5397 -newkey rsa:2048 -keyout mycert1.key -out mycert1.crt -config myconfig.conf
    openssl pkcs12 -export -out mycert1.pfx -inkey mycert1.key -in mycert1.crt
  • installed .pfx on my system.
    certutil -d sql:$HOME/.pki/nssdb -A -t "CT,C,c" -n LuCI -i mycert1.crt
  • copied the new pair to my router and configured it there
  • added mycert1.pfx to the Firefox browser
    But nothing has changed; Firefox still asks about that cert every time.

Where was my mistake?

Thanks in advance.

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall
cat /etc/config/uhttpd

Here they are:

ubus call system board
{
        "kernel": "5.15.150",
        "hostname": "mthost34",
        "system": "ARMv7 Processor rev 5 (v7l)",
        "model": "MikroTik hAP ac2",
        "board_name": "mikrotik,hap-ac2",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "23.05.3",
                "revision": "r23809-234f1a2efa",
                "target": "ipq40xx/mikrotik",
                "description": "OpenWrt 23.05.3 r23809-234f1a2efa"
        }
}




cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix '444444444444444444444'
        option packet_steering '1'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'
        option macaddr 'AA:AA:AA:AA:AA:AA'
        option stp '1'

config device
        option name 'lan1'
        option macaddr 'AA:AA:AA:AA:AA:AA'

config device
        option name 'lan2'
        option macaddr 'AA:AA:AA:AA:AA:AA'

config device
        option name 'lan3'
        option macaddr 'AA:AA:AA:AA:AA:AA'

config device
        option name 'lan4'
        option macaddr 'AA:AA:AA:AA:AA:AA'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.34.1'
        option netmask '255.255.255.0'
        option ip6assign '60'
        list dns '192.168.34.1'

config device
        option name 'wan'
        option macaddr 'BB:BB:BB:BB:BB:BB'

config interface 'wan'
        option device 'wan'
        option proto 'dhcp'
        option peerdns '0'

config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'

config device
        option name 'phy0-ap0'
        option macaddr 'CC:CC:CC:CC:CC:CC'

config device
        option name 'phy1-ap0'
        option macaddr 'DD:DD:DD:DD:DD:DD'
        
        
        
        
        
cat /etc/config/wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option path 'platform/soc/a000000.wifi'
        option channel '4'
        option band '2g'
        option htmode 'HT40'
        option txpower '16'
        option cell_density '0'
        option noscan '1'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option ssid '11'
        option encryption 'sae-mixed'
        option key '1111111111111111'
        option wpa_disable_eapol_key_retries '1'

config wifi-device 'radio1'
        option type 'mac80211'
        option path 'platform/soc/a800000.wifi'
        option channel '40'
        option band '5g'
        option htmode 'VHT80'
        option cell_density '0'
        option txpower '12'

config wifi-iface 'default_radio1'
        option device 'radio1'
        option network 'lan'
        option mode 'ap'
        option ssid '22222'
        option encryption 'sae-mixed'
        option key '22222222222222222'
        
        
        
        
cat /etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option localservice '1'
        option ednspacket_max '1232'
        list server '/mask.icloud.com/'
        list server '/mask-h2.icloud.com/'
        list server '/use-application-dns.net/'
        list server '127.0.0.1#5053'
        list server '127.0.0.1#5054'
        list server '127.0.0.1#5055'
        list interface 'lan'
        list notinterface 'wan'
        list notinterface 'wan6'
        option doh_backup_noresolv '-1'
        option noresolv '1'
        list doh_backup_server '/mask.icloud.com/'
        list doh_backup_server '/mask-h2.icloud.com/'
        list doh_backup_server '/use-application-dns.net/'
        list doh_backup_server '127.0.0.1#5053'
        list doh_backup_server '127.0.0.1#5054'
        list doh_server '127.0.0.1#5053'
        list doh_server '127.0.0.1#5054'
        list doh_server '127.0.0.1#5055'

config dhcp 'lan'
        option interface 'lan'
        option start '50'
        option limit '150'
        option leasetime '20m'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'
        option force '1'
        list dhcp_option '4,192.168.34.1'
        list dhcp_option '42,192.168.34.1'
        list dhcp_option '5,192.168.34.1'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

        

        
        

        
        
        
        
        
cat /etc/config/firewall

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'
        option drop_invalid '1'
        option flow_offloading '1'
        option flow_offloading_hw '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option mtu_fix '1'
        list network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'

config forwarding
        option src 'lan'
        option dest 'wan'
        
config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'
        option enabled '0'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'
        option enabled '0'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'
        option enabled '0'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'
        option enabled '0'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule
        option name 'Block outgoing DNS grom WAN to 53'
        option direction 'out'
        option device 'wan'
        option dest '*'
        option dest_port '53'
        option target 'DROP'

config rule
        option name 'Block forward DNS from LAN to WAN to port 53'
        option src 'lan'
        option dest 'wan'
        option dest_port '53'
        option target 'DROP'

config redirect 'dns_int'
        option name 'Redirect-DNS-requests-to-router'
        option src 'lan'
        option src_dport '53'
        option proto 'tcp udp'
        option family 'any'
        option target 'DNAT'

config redirect
        option target 'DNAT'
        option name 'Redirect-NTP-requests-to-router'
        option family 'any'
        option src 'lan'
        option src_dport '123'
        list proto 'tcp'
        list proto 'udp'

config include 'pbr'
        option fw4_compatible '1'
        option type 'script'
        option path '/usr/share/pbr/pbr.firewall.include'

        
        
        
        
        
        
        
        
        
        
cat /etc/config/uhttpd

config uhttpd 'main'
        list listen_http '192.168.34.1:34567'
        list listen_https '192.168.34.1:45678'
        option redirect_https '1'
        option home '/www'
        option rfc1918_filter '1'
        option max_requests '3'
        option max_connections '100'
#       option cert '/etc/uhttpd.crt'
#       option key '/etc/uhttpd.key'
        option cert '/etc/mycert1.crt'
        option key '/etc/mycert1.key'
        option cgi_prefix '/cgi-bin'
        list lua_prefix '/cgi-bin/luci=/usr/lib/lua/luci/sgi/uhttpd.lua'
        option script_timeout '60'
        option network_timeout '30'
        option http_keepalive '20'
        option tcp_keepalive '1'
        option ubus_prefix '/ubus'

config cert 'defaults'
        option days '730'
        option key_type 'ec'
        option bits '2048'
        option ec_curve 'P-256'
        option country 'ZZ'
        option state 'Somewhere'
        option location 'Unknown'
        option commonname 'OpenWrt'


If it is not obvious: remove uhttpd.key/.crt and they will be regenerated with valid parameters. I leave it as an exercise for you to read the CA/Browser Forum (cabforum) issuer requirements and find out why your certificate is rejected even though it was saved.

I've never had to do anything in Firefox other than click "Accept the risk and continue" once. The browser should then associate that self-signed certificate with the IP address. This is actually safer than installing a trusted root certificate on your endpoint: if you do that, anyone who holds the private key of that certificate can create and sign certificates that impersonate any website to you.


The same as when turning SSL on in the OpenWrt web interface: the cert will be generated according to the last part of the /etc/config/uhttpd file.
uhttpd.key/.crt were generated automatically.

If this process (generating and configuring the cert) had been clear to me, I would never have come here.
What about that link? Is that info correct?

Cabforum requires a much shorter expiry than you specified (your command used -days 5397); Apple clients reject certs whose validity period is too long.