1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

how do i create a https certificate

Discussion in 'Tomato Firmware' started by petm, Sep 27, 2010.

  1. petm

    petm Networkin' Nut Member


    i found it a good idea to have the web admin interface of my WRT54GL 1.1 with tomato 1.28 use https instead of http.
    it works, but everytime the browser warns me about an unsafe site (naturally). what exact steps do i have to perform to make my browsers (in this case chrome) trust the router? i use the access internally and externally (dyndns), if that is important. if some os tools are needed for that, i run windows xp.

  2. srouquette

    srouquette Network Guru Member

  3. occamsrazor

    occamsrazor Network Guru Member

    Doesn't directly answer your question but you could just use Firefox and check the "Permanently accept this exception" box the first time the security pop-up appears. After that you'll never see it again...
  4. GreenThumb

    GreenThumb Addicted to LI Member

    No you don't. You can create your own.

    Creating the certificate is easy, but actually putting it on the router is the hard part. I have asked the board about how to do this before and no one responded. Tomato uses weak 512 bit RSA keys for the built-in certs, so I figured I would create my own and put in on there. I created the cert but, again, can't figure out how to transfer it to the router and make it work.
  5. petm

    petm Networkin' Nut Member

    i like that reply. what exactly IS such a certificate? a small text file or something? how do you create it? and what is the problem with putting it on the router? you can just put it somewhere where you can access it using cifs, maybe copy it to jffs2. and then maybe enter the path for the https certificate option?
    would it work that way, or is the problem deeper than that?
  6. petm

    petm Networkin' Nut Member

    i just saw that option i had in mind is called common name and therefor doesnt seem to be a path.

    SSL Certificate
    Common Name (CN) (optional; space separated)
    Save In NVRAM

    what might those mean? looks like something can be done there.
  7. Jedis

    Jedis LI Guru Member

    Just put in your init script tab:

    echo "XXXXXXXXXXX" > /path/to/storeit

    where XXX is the contents of the certificate file.
  8. petm

    petm Networkin' Nut Member

    is still dont know how i get a suitable certificate file. also where do you suggest to put it for this to work?
    or dont you know anything about the topic and just wanted to explain the ">"?
  9. GreenThumb

    GreenThumb Addicted to LI Member

  10. petm

    petm Networkin' Nut Member

    i know that google is my friend, actually i regularly tell people that same phrase.
    but even following your link it's not obvious for me that that is what i am looking for.
    the problem is not that i dont know how to google but that i dont know how that certificate stuff works. so please bear with me a little longer, i am sure i am not the only one.
    so let's say your link enables me to create a certificate (a file, right?), what would i do with it, where on the router do i have to put it?

  11. nojuan

    nojuan Networkin' Nut Member


    Tomato generates self signed certificates for you.
    On the Admin page you enter a Common Name (CN), click regenerate and save in nvram.

    When you login via https you get an invalid cert message (Firefox) due to a self signed certificate. You can view the certificate details (and export also) to verify. You can then accept the certificate.

    Hope this helps.
  12. petm

    petm Networkin' Nut Member

    alright, thanks. chrome now says that the router "presented a certificate issued by an entity that is not trusted by your computer's operating system".
    where can i see which entities are trusted by my windows xp? how can i tell it to trust my router?
  13. srouquette

    srouquette Network Guru Member

    That's what I replied.
    (@GreenThumb: he was talking about how his router can trust his certificate)

    Open Chrome settings, tab advanced settings, there's a button "certificates", click on that and look at the tabs. That's the list of trusted companies which create trusted certificates.
  14. petm

    petm Networkin' Nut Member

    ok. i see the tabs. which one do i choose and how do i add my routers certificate? apparently i have to import some file, not simply type an address.
  15. nojuan

    nojuan Networkin' Nut Member

    To add the certificate click "proceed anyway".
    Look in your settings again you will find it under personal certificate.
    You can verify the certificate before accepting by clicking the https lock icon.

    However, this looks like it is not supported in Chrome.
    The connection message that pops up when you click the https icon says
    "the server does not support TLS renegotiate extension".

    I can get it to work in Firefox and Opera.
  16. petm

    petm Networkin' Nut Member

    it says
    The connection had to be retried using SSL 3.0. This typically means that the server is using very old software and may have other security issues.
    The server does not support the TLS renegotiation extension.

    sounds like there is something which could be updated in tomato to fix this. or does chrome detect that wrongly?
    is that TLS thing what is necessary to verify the certificate?
  17. GreenThumb

    GreenThumb Addicted to LI Member

    Why does he need a list of "trusted companies?" Tomato generates its own self-signed certs. The whole point of this thread is to get the self-signed certs to be accepted by the browser. Again, you do NOT have to use a Certificate Authority to create certs. Anyone can create one. The problem is the browsers only trust certs from the CA's.

    My real question, though, is how can I transfer one of my certs I created to the router? I don't need a CA for my cert since it will be used by me and me alone.
  18. DavidCLT

    DavidCLT New Member Member

    With letsencrypt you no longer need to pay for a certificate so your browser. Tomato can't use the service to get it's own certificate . . . yet, but with a little work, you too can have a legitimate certificate for your secure connection. If there's any interest, I'll be happy to write up the steps.
    Johnny 5, The Master, Goggy and 2 others like this.
  19. The Master

    The Master LI Guru Member


    That would be very nice if you could make a how to with tomato.

    Thank you.

Share This Page