RVL200 Certificate Management

Discussion in 'Cisco Small Business Routers and VPN Solutions' started by spaminacan, Sep 1, 2007.

  1. spaminacan

    spaminacan LI Guru Member

    I have a quick question. Or maybe I am just showing off my noobness.

    SSL Certificates require 3 types of verification to authenticate.

    1. A valid CA authority.
    2. A valid server side certificate authorized by a valid CA authority.
    3. A valid client side certificate authorized by the same CA authority as the server.

    I absolutely love my rvl200, but I get nervous when connecting to it from outside my network. I have viewed the certificate and I have installed it on the remote computer I am accessing it from. I even see the thumbprint that it accepts so I have a warm and fuzzy feeling that everything is ok. The problem is that I still see the certificate error (symbolized by the red shielded X in IE7).

    How do I fix this? I believe I am getting this error because the name of the device does not match the name on the certificate. I could fix this by importing my own personally signed certificate, but I know that since that is what I want, I can't have it. Yes, I know that Linksys routers only accept certificates that they generate.

    How do I fix this?

  2. xlr8

    xlr8 LI Guru Member

    Here's what I did and it seemed to work nicely on my RVL200 and I don't get any SSL errors any more.

    Download and install OpenSSL ( http://www.slproweb.com/products/Win32OpenSSL.html ) - you really only need OpenSSL light.

    Open up a command prompt and browse to the directory where openssl was installed.

    Run the following commands:
    openssl genrsa -out key.pem 1024
    *a secure key will be generated

    openssl req -new -key key.pem -out request.pem
    *a certificate request will be generated; you will be prompted for information... for "Common Name" be sure to put the domain name you use to access your RVL200.

    openssl req -x509 -days 3652 -key key.pem -in request.pem -out certificatetemp.pem
    *turns your request into a certificate (expires in 10 years)

    copy /B "key.pem"+"certificatetemp.pem" "certificate.pem"
    *concatenates the key and the certificate so it'll install on your RVL200.

    After you do that you can import certificate.pem into your RVL200. It should take it. The first time you browse to your RVL200, you'll need to install the certificate in your trusted root certification authorities (since it's self-generated) and you'll be set.
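    The same four steps as a shell script, added here as an example that is not part of xlr8's post (it uses OpenSSL on Linux/macOS rather than the Windows build linked above), with two changes a practitioner would make today: a 2048-bit key instead of 1024, and the hostname placed in a Subject Alternative Name as well as the Common Name, since current browsers match the URL hostname against the SAN and ignore the CN. It also adds the checks worth running before importing: that the key and certificate belong together, that the name matches the hostname you browse to (the mismatch is what produces the red X), and the SHA-256 fingerprint to compare against the thumbprint the browser shows on first connection. The hostname rvl200.example.net, the output directory and the function names are assumptions; whether the RVL200 accepts a 2048-bit key or a SAN extension is not confirmed by this thread, only the post's 1024-bit CN-only certificate was reported to work.

```shell
#!/bin/sh
# Added example, not from the forum post. Mirrors xlr8's four commands with
# OpenSSL on Linux/macOS: key -> request -> self-signed cert -> key+cert bundle.
# Assumptions: hostname rvl200.example.net and the output directory are
# placeholders; the function names are this example's own.
set -e

# Write key.pem, request.pem, certificatetemp.pem and the combined
# certificate.pem into "$2" for the hostname "$1".
make_rvl200_cert() {
    host="$1"
    outdir="$2"
    mkdir -p "$outdir"

    # 2048-bit RSA rather than the 1024-bit key in the post; 1024 bits is
    # below today's baseline. No passphrase, as in the post, so the router
    # can load the key unattended.
    openssl genrsa -out "$outdir/key.pem" 2048 2>/dev/null

    # Certificate request; -subj supplies the Common Name non-interactively
    # (the post has you type the hostname at the "Common Name" prompt).
    openssl req -new -batch -key "$outdir/key.pem" -subj "/CN=$host" \
        -out "$outdir/request.pem"

    # Turn the request into a self-signed certificate valid ~10 years.
    # -addext also puts the hostname in a subjectAltName: browsers since
    # 2017 match the hostname against the SAN and ignore the CN.
    openssl req -x509 -days 3652 -key "$outdir/key.pem" -in "$outdir/request.pem" \
        -addext "subjectAltName=DNS:$host" -out "$outdir/certificatetemp.pem"

    # Same as the post's: copy /B "key.pem"+"certificatetemp.pem" "certificate.pem"
    cat "$outdir/key.pem" "$outdir/certificatetemp.pem" > "$outdir/certificate.pem"
}

# Exit 0 when the certificate's CN/SAN matches the hostname you browse to;
# a mismatch here is exactly what produces the browser's certificate warning.
cert_matches_host() {
    openssl x509 -in "$2" -noout -checkhost "$1" | grep -q " does match "
}

# Exit 0 when the private key and certificate carry the same public key,
# i.e. the two halves of certificate.pem belong together.
key_matches_cert() {
    [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = \
      "$(openssl x509 -in "$2" -noout -pubkey)" ]
}

# SHA-256 fingerprint to compare against the thumbprint the browser shows
# the first time it connects, before you add the certificate to the trust store.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Stand-alone use: ./rvl200-cert.sh rvl200.example.net ./out
if [ "$#" -ge 1 ]; then
    dir="${2:-./rvl200-cert}"
    make_rvl200_cert "$1" "$dir"
    key_matches_cert "$dir/key.pem" "$dir/certificatetemp.pem"
    cert_matches_host "$1" "$dir/certificatetemp.pem"
    echo "certificate.pem ready; SHA-256 fingerprint: $(cert_fingerprint "$dir/certificatetemp.pem")"
fi
```

    Run it with the hostname you type into the browser; the fingerprint it prints is what you compare against the certificate details in the browser on the first visit, so that you are trusting the certificate you generated and not one substituted on the path.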
  3. Toxic

    Toxic Administrator Staff Member

    I hope this works, I'd like this to be added to the Tutorials!

    Nice find!
  4. spaminacan

    spaminacan LI Guru Member

    You are the MAN!!!!

    Better yet...

    You are the guy who knows the MAN!!!! You don't want to be the MAN because everyone starts gunning for you ehhehehe.

    Yes, Yes, Yes it worked. Thank you so much, I cannot tell you how much it was driving me nuts.

    I would highly recommend this be put into the documentation.

    XLR8 thank you again.

  5. xlr8

    xlr8 LI Guru Member

    Happy to have helped and glad it worked for you. It's nice not having a certificate error every time you hit your VPN page. :)
  6. RVL200 SSL VPN using OpenSSL cert

    Thanks for awesome tutorial ... worked great for me also.
    Question: Is it possible to restrict access to RVL200 using client certs?


  7. rhyven

    rhyven Guest

    Automation script for RVL200 VPN

    Thanks so much. Worked perfectly, not particularly confusing even for someone not well versed in certificates.

    To help users with the rigmarole in making the initial connection to the VPN, I made a batch file & uploaded it to my website. Users then first run the script from there, which sets everything up. Thought I'd post the script here in case it helps anyone in the future:

    REM Add server to the hosts file to get around DNS issue.  Replace SERVER_NAME
    REM with the name of your server, and enter the correct IP Address for it.
    REM NOTE this part of the script deletes the current hosts file & recreates it; if
    REM you've got stuff in your hosts file that you want to keep, simply delete the
    REM second line.
    attrib -r %windir%\system32\drivers\etc\hosts
    echo 127.0.0.1  localhost > %windir%\system32\drivers\etc\hosts
    echo 192.168.xxx.xx  SERVER_NAME >> %windir%\system32\drivers\etc\hosts
    REM This next part creates a shortcut to your VPN Sign-in page on the desktop.
    REM Make sure you change the part that says STATIC_IP_GOES_HERE.  Replace
    REM it with either your static IP address or a URL pointing to your VPN server.
    echo [InternetShortcut] > "%USERPROFILE%\Desktop\VPN.url"
    echo URL=https://STATIC_IP_GOES_HERE/ >> "%USERPROFILE%\Desktop\VPN.url"
    echo IDList=[{000214A0-0000-0000-C000-000000000046}] >> "%USERPROFILE%\Desktop\VPN.url"
    echo Prop3=19,11 >> "%USERPROFILE%\Desktop\VPN.url"
    REM The next part creates the certificate in the user's folder.  You will need to
    REM use a text editor to read the certificate, and paste the certificate details in
    REM place of the xxx's.  There should be about 17 lines of certificate.
    echo -----BEGIN CERTIFICATE----- > "%USERPROFILE%\VPN.cer"
    echo xxxxxxxxxxxxxxxxxxxxxxxxxxxxx >> "%USERPROFILE%\VPN.cer"
    echo xxxxxxxxxxxxxxxxxxxxxxxxxxxxx >> "%USERPROFILE%\VPN.cer"
    echo xxxxxxxxxxxxxxxxxxxxxxxxxxxxx >> "%USERPROFILE%\VPN.cer"
    echo -----END CERTIFICATE----- >> "%USERPROFILE%\VPN.cer"
    REM The following line runs the certificate, which will prompt the user to add it
    REM to the Trusted Cert store. The user simply clicks Start, Next, Next, Finish, Yes.
    REM start /wait keeps the script from deleting the file before the dialog is closed.
    start /wait "" "%USERPROFILE%\VPN.cer"
    REM Finally, the script deletes the certificate from the user's folder.
    del "%USERPROFILE%\VPN.cer"
    Copy the code above and save it as a .cmd file. You can then upload the .cmd file to your website. Users can then run the script by clicking Start -> Run... and entering the following command (again, replacing the URL and file name with those applicable to your setup):

    iexplore http://www.xxxxxxxxx.com/installVPN.cmd
    Hope this helps someone.

    - Eric
  8. leo168

    leo168 Guest

    Is it possible to restrict access to RVL200 using client certs?

    Thanks, I have the same question:

    Is it possible to restrict access to RVL200 using client certs?

    It feels quite scary when anyone can access your entire network if they simply know your username and password. I am going to only let a few laptops access my network...

    Thanks in advance:thumbup:
