FreshTomato Wiki

User Tools

Site Tools

Trace: custom_ssl_cert_local_cert_authority
custom_ssl_cert_local_cert_authority

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
custom_ssl_cert_local_cert_authority [2025/11/12 23:28] – [Set up a Custom SSL Cert - Notes and Troubleshooting] -Formatting hogwildcustom_ssl_cert_local_cert_authority [2025/11/26 00:15] (current) – [Set up a Custom SSL Cert - Notes and Troubleshooting] hogwild
Line 1: Line 1:
 ====== Set up a Custom SSL Cert using Local CA & Cert-Signing Request ====== ====== Set up a Custom SSL Cert using Local CA & Cert-Signing Request ======
-This HOWTO takes you through all the steps needed to create: \\  + 
- \\+This HOWTO takes you through all the steps needed to create: \\   \\ 
   - A root certificate authority (CA)   - A root certificate authority (CA)
   - An intermediate certificate authority (ICA)   - An intermediate certificate authority (ICA)
   - An SSL key, certificate request (CS)   - An SSL key, certificate request (CS)
   - A signed certificate.   - A signed certificate.
- \\  + 
-It then shows you how to distribute these, and install them in FreshTomato NVRAM. The setup was done on an r2025.3 build, but should work fine on releases r2023 and later.​+ \\  It then shows you how to distribute these, and install them in FreshTomato NVRAM. The setup was done on an r2025.3 build, but should work fine on r2023 and later.​
  
 The **steps involved in creating the Local Certificate Authority, Certificates and Signing Request can be run only on Linux**. If your main computing device isn't running Linux, it is recommended that you create a Live, bootable Linux USB flash drive on which to perform these tasks. This media should be configured with persistent storage. The FreshTomato team may attempt to find ways to allow all these tasks to be done directly in FreshTomato. The **steps involved in creating the Local Certificate Authority, Certificates and Signing Request can be run only on Linux**. If your main computing device isn't running Linux, it is recommended that you create a Live, bootable Linux USB flash drive on which to perform these tasks. This media should be configured with persistent storage. The FreshTomato team may attempt to find ways to allow all these tasks to be done directly in FreshTomato.
Line 18: Line 19:
 ===== Prerequisites ===== ===== Prerequisites =====
  \\   \\ 
-  - A FreshTomato router with approximately 2.5 kB of free NVRAM. \\ (Check "Used / Total NVRAM" in the Overview menu) +  - A FreshTomato router with approximately 2.5 kB of free NVRAM. \\ (Check "Used / Total NVRAM" in the Overview menu) \\ \\ 
   - Any Linux distro with which you are comfortable. \\ The Certificate Authority will be built in the "/root/ca" directory.   - Any Linux distro with which you are comfortable. \\ The Certificate Authority will be built in the "/root/ca" directory.
  \\   \\ 
Line 433: Line 433:
  \\   \\ 
 ==== Set up Root with Elliptical Curve SSH Keys ==== ==== Set up Root with Elliptical Curve SSH Keys ====
- \\  + 
-(This is done with root credentials because the certificates must be installed in FreshTomato. Using root access helps avoid unsecured steps in between). \\  +\\  (This is done with root credentials because the certificates must be installed in FreshTomato. Using root access helps avoid unsecured steps in between). \\  \\  Change to the: "/root" directory: \\  \\  \\  ''cd /root'' \\  \\  \\  \\  \\  Generate a public/private SSH key pair using the Ed25519 hashing algorithm. Add a comment containing a default email address to the key: \\  \\  \\  ''ssh-keygen -t ed25519 -C "your_email@example.com"''\\  \\  \\  \\  \\  Display the contents of the public SSH key file: "/root/.ssh/id_ed25519.pub": \\  \\  \\  ''cat /root/.ssh/id_ed25519.pub'' \\  (The contents should look similar to: "ssh-ed25519 AAA....Oo your_email@example.com". Copy all of it for use in the next step.\\  \\  \\  \\  \\  Now, connect to the router's web interface and go to the Admin Access menu. In the SSH Server section, paste the output copied from the previous step in the "Authorized keys" section). \\  \\  \\  Uncheck: \\
- \\  +
-Change to the: "/root" directory: \\  +
- \\  +
- \\  +
-''cd /root'' \\  +
- \\  +
- \\  +
- \\  +
- \\  +
-Generate a public and private SSH key pair using the Ed25519 hashing algorithm. Add a comment containing a default email address to the key: \\  +
- \\  +
- \\  +
-''ssh-keygen -t ed25519 -C "your_email@example.com"'' FIXME \\  +
- \\  +
- \\  +
- \\  +
- \\  +
-Display the contents of the public SSH key file: "/root/.ssh/id_ed25519.pub": \\  +
- \\  +
- \\  +
-''cat /root/.ssh/id_ed25519.pub'' \\  +
-(The contents should look similar to: "ssh-ed25519 AAA....Oo your_email@example.com" copy the whole thing) FIXME \\  +
- \\  +
- \\  +
- \\  +
- \\  +
-Now, connect to the router's web interface and go to the Admin Access menu. In the SSH Server section, paste the output copied from the previous step in the "Authorized keys" section). \\  +
- \\  +
- \\  +
-Uncheck: \\ +
  
