2

Using the following links I believe I was able to create and install a certificate and authority for my router so that when I connect to it via HTTPS it won't give me the warning screen about the site not being trusted, and so that I know that I can trust it:

1) https://github.com/RMerl/asuswrt-merlin/wiki/Generating-OpenVPN-keys-using-Easy-RSA

2) https://gist.github.com/davidbalbert/6815258

3) http://www.techrepublic.com/blog/apple-in-the-enterprise/managing-ssl-certificate-authorities-on-os-x/

And in fact I no longer get the warning message, but the https:// in the address bar is crossed out with two red lines and I do get the following error message:

net::ERR_CERT_COMMON_NAME_INVALID

So, my questions are:

1) Is it indeed not secure; did I miss something? 2) Or is this just Google Chrome being finicky and nothing I do will remove this? 3) Or is there some way to remove it permanently?

Jesse Yishai
  • 21
  • 1
  • 4
  • Exactly what `https://name_or_address` do you request in your browser(s) and exactly what CN (CommonName) value did you specify in the entity=router cert? HTTPS requires they match to ensure you are securely connecting to the correct server and not an imposter. if they are different and one is wrong, change the wrong one to be correct. – dave_thompson_085 Dec 25 '16 at 02:37
  • Ahh, thank you for that, though unfortunately it didn't completely solve the problem. Now that I've changed my CN to 192.168.1.1 the "net::ERR..." message no longer appears but the https is still crossed out in the browser bar and when I inspect the security settings it says "This page is insecure (broken HTTPS)." – Jesse Yishai Dec 25 '16 at 04:47
  • Looks like SHA-1 might be the problem: http://www.inmotionhosting.com/support/website/ssl/sha-1 I'll report back once I try this. – Jesse Yishai Dec 25 '16 at 04:50
  • I cover how to do this using `openssl` directly within [this](https://superuser.com/a/1618151/529800) answer – JW0914 Jul 22 '23 at 12:09

1 Answers1

0

After much investigating I found the solution in a number of steps:

  • Generate keys as in RMerl's Generating OpenVPN keys using Easy RSA

    • However, you first need to change SHA1 to SHA256 in pkitool in 2 or 3 places as in HTTPS, easy-rsa, sha256, nginx
    • In 'vars' make sure to uncomment and assign 'export KEY_CN=hostname' (such as 192.168.1.1), this being the hostname you use to connect to your router (this makes me think accessing the router from both outside & in could be a problem; maybe DDNS would solve this problem?)
    • When completing step './build-key-server server1', make sure server1 is the same hostname as above
    • I changed 'export KEY_SIZE=2048' instead of 1024, don't know if Chrome will accept 1024 or not
    • Other steps are as in this document (I finished the client step because that is where signing happens but I don't know if it is necessary; I don't use the file)

  • Follow steps in davidbalbert's How to install custom SSL certificates on an ASUS RT-N66U running asuswrt-merlin

    • In this case I directly copied 192.168.1.1.key to key.pem and 192.168.1.1.cert to cert.pem
    • Make sure to read comments about replacing an existing certificate, if applicable

  • Copy the new certificate file, ca.crt, to your Mac, as in Managing SSL Certificate Authorities on OS X

    • You may need to reboot your Mac

This did the trick and the red lines and warning messages are all gone! Now I can safely login to my router completely worry free from snooping; right?

For reference the firmware I have currently installed is version 3.0.0.4.380_4180

Jesse Yishai
  • 21
  • 1
  • 4
  • There's a much better and more efficient way to do this than via OpenVPN, and I cover how to do this using `openssl` directly within [this](https://superuser.com/a/1618151/529800) answer – JW0914 Jul 22 '23 at 12:09