Web Admin Mod w/ SSL intermediate certificates

Discussion in 'Tomato Firmware' started by godyang, Apr 5, 2012.

  1. godyang

    godyang Serious Server Member

    1. Introduction

    I *very slightly* modified Toastman's source code to support SSL intermediate certificates. Intermediate certificates are also called "chain certificates", and typically commercial certificate authorities (CAs) use them. If you plan to install a commercial certificate on your router, you may need this mod.

    This simple mod is also useful if you want to deploy your private CA's root certificate via web admin pages. The original firmware only sends the server's certificate, so users have to manually download and install the root CA certificates. However with this mod, all chain certificates, including the root, can be visible on their web browsers.

    Please note that this mod is compatible to the original firmware, so anyone can install this mod regardless whether you need intermediate certificates or not. It doesn't even require to reconfigure your router.

    2. Download

    Binary based on Toastman's mod:
    MD5SUM: d2bb36dee7af8ec08cec17322c60f574
    SHA1SUM: 8326a735a7e5762151fd47f35dbd48938f52f98d
    (I'm sorry, but this is the only available binary now. I hope other modders to accept my simple diff, and build for many different environments.)

    Source diff:

    3. Root/Intermediate Certificate Installation

    (i) First off, follow TomatoUSB website's instruction. Yes, yes, I know the instruction doesn't deal with intermediate certificates, but just follow it first.

    (ii) Combile all PEM-formatted certificates together. The combined file should have not only your server certificate, but all the intermediate certificates. If you want to deploy your private root CA certificate, you may include it, too.

    Please note that your server certificate MUST be on top of the combined file. Thus, the new file will look like this:
    ... Server Certificate ...
    -----END CERTIFICATE-----
    ... CA Certificate 1 ...
    -----END CERTIFICATE-----
    ... CA Certificate 2 ...
    -----END CERTIFICATE-----
    (iii) Replace "/etc/cert.pem" by the combined file, and replace "/etc/key.pem" by your server private key.

    (iv) Tar and gzip all certificates and private key:
    tar -C / -czf /tmp/cert.tgz etc/cert.pem etc/key.pem
    (v) Save the compressed file to nvram:
    nvram setfb64 https_crt_file /tmp/cert.tgz
    nvram commit
    (vi) Restart the httpd service
    service httpd restart
  2. lancethepants

    lancethepants Network Guru Member

    That's pretty slick. That'd be nice to see this incorporated into newer releases of tomato. Maybe you can submit the patch, or get git repo access.
  3. mieszk3

    mieszk3 Serious Server Member

    Could you correct links if possible because these are dead.
  4. MatteoV

    MatteoV Networkin' Nut Member

    @Victek is this integrated in TomatoRAF?

  5. yodaphone

    yodaphone Reformed Router Member


    I tried & it works, but i lose the SSL Setup when i reboot. it defaults back to self signed cert. any idea why?
  6. KillerOfShadows

    KillerOfShadows New Member Member

    Hey yodaphone,

    I have the same issue occurring on AdvancedTomato 3.0-132 K26ARM USB AIO-64K on my Linksys EA6700. I'm not sure why it does this however in my case I did a workaround to fix this problem.

    I run a script on USB mount at USB & NAS, USB Support > Run after mounting
    rm /etc/cert.pem
    rm /etc/key.pem
    cp /mnt/RouterData/ssl/cert.pem /etc
    cp /mnt/RouterData/ssl/key.pem /etc
    service httpd restart
    What it does is accesses the USB drive I have connected (called RouterData) and copies the SSL cert and key from the ssl folder and then restarts the daemon (it deletes the generated certificate before doing this). You could also do something similar with under the Init script with the jffs file system.
    yodaphone likes this.
  7. yodaphone

    yodaphone Reformed Router Member

    Thanks... this works.

    None the less wonder why this happens?
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice