[Solved] Uhttpd self-signed SSL/TLS certificate

/etc/config/uhttpd contains the a cert section which contains parameters for certificate creation:

config cert 'defaults'
	option days '730'
	option key_type 'ec'
	option bits '2048'
	option ec_curve 'P-256'
	option country 'ZZ'
	option state 'Somewhere'
	option location 'Unknown'
	option commonname 'OpenWrt'

Accordingly to this documentation, it will be needed only once, at the next restart. So i assume, at every start uhttpd checks if the period of validity is expired, and if so, a new self-signed certificate will be generated, is that correct?

I want to use my own certificate, which i will push automatically via scp (and restart uhttpd afterwards). But what worries me is the fact that OpenWRT creates it's own certificate. Is there a way to disable automatic creation of self-signed certificates?

When providing your own certificate, you can remove the cert section entirely. Make sure the cert and key file paths in the main section point to your certificate. I think that the key file must be readable only by root-- even if uhttpd does not enforce that it is a good practice.

Removing the cert section in /etc/config/uhttpd supresses the creation of a new self-signed certificate?
Are you sure?

I found out that px5g-wolfssl or px5g-standalone is responsible for the creation of the self-signed certificate.

Is it safe to remove this package, or will it break something?

px5g seems to be part of the standard installation. In case of removal: will it be installed again, when an OpenWrt update is installed?

root@sw:~# opkg whatdepends -A px5g-wolfssl
Root set:
What depends on root set
	apfree-wifidog 4.08.1771-6	depends on px5g
	luci-ssl git-20.244.36115-e10f954	depends on px5g-wolfssl

luci-ssl depends on px5g, so it seems like it is not possible to remove px5g without breaking the general SSL/TLS capability.

According to this documentation, px5g is triggered by the init script. How can this be disabled?

luci-ssl is an empty meta package, can be removed without loss of functionality.

Cert generation is triggered if no cert file exists, in all other cases it is skipped, even if preexisting certs are expired or invalid.

Missing cert configuration section inhibits cert generation


hi jow,

thanks for your reply. That is exactly what i needed to know!

I am not able to update the official documentation, so i suggest someone adds a little note with that piece of information.

Have a nice day :slight_smile:

1 Like

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.