custom_ssl_cert_local_cert_authority

custom_ssl_cert_local_cert_authority [2025/11/18 05:57] – [Set up a Custom SSL Cert using Local CA & Cert-Signing Request] hogwild
custom_ssl_cert_local_cert_authority [2025/11/26 00:15] (current) – [Set up a Custom SSL Cert - Notes and Troubleshooting] hogwild
Line 447: Line 447:
  
 ==== Upload the Custom Certificates / Key to the Router and Write them to NVRAM ==== ==== Upload the Custom Certificates / Key to the Router and Write them to NVRAM ====
- \\  + 
-Using the secure copy command (and legacy protocol), copy the: "FT.key.pem" file and the: ""FT.cert.pem" file from the Intermediate CA to the root user FreshTomato home directory (whose default name is assumed to be: "FT") \\  + \\  Using the secure copy command (and legacy protocol), copy the: "FT.key.pem" file and the: ""FT.cert.pem" file from the Intermediate CA to the root user FreshTomato home directory (whose default name is assumed to be: "FT") \\   \\   \\  ''scp -O /root/ca/intermediate/client_keys/FT.key.pem /root/ca/intermediate/newcerts/FT.cert.pem root@FT'' \\   \\   \\   \\   \\  Run the SSH command to connect via SSH to the root account on the host router named: "FT": \\   \\   \\  ''ssh root@FT'' \\   \\   \\   \\   \\  Rename the file: "FT.key.pem" file to: "key.pem": \\   \\   \\  ''mv FT.key.pem key.pem'' \\   \\   \\   \\   \\  Rename the file: "FT.key.pem" to cert.pem: \\   \\   \\  ''mv FT.cert.pem cert.pem'' \\   \\   \\   \\   \\  Concatenate the contents of the "key.pem" and "cert.pem" files and write the combined content into new file: "/etc/server.pem": \\   \\   \\  ''cat key.pem cert.pem > /etc/server.pem'' \\   \\   \\   \\   \\  Copy the "./cert.pem" file to the "/etc" directory: \\   \\   \\  ''cp ./cert.pem /etc/cert.pem'' \\   \\   \\   \\   \\  Copy the "./key.pem" file to the "/etc" directory: \\   \\   \\  ''cp ./key.pem /etc/key.pem'' \\   \\   \\   \\   \\  Run the stream text editor, make it open the "cert.pem" file in place, overwriting any changes and cutting off content after the words: "END CERTIFICATE": \\   \\   \\  ''sed -i %%"%%/END CERTIFICATE/q%%"%% /etc/cert.pem'' \\   \\   \\   \\   \\  Run the tar command and compress the "cert.pem" and "key.pem files into the "/tmp/cert.tar" file, preserving all /path/ information) \\   \\   \\  ''/bin/tar -C / -cf /tmp/cert.tar etc/cert.pem etc/key.pem '' \\   \\   \\   \\   \\  Run the gzip archive tool to further compress the "cert.tar" file (making it into a "tar.gzip" 
file): \\   \\   \\  ''/bin/gzip -f /tmp/cert.tar'' \\   \\   \\   \\   \\   \\  Encode the "/tmp/cert.tar.gz" tarball archive of SSL certificate files, encode it in base64 using OpenSSL, remove any newline characters from the encoded string, and then set this base64-encoded string as the value of the "https_crt_file" variable in NVRAM. \\   \\   \\  ''nvram set https_crt_file="$(/usr/sbin/openssl enc -base64 < /tmp/cert.tar.gz | tr -d '\n')"'' \\   \\   \\   \\   \\  Commit all the changes to NVRAM: \\   \\   \\  ''nvram commit'' \\   \\   \\   \\   \\  Finally, restart the HTTP daemon: \\   \\   \\  ''service httpd restart'' \\   \\   \\   \\  The "intermediate.cert.pem" file is now ready to be imported into your browser. The author uses Brave, in which you can import the file via "Trusted certificates", (not "Intermediate certificates"). \\   \\  The process is now complete. Now, you should be able to access your FreshTomato web interface using the custom certificates you created with your own CA. If something isn't working, review all steps and double-check that they were properly completed. \\   \\   \\
- \\  +
- \\  +
-''scp -O /root/ca/intermediate/client_keys/FT.key.pem /root/ca/intermediate/newcerts/FT.cert.pem root@FT'' \\  +
- \\  +
- \\  +
- \\  +
- \\  +
-Run the SSH command to connect via SSH to the root account on the host router named: "FT": \\  +
- \\  +
- \\  +
-''ssh root@FT'' \\  +
- \\  +
- \\  +
- \\  +
- \\  +
-Rename the file: "FT.key.pem" file to: "key.pem": \\  +
- \\  +
- \\  +
-''mv FT.key.pem key.pem'' \\  +
- \\  +
- \\  +
- \\  +
- \\   +
-Rename the file: "FT.key.pem" to cert.pem: \\  +
- \\  +
- \\  +
-''mv FT.cert.pem cert.pem'' \\  +
- \\  +
- \\  +
- \\  +
- \\  +
-Concatenate the contents of the "key.pem" and "cert.pem" files and write the combined content into new file: "/etc/server.pem": \\  +
- \\  +
- \\  +
-''cat key.pem cert.pem > /etc/server.pem'' \\  +
- \\  +
- \\  +
- \\  +
- \\  +
-Copy the "./cert.pem" file to the "/etc" directory: \\  +
- \\  +
- \\ +
-''cp ./cert.pem /etc/cert.pem'' \\  +
- \\  +
- \\  +
- \\  +
- \\   +
-Copy the "./key.pem" file to the "/etc" directory: \\  +
- \\  +
- \\  +
-''cp ./key.pem /etc/key.pem'' \\  +
- \\  +
- \\  +
- \\  +
- \\   +
-Run the stream text editor, make it open the "cert.pem" file in place, overwriting any changes and cutting off content after the words: "END CERTIFICATE": \\   +
- \\  +
- \\  +
-''sed -i "/END CERTIFICATE/q" /etc/cert.pem'' \\   +
- \\  +
- \\  +
- \\  +
- \\  +
-Run the tar command and compress the "cert.pem" and "key.pem files into the "/tmp/cert.tar" file, preserving all /path/ information) \\  +
- \\  +
- \\  +
-''/bin/tar -C / -cf /tmp/cert.tar etc/cert.pem etc/key.pem '' \\  +
- \\  +
- \\  +
- \\  +
- \\  +
-Run the gzip archive tool to further compress the "cert.tar" file (making it into a "tar.gzip" file): \\  +
- \\  +
- \\  +
-''/bin/gzip -f /tmp/cert.tar'' \\  +
- \\  +
- \\  +
- \\  +
- \\ +
- \\  +
-Encode the "/tmp/cert.tar.gz" tarball archive of SSL certificate files, encode it in base64 using OpenSSL, remove any newline characters from the encoded string, and then set this base64-encoded string as the value of the "https_crt_file" variable in NVRAM. \\  +
- \\  +
- \\  +
-''nvram set https_crt_file="$(/usr/sbin/openssl enc -base64 < /tmp/cert.tar.gz | tr -d '\n')"'' \\  +
- \\  +
- \\  +
- \\  +
- \\  +
-Commit all the changes to NVRAM: \\  +
- \\  +
- \\  +
-''nvram commit'' \\  +
- \\  +
- \\  +
- \\  +
- \\  +
-Finally, restart the HTTP daemon: \\  +
- \\  +
- \\  +
-''service httpd restart'' \\  +
- \\  +
- \\  +
- \\  +
-The "intermediate.cert.pem" file is now ready to be imported into your browser. The author uses Brave, in which you can import the file via "Trusted certificates", (not "Intermediate certificates"). \\  +
- \\  +
-The process is now complete. Now, you should be able to access your FreshTomato web interface using the custom certificates you created with your own CA. If something isn't working, review all steps and double-check that they were properly completed. \\  +
- \\  +
- \\ +
  
  
 ===== Set up a Custom SSL Cert - Notes and Troubleshooting ===== ===== Set up a Custom SSL Cert - Notes and Troubleshooting =====
- \\  + 
-Download the two configuration files needed to create the Custom Certificate Authority here: \\  + \\ Download the two configuration files needed to create the Custom Certificate Authority here: \\   \\   \\ 
- \\  +
- \\ +
   - {{ca.openssl.cnf.zip}}   - {{ca.openssl.cnf.zip}}
   - {{intermediateca.openssl.cnf.zip}}   - {{intermediateca.openssl.cnf.zip}}
- \\  + 
- \\  + \\   \\ The OpenSSL ccparam subcommand doesn't directly support adding a password to a key. However, it can be piped back through OpenSSL to give it an extra layer of protection. For example, typing the following will generate an elliptical curve key using the prive256v1 algorithm, and then pipe it directly to the second command. The second command, "openssl ec -aes256 -out yourkey.pem" takes the output from the first one, (an elliptical curve key), encrypts it, prompts you for a password to protect it and then outputs the final result to file"yourkey.pem".\\   \\ ''openssl ecparam -genkey -name prime256v1 | openssl ec -aes256 -out yourkey.pem'' 
-The OpenSSL ccparam subcommand doesn't directly support adding a password to a key. However, it can be piped back through OpenSSL to give it an extra layer of protection. For example, typing: \\  + 
- \\  + \\ 
-''openssl ecparam -genkey -name prime256v1 | openssl ec -aes256 -out yourkey.pem'' \\  + 
- \\  + \\ Since r2025.3, FreshTomato doesn't require the CN to match the Hostname. The following steps will allow you test your setup to verify this. However, please note that testing this could cause FreshTomato to overwrite your custom cert. If it does happens, upload your certificate again and SSH will still function fine. \\   \\ 
- \\  +
- \\  +
-Since r2025.3, FreshTomato doesn't require the CN to match the Hostname. The following steps will allow you test your setup to verify this. However, please note that testing this could cause FreshTomato to overwrite your custom cert. If it does happens, upload your certificate again and SSH will still function fine. \\  +
- \\ +
   * In the web interface, go to the [[admin_access|Admin Access]] menu and check the CN under "SSL Certificate". \\ \\    * In the web interface, go to the [[admin_access|Admin Access]] menu and check the CN under "SSL Certificate". \\ \\ 
   * Connect via SSH to FreshTomato and run the following commands:   * Connect via SSH to FreshTomato and run the following commands:
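Review bot: the new (right-hand) text of the Notes section, in the paragraph beginning "The OpenSSL ccparam subcommand", describes the command with names that do not match the code span it introduces and that would fail if typed: "ccparam" should read ''ecparam'', "prive256v1" should read ''prime256v1'' (the names actually used in the span), and "elliptical curve" should read "elliptic curve". While aligning the prose, suggest adding ''-noout'' so that only the key block, not the EC parameters block, is piped into the second command: ''openssl ecparam -genkey -name prime256v1 -noout | openssl ec -aes256 -out yourkey.pem''. Three further points in the upload section of this hunk. The step introduced as 'Rename the file: "FT.key.pem" to cert.pem' runs ''mv FT.cert.pem cert.pem'', so the sentence should name FT.cert.pem; and "tar.gzip" should read "tar.gz", the name gzip produces and the name the ''nvram set'' step reads from /tmp. The procedure also leaves the unencrypted private key as working copies in the root home directory and as /tmp/cert.tar.gz in addition to the base64 copy in NVRAM, and no step removes them after ''nvram commit''; suggest a cleanup line such as ''rm -f key.pem cert.pem /tmp/cert.tar.gz'' once the archive has been committed. Finally, the explanation of ''sed -i "/END CERTIFICATE/q" /etc/cert.pem'' should say plainly that it keeps only the first certificate in the file, so a chain is truncated to the leaf and the intermediate is not served by httpd; that is why the closing paragraph has the reader import intermediate.cert.pem into the browser's "Trusted certificates", and it is worth one sentence noting that a browser which trusts the intermediate directly will trust every certificate that intermediate signs, which is the reason the Notes section's password-protected key matters.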
Line 584: Line 472:
   * When the router is accessible again you'll notice that the certificate is still working fine. \\ Go back to the [[admin_access|Admin Access]] page and you will see the CN is now "some.random.thing" \\ \\    * When the router is accessible again you'll notice that the certificate is still working fine. \\ Go back to the [[admin_access|Admin Access]] page and you will see the CN is now "some.random.thing" \\ \\ 
   * If you clicked "Save" at the bottom of the page, or reboot the router from the web interface, your cert would be overwritten. \\ \\    * If you clicked "Save" at the bottom of the page, or reboot the router from the web interface, your cert would be overwritten. \\ \\ 
-  * At this point you can go back to SSH and change back your CN and commit or, of test it further. \\  +  * At this point you can go back to SSH and change back your CN and commit or, of test it further. \\ 
- \\  + 
- \\  + \\   \\   \\
- \\ +
  
  
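Review bot: the last bullet on both sides, "change back your CN and commit or, of test it further", is ungrammatical as written; suggest "change back your CN and commit, or test it further". The same bullet should also spell out which commit is meant: the preceding bullet states that clicking "Save" in the web interface or rebooting from it overwrites the certificate, so the reader needs to be told to commit from the SSH session with ''nvram commit'' (the command the upload section already uses) rather than from the Admin Access page.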
custom_ssl_cert_local_cert_authority.1763445470.txt.gz · Last modified: by hogwild