2

Using the following links I believe I was able to create and install a certificate and authority for my router so that when I connect to it via HTTPS it won't give me the warning screen about the site not being trusted, and so that I know that I can trust it:

  1. https://github.com/RMerl/asuswrt-merlin/wiki/Generating-OpenVPN-keys-using-Easy-RSA
  2. https://gist.github.com/davidbalbert/6815258
  3. https://www.techrepublic.com/blog/apple-in-the-enterprise/managing-ssl-certificate-authorities-on-os-x/

And in fact I no longer get the warning message, but the https:// in the address bar is crossed out with two red lines and I do get the following error message:

net::ERR_CERT_COMMON_NAME_INVALID

So, my questions are:

  1. Is it indeed not secure; did I miss something?
  2. Or is this just Google Chrome being finicky and nothing I do will remove this?
  3. Or is there some way to remove it permanently?
Giacomo1968
  • 58,727

1 Answer

0

After much investigating I found the solution in a number of steps:

  • Generate keys as in RMerl's Generating OpenVPN keys using Easy RSA

    • However, you first need to change SHA1 to SHA256 in pkitool in 2 or 3 places as in HTTPS, easy-rsa, sha256, nginx
    • In 'vars' make sure to uncomment and assign export KEY_CN=hostname (such as 192.168.1.1), this being the hostname you use to connect to your router (this makes me think accessing the router from both outside and in could be a problem; maybe DDNS would solve this problem?)
    • When completing step ./build-key-server server1, make sure server1 is the same hostname as above
    • I changed export KEY_SIZE=2048 instead of 1024, don't know if Chrome will accept 1024 or not
    • Other steps are as in this document (I finished the client step because that is where signing happens but I don't know if it is necessary; I don't use the file)

  • Follow steps in davidbalbert's How to install custom SSL certificates on an ASUS RT-N66U running asuswrt-merlin

    • In this case I directly copied 192.168.1.1.key to key.pem and 192.168.1.1.cert to cert.pem.
    • Make sure to read comments about replacing an existing certificate, if applicable.
  • Copy the new certificate file, ca.crt, to your Mac, as in Managing SSL Certificate Authorities on OS X

    • You may need to reboot your Mac.

This did the trick and the red lines and warning messages are all gone! Now I can safely log in to my router completely worry free from snooping; right?

For reference the firmware I have currently installed is version 3.0.0.4.380_4180

Giacomo1968
  • 58,727
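
A check for the properties the steps above set (SHA-256 signature, 2048-bit key, certificate name equal to the address typed into the browser), as an added example that is not part of the original answer. It assumes the OpenSSL command-line tool and an RSA key; the function names are illustrative, and it also reports a missing subjectAltName because current Chrome versions match the hostname against that extension rather than the CN.

```shell
#!/bin/sh
# Added example: audit a PEM certificate for the properties the steps set.
# Assumes the openssl CLI and an RSA key; function names are illustrative.

cert_sig_alg() {    # e.g. sha256WithRSAEncryption
    openssl x509 -in "$1" -noout -text |
        awk '/Signature Algorithm:/ {print $3; exit}'
}

cert_key_bits() {   # e.g. 2048
    openssl x509 -in "$1" -noout -text |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1
}

cert_has_san() {
    openssl x509 -in "$1" -noout -text |
        grep -q 'X509v3 Subject Alternative Name'
}

cert_matches() {    # $1 = cert, $2 = name typed into the browser
    case "$2" in
        *[!0-9.]*) opt=-checkhost ;;   # DNS name (e.g. a DDNS hostname)
        *)         opt=-checkip ;;     # IPv4 literal such as 192.168.1.1
    esac
    openssl x509 -in "$1" -noout "$opt" "$2" | grep -q 'does match certificate'
}

fetch_cert() {      # $1 = host, $2 = output file; reads the cert the router serves
    openssl s_client -connect "$1:443" </dev/null 2>/dev/null |
        openssl x509 -out "$2"
}

audit_cert() {      # returns 0 only when every check passes
    cert=$1; host=$2; rc=0
    case "$(cert_sig_alg "$cert")" in
        sha1*|md5*) echo "FAIL: weak signature hash"; rc=1 ;;
    esac
    [ "$(cert_key_bits "$cert")" -ge 2048 ] 2>/dev/null ||
        { echo "FAIL: RSA key shorter than 2048 bits"; rc=1; }
    cert_has_san "$cert" ||
        { echo "FAIL: no subjectAltName, name is in the CN only"; rc=1; }
    cert_matches "$cert" "$host" ||
        { echo "FAIL: certificate does not match $host"; rc=1; }
    return $rc
}

# Usage: sh audit.sh cert.pem 192.168.1.1
if [ $# -eq 2 ]; then audit_cert "$1" "$2"; fi
```

To audit the certificate the router is actually serving, call `fetch_cert 192.168.1.1 router.pem` first and pass `router.pem` to `audit_cert`.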