custom_ssl_cert_local_cert_authority

Differences

This shows you the differences between two versions of the page.

custom_ssl_cert_local_cert_authority [2025/11/25 22:42] – [Upload the Custom Certificates / Key to the Router and Write them to NVRAM] -Add "%" signs to stop quotes from becoming curly hogwildcustom_ssl_cert_local_cert_authority [2025/11/26 00:15] (current) – [Set up a Custom SSL Cert - Notes and Troubleshooting] hogwild
Line 452: Line 452:
  
 ===== Set up a Custom SSL Cert - Notes and Troubleshooting ===== ===== Set up a Custom SSL Cert - Notes and Troubleshooting =====
- \\  + 
-Download the two configuration files needed to create the Custom Certificate Authority here: \\  + \\ Download the two configuration files needed to create the Custom Certificate Authority here: \\   \\   \\ 
- \\  +
- \\ +
   - {{ca.openssl.cnf.zip}}   - {{ca.openssl.cnf.zip}}
   - {{intermediateca.openssl.cnf.zip}}   - {{intermediateca.openssl.cnf.zip}}
- \\  + 
- \\  + \\   \\ The OpenSSL ccparam subcommand doesn't directly support adding a password to a key. However, it can be piped back through OpenSSL to give it an extra layer of protection. For example, typing the following will generate an elliptical curve key using the prive256v1 algorithm, and then pipe it directly to the second command. The second command, "openssl ec -aes256 -out yourkey.pem" takes the output from the first one, (an elliptical curve key), encrypts it, prompts you for a password to protect it and then outputs the final result to file"yourkey.pem".\\   \\ ''openssl ecparam -genkey -name prime256v1 | openssl ec -aes256 -out yourkey.pem'' 
-The OpenSSL ccparam subcommand doesn't directly support adding a password to a key. However, it can be piped back through OpenSSL to give it an extra layer of protection. For example, typing: \\  + 
- \\  + \\ 
-''openssl ecparam -genkey -name prime256v1 | openssl ec -aes256 -out yourkey.pem'' \\  + 
- \\  + \\ Since r2025.3, FreshTomato doesn't require the CN to match the Hostname. The following steps will allow you test your setup to verify this. However, please note that testing this could cause FreshTomato to overwrite your custom cert. If it does happens, upload your certificate again and SSH will still function fine. \\   \\ 
- \\  +
- \\  +
-Since r2025.3, FreshTomato doesn't require the CN to match the Hostname. The following steps will allow you test your setup to verify this. However, please note that testing this could cause FreshTomato to overwrite your custom cert. If it does happens, upload your certificate again and SSH will still function fine. \\  +
- \\ +
   * In the web interface, go to the [[admin_access|Admin Access]] menu and check the CN under "SSL Certificate". \\ \\    * In the web interface, go to the [[admin_access|Admin Access]] menu and check the CN under "SSL Certificate". \\ \\ 
   * Connect via SSH to FreshTomato and run the following commands:   * Connect via SSH to FreshTomato and run the following commands:
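Review bot: The rewritten key-generation paragraph on the + side names things that do not match the command it documents. It says "ccparam subcommand" and "prive256v1 algorithm", while the command shown is ''openssl ecparam -genkey -name prime256v1'', so a reader who copies the names from the prose will get errors. Suggest "ecparam" and "prime256v1", and calling prime256v1 a curve rather than an algorithm, since it is passed to -name. The same paragraph also has "elliptical curve" (twice; the usual term is "elliptic curve"), a missing space in file"yourkey.pem", and the CN paragraph carries over "allow you test" and "If it does happens" unchanged from the old revision. It may be worth stating explicitly that the second command is what prompts for the passphrase and that the unencrypted key only passes through the pipe and is never written to a file, since that is the reason for piping instead of using -out on the first command.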
Line 476: Line 472:
   * When the router is accessible again you'll notice that the certificate is still working fine. \\ Go back to the [[admin_access|Admin Access]] page and you will see the CN is now "some.random.thing" \\ \\    * When the router is accessible again you'll notice that the certificate is still working fine. \\ Go back to the [[admin_access|Admin Access]] page and you will see the CN is now "some.random.thing" \\ \\ 
   * If you clicked "Save" at the bottom of the page, or reboot the router from the web interface, your cert would be overwritten. \\ \\    * If you clicked "Save" at the bottom of the page, or reboot the router from the web interface, your cert would be overwritten. \\ \\ 
-  * At this point you can go back to SSH and change back your CN and commit or, of test it further. \\  +  * At this point you can go back to SSH and change back your CN and commit or, of test it further. \\ 
- \\  + 
- \\  + \\   \\   \\
- \\ +
  
  
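Review bot: The last bullet in this hunk still reads "change back your CN and commit or, of test it further" on the + side; only the trailing line breaks changed, so the garbled "or, of test" survives the revision. Suggest "change your CN back and commit, or test it further". The bullet above it mixes tenses ("If you clicked "Save" ... or reboot the router ... your cert would be overwritten"); "If you click "Save" at the bottom of the page, or reboot the router from the web interface, your cert will be overwritten" would read more clearly as a warning, which matters here because this is the step where the custom certificate can be lost.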
custom_ssl_cert_local_cert_authority.1764110551.txt.gz · Last modified: by hogwild