   * "Allow password login"   * "Allow password login"
   *  "WAN access"   *  "WAN access"
  
- \\  Now, check: \\ +\\  Now, check: \\
  
-  * "Enable on Startup", then "Save." \\  +  * "Enable on Startup", then "Save." \\ 
- \\  + 
- \\  +\\  \\  \\  \\  Finally, click "Start Now" to restart the SSH server. \\  \\  \\  \\
- \\  +
- \\   +
-Finally, click "Start Now" to restart the SSH server. \\  +
- \\  +
- \\  +
- \\ +
  
  
 ==== Upload the Custom Certificates / Key to the Router and Write them to NVRAM ==== ==== Upload the Custom Certificates / Key to the Router and Write them to NVRAM ====
- \\  + 
-Using the secure copy command (and legacy protocol), copy the: "FT.key.pem" file and the: ""FT.cert.pem" file from the Intermediate CA to the root user FreshTomato home directory (whose default name is assumed to be: "FT") \\  + \\  Using the secure copy command (and legacy protocol), copy the: "FT.key.pem" file and the: ""FT.cert.pem" file from the Intermediate CA to the root user FreshTomato home directory (whose default name is assumed to be: "FT") \\   \\   \\  ''scp -O /root/ca/intermediate/client_keys/FT.key.pem /root/ca/intermediate/newcerts/FT.cert.pem root@FT'' \\   \\   \\   \\   \\  Run the SSH command to connect via SSH to the root account on the host router named: "FT": \\   \\   \\  ''ssh root@FT'' \\   \\   \\   \\   \\  Rename the file: "FT.key.pem" file to: "key.pem": \\   \\   \\  ''mv FT.key.pem key.pem'' \\   \\   \\   \\   \\  Rename the file: "FT.key.pem" to cert.pem: \\   \\   \\  ''mv FT.cert.pem cert.pem'' \\   \\   \\   \\   \\  Concatenate the contents of the "key.pem" and "cert.pem" files and write the combined content into new file: "/etc/server.pem": \\   \\   \\  ''cat key.pem cert.pem > /etc/server.pem'' \\   \\   \\   \\   \\  Copy the "./cert.pem" file to the "/etc" directory: \\   \\   \\  ''cp ./cert.pem /etc/cert.pem'' \\   \\   \\   \\   \\  Copy the "./key.pem" file to the "/etc" directory: \\   \\   \\  ''cp ./key.pem /etc/key.pem'' \\   \\   \\   \\   \\  Run the stream text editor, make it open the "cert.pem" file in place, overwriting any changes and cutting off content after the words: "END CERTIFICATE": \\   \\   \\  ''sed -i %%"%%/END CERTIFICATE/q%%"%% /etc/cert.pem'' \\   \\   \\   \\   \\  Run the tar command and compress the "cert.pem" and "key.pem files into the "/tmp/cert.tar" file, preserving all /path/ information) \\   \\   \\  ''/bin/tar -C / -cf /tmp/cert.tar etc/cert.pem etc/key.pem '' \\   \\   \\   \\   \\  Run the gzip archive tool to further compress the "cert.tar" file (making it into a "tar.gzip" file): \\   \\   \\  ''/bin/gzip -f /tmp/cert.tar'' \\   \\   \\   \\   \\   \\  Encode the "/tmp/cert.tar.gz" tarball archive of SSL certificate files, encode it in base64 using OpenSSL, remove any newline characters from the encoded string, and then set this base64-encoded string as the value of the "https_crt_file" variable in NVRAM. \\   \\   \\  ''nvram set https_crt_file="$(/usr/sbin/openssl enc -base64 < /tmp/cert.tar.gz | tr -d '\n')"'' \\   \\   \\   \\   \\  Commit all the changes to NVRAM: \\   \\   \\  ''nvram commit'' \\   \\   \\   \\   \\  Finally, restart the HTTP daemon: \\   \\   \\  ''service httpd restart'' \\   \\   \\   \\  The "intermediate.cert.pem" file is now ready to be imported into your browser. The author uses Brave, in which you can import the file via "Trusted certificates", (not "Intermediate certificates"). \\   \\  The process is now complete. Now, you should be able to access your FreshTomato web interface using the custom certificates you created with your own CA. If something isn't working, review all steps and double-check that they were properly completed. \\   \\   \\
