
Using the following links I believe I was able to create and install a certificate and authority for my router so that when I connect to it via HTTPS it won't give me the warning screen about the site not being trusted, and so that I know that I can trust it:

  1. https://github.com/RMerl/asuswrt-merlin/wiki/Generating-OpenVPN-keys-using-Easy-RSA
  2. https://gist.github.com/davidbalbert/6815258
  3. https://www.techrepublic.com/blog/apple-in-the-enterprise/managing-ssl-certificate-authorities-on-os-x/

And in fact I no longer get the warning message, but the https:// in the address bar is crossed out with two red lines and I do get the following error message:

net::ERR_CERT_COMMON_NAME_INVALID

So, my questions are:

  1. Is it indeed not secure; did I miss something?
  2. Or is this just Google Chrome being finicky and nothing I do will remove this?
  3. Or is there some way to remove it permanently?
  • Exactly what https://name_or_address do you request in your browser(s), and exactly what CN (CommonName) value did you specify in the entity=router cert? HTTPS requires they match to ensure you are securely connecting to the correct server and not an imposter. If they are different and one is wrong, change the wrong one to be correct. Commented Dec 25, 2016 at 2:37
  • Ahh, thank you for that, though unfortunately it didn't completely solve the problem. Now that I've changed my CN to 192.168.1.1 the "net::ERR..." message no longer appears but the https is still crossed out in the browser bar and when I inspect the security settings it says "This page is insecure (broken HTTPS)." Commented Dec 25, 2016 at 4:47
  • Looks like SHA-1 might be the problem: inmotionhosting.com/support/website/ssl/sha-1 I'll report back once I try this. Commented Dec 25, 2016 at 4:50
  • I cover how to do this using openssl directly within this answer. – JW0914 Commented Jul 22, 2023 at 12:09

1 Answer


After much investigating I found the solution in a number of steps:

  • Generate keys as in RMerl's Generating OpenVPN keys using Easy RSA, with the following changes:

    • You first need to change SHA1 to SHA256 in pkitool in 2 or 3 places, as in HTTPS, easy-rsa, sha256, nginx.
    • In 'vars', make sure to uncomment and assign export KEY_CN=hostname (such as 192.168.1.1), this being the hostname you use to connect to your router (this makes me think accessing the router from both outside and in could be a problem; maybe DDNS would solve this problem?).
    • When completing step ./build-key-server server1, make sure server1 is the same hostname as above.
    • I changed export KEY_SIZE=2048 instead of 1024; I don't know if Chrome will accept 1024 or not.
    • Other steps are as in this document (I finished the client step because that is where signing happens, but I don't know if it is necessary; I don't use the file).

  • Follow steps in davidbalbert's How to install custom SSL certificates on an ASUS RT-N66U running asuswrt-merlin

    • In this case I directly copied 192.168.1.1.key to key.pem and 192.168.1.1.cert to cert.pem.
    • Make sure to read comments about replacing an existing certificate, if applicable.
  • Copy the new certificate file, ca.crt, to your Mac, as in Managing SSL Certificate Authorities on OS X

    • You may need to reboot your Mac.

This did the trick and the red lines and warning messages are all gone! Now I can safely login to my router completely worry free from snooping; right?

For reference the firmware I have currently installed is version 3.0.0.4.380_4180

  • There's a much better and more efficient way to do this than via OpenVPN, and I cover how to do this using openssl directly within this answer. – JW0914 Commented Jul 22, 2023 at 12:09