- \\  +
- \\  +
-''scp -O /root/ca/intermediate/client_keys/FT.key.pem /root/ca/intermediate/newcerts/FT.cert.pem root@FT'' \\  +
- \\  +
- \\  +
- \\  +
- \\  +
-Run the SSH command to connect via SSH to the root account on the host router named: "FT": \\  +
- \\  +
- \\  +
-''ssh root@FT'' \\  +
- \\  +
- \\  +
- \\  +
- \\  +
-Rename the file: "FT.key.pem" file to: "key.pem": \\  +
- \\  +
- \\  +
-''mv FT.key.pem key.pem'' \\  +
- \\  +
- \\  +
- \\  +
- \\   +
-Rename the file: "FT.key.pem" to cert.pem: \\  +
- \\  +
- \\  +
-''mv FT.cert.pem cert.pem'' \\  +
- \\  +
- \\  +
- \\  +
- \\  +
-Concatenate the contents of the "key.pem" and "cert.pem" files and write the combined content into new file: "/etc/server.pem": \\  +
- \\  +
- \\  +
-''cat key.pem cert.pem > /etc/server.pem'' \\  +
- \\  +
- \\  +
- \\  +
- \\  +
-Copy the "./cert.pem" file to the "/etc" directory: \\  +
- \\  +
- \\ +
-''cp ./cert.pem /etc/cert.pem'' \\  +
- \\  +
- \\  +
- \\  +
- \\   +
-Copy the "./key.pem" file to the "/etc" directory: \\  +
- \\  +
- \\  +
-''cp ./key.pem /etc/key.pem'' \\  +
- \\  +
- \\  +
- \\  +
- \\   +
-Run the stream text editor, make it open the "cert.pem" file in place, overwriting any changes and cutting off content after the words: "END CERTIFICATE": \\   +
- \\  +
- \\  +
-''sed -i "/END CERTIFICATE/q" /etc/cert.pem'' \\   +
- \\  +
- \\  +
- \\  +
- \\  +
-Run the tar command and compress the "cert.pem" and "key.pem files into the "/tmp/cert.tar" file, preserving all /path/ information) \\  +
- \\  +
- \\  +
-''/bin/tar -C / -cf /tmp/cert.tar etc/cert.pem etc/key.pem '' \\  +
- \\  +
- \\  +
- \\  +
- \\  +
-Run the gzip archive tool to further compress the "cert.tar" file (making it into a "tar.gzip" file): \\  +
- \\  +
- \\  +
-''/bin/gzip -f /tmp/cert.tar'' \\  +
- \\  +
- \\  +
- \\  +
- \\ +
- \\  +
-Encode the "/tmp/cert.tar.gz" tarball archive of SSL certificate files, encode it in base64 using OpenSSL, remove any newline characters from the encoded string, and then set this base64-encoded string as the value of the "https_crt_file" variable in NVRAM. \\  +
- \\  +
- \\  +
-''nvram set https_crt_file="$(/usr/sbin/openssl enc -base64 < /tmp/cert.tar.gz | tr -d '\n')"'' \\  +
- \\  +
- \\  +
- \\  +
- \\  +
-Commit all the changes to NVRAM: \\  +
- \\  +
- \\  +
-''nvram commit'' \\  +
- \\  +
- \\  +
- \\  +
- \\  +
-Finally, restart the HTTP daemon: \\  +
- \\  +
- \\  +
-''service httpd restart'' \\  +
- \\  +
- \\  +
- \\  +
-The "intermediate.cert.pem" file is now ready to be imported into your browser. The author uses Brave, in which you can import the file via "Trusted certificates", (not "Intermediate certificates"). \\  +
- \\  +
-The process is now complete. Now, you should be able to access your FreshTomato web interface using the custom certificates you created with your own CA. If something isn't working, review all steps and double-check that they were properly completed. \\  +
- \\  +
- \\ +
  
  
 ===== Set up a Custom SSL Cert - Notes and Troubleshooting ===== ===== Set up a Custom SSL Cert - Notes and Troubleshooting =====
- \\  + 
-Download the two configuration files needed to create the Custom Certificate Authority here: \\  + \\ Download the two configuration files needed to create the Custom Certificate Authority here: \\   \\   \\ 
- \\  +
- \\ +
   - {{ca.openssl.cnf.zip}}   - {{ca.openssl.cnf.zip}}
   - {{intermediateca.openssl.cnf.zip}}   - {{intermediateca.openssl.cnf.zip}}
- \\  + 
- \\  + \\   \\ The OpenSSL ccparam subcommand doesn't directly support adding a password to a key. However, it can be piped back through OpenSSL to give it an extra layer of protection. For example, typing the following will generate an elliptical curve key using the prive256v1 algorithm, and then pipe it directly to the second command. The second command, "openssl ec -aes256 -out yourkey.pem" takes the output from the first one, (an elliptical curve key), encrypts it, prompts you for a password to protect it and then outputs the final result to file"yourkey.pem".\\   \\ ''openssl ecparam -genkey -name prime256v1 | openssl ec -aes256 -out yourkey.pem'' 
-The OpenSSL ccparam subcommand doesn't directly support adding a password to a key. However, it can be piped back through OpenSSL to give it an extra layer of protection. For example, typing: \\  + 
- \\  + \\ 
-''openssl ecparam -genkey -name prime256v1 | openssl ec -aes256 -out yourkey.pem'' \\  + 
- \\  + \\ Since r2025.3, FreshTomato doesn't require the CN to match the Hostname. The following steps will allow you test your setup to verify this. However, please note that testing this could cause FreshTomato to overwrite your custom cert. If it does happens, upload your certificate again and SSH will still function fine. \\   \\ 
- \\  +
- \\  +
-Since r2025.3, FreshTomato doesn't require the CN to match the Hostname. The following steps will allow you test your setup to verify this. However, please note that testing this could cause FreshTomato to overwrite your custom cert. If it does happens, upload your certificate again and SSH will still function fine. \\  +
- \\ +
   * In the web interface, go to the [[admin_access|Admin Access]] menu and check the CN under "SSL Certificate". \\ \\    * In the web interface, go to the [[admin_access|Admin Access]] menu and check the CN under "SSL Certificate". \\ \\ 
   * Connect via SSH to FreshTomato and run the following commands:   * Connect via SSH to FreshTomato and run the following commands:
Line 621: Line 473:
   * If you clicked "Save" at the bottom of the page, or reboot the router from the web interface, your cert would be overwritten. \\ \\    * If you clicked "Save" at the bottom of the page, or reboot the router from the web interface, your cert would be overwritten. \\ \\ 
   * At this point you can go back to SSH and change back your CN and commit or, of test it further. \\   * At this point you can go back to SSH and change back your CN and commit or, of test it further. \\
 +
 + \\   \\   \\
  
  
custom_ssl_cert_local_cert_authority.1762990123.txt.gz · Last modified: by hogwild

Page Tools

Donate Powered by PHP Valid HTML5 Valid CSS Driven by DokuWiki