XII. Firewall/Security Features
How to apply a trusted certificate for HTTPS Router Management
SSL/TLS certificates are used by web browsers and other software to determine whether a site can be trusted for secured HTTPS communication. When accessing an HTTPS website, the client (typically the web browser) examines the site's certificate and checks that it is valid: that the current date falls within the certificate's validity period, that the hostname being accessed matches a name in the certificate, and that the certificate was signed by a certificate authority the browser trusts.
A site's certificate is normally signed by a third-party certificate authority (CA), which acts as the 'trusted third party' confirming that the certificate is authentic and not forged. Each browser (or the operating system it relies on) ships with a list of trusted certificate authorities, and it checks whether the site's certificate chains up to one of those trusted third parties.
If the details are valid and the certificate authority that signed the site's certificate is recognised by the browser, the browser loads the site and shows the certificate as valid. If the certificate authority is not recognised, or details such as the hostname do not match the site being accessed, the browser shows a warning and it is not possible to proceed to the site without adding an exception. An exception only suppresses the warning; it does not make the connection any more trustworthy.
To create a certificate that is recognised by others, it needs to be signed by a certificate authority. A certificate authority will only sign a certificate once it has verified that the requester controls the domain that the certificate is for, for example by contacting an address registered for the domain or by having the requester publish a record under it. In practice this means that the ability to create a certificate for router.example.com requires the requester to have been granted authority to request certificates for subdomains of example.com, so it is typically not possible to create certificates for DDNS hostnames without contacting the owner of the domain (e.g. the DDNS provider, who may offer this as a service) or having your own domain.
Note: To configure the router with a custom self-signed certificate, which would not be signed by a certificate authority but by the router itself, follow this guide instead.
This example will use the subdomain "ssldemo.mailroute44.com" as the host name for the router and a free Certificate Authority called CAcert to sign the router's generated certificate. CAcert is not a Certificate Authority that web browsers recognise by default, so it is necessary to install CAcert's root certificate in the browser for the router's certificate to be recognised as valid.
The principles explained would be similar with other Certificate Authorities, but the step of installing the Root Certificate would not be required if the Certificate Authority's root certificate is already recognised by the web browser, as it would be for the larger CAs such as Comodo, Symantec, Go Daddy, GlobalSign, DigiCert and StartCom.
In a scenario where the router's interface would be customer facing, such as when using User Management with HTTPS, it would be helpful to have the certificate signed by a widely recognised authority so that end users' browsers would be able to recognise the validity of the certificate without any additional work needed. Check with the Certificate Authority being considered directly to see if they are included in web browsers.
When accessing a router using HTTPS, the router will use its self-signed certificate, which browsers will not accept: its subject does not match the hostname being used to reach the router and it is not signed by a trusted certificate authority. To resolve this, it's necessary to generate a certificate request on the router with details that match the way in which it will be accessed, have it signed by a trusted certificate authority, then upload the signed certificate to the router and select it for use with the router's SSL VPN / HTTPS Management interface. Because the private key is generated on the router and never leaves it, only the request and the signed certificate are exchanged with the CA.
Please note that the time and timezone of the router should both be correct before generating a certificate: the router uses its clock when creating and validating certificates, so a wrong clock can leave the imported certificate showing as not yet valid or already expired. These can be configured under [System Maintenance] > [Time and Date] by setting the router to "Use Internet Time" so that it gets its time from an NTP server.
To generate a certificate on the router, go to [Certificate Management] > [Local Certificate] and on there, click GENERATE.
After clicking Generate, there will be options shown for configuring the certificate. This example uses the Domain Name as the Subject Alternative Name, and the Common Name (CN) is also set to the domain name used for the router. The Key Size has been increased to 2048 Bit; public certificate authorities will not sign requests for RSA keys shorter than 2048 bits, so treat this as the minimum rather than an optional improvement.
Click the Generate button to generate a certificate.
Go to your Certificate Authority's page and create a new Server Certificate (naming may vary by provider):
In the router's web interface, go to [Certificate Management] > [Local Certificate] and click View for the certificate just generated. The state will show as Requesting until the signed certificate comes back from the certificate authority:
The router will then show the certificate's details along with the certificate signing request (CSR) in PEM format, which is the text from the -----BEGIN CERTIFICATE REQUEST----- line to the -----END CERTIFICATE REQUEST----- line. Select all of the text in that text box, including those two lines, and copy it to the clipboard on the computer:
The Certificate Authority's page should require text in the same format so paste that in similarly to how it's shown below, add any other details as required by the CA then click Submit to continue the process:
The Certificate Authority may require a secondary confirmation which may show details from the certificate to confirm that the details are correct, click Submit to continue:
The Certificate Authority should then generate text similar to what's shown. Select the text from the -----BEGIN CERTIFICATE----- line up to and including the -----END CERTIFICATE----- line and paste it into a plain text editor such as Notepad:
In the text editor, select Save As... to save the file as plain text with a .pem extension, so this example will use RouterCert.pem. Make sure nothing is added before the BEGIN line or after the END line, as the router will only accept a file it can parse:
This can then be loaded on the router by going to [Certificate Management] > [Local Certificate], on there, click the IMPORT button:
On the Import page, click Browse in the Upload Local Certificate section and point it to the .pem file created; the router will then show the filename of the selected certificate file. Click Import to load the certificate onto the router:
That will then upload through the router's web interface and will show a success message if the details are correct and the certificate uploads successfully:
Click Back as suggested which will go back to the Local Certificates view, the certificate should now show a state of OK instead of Requesting:
To use the certificate on the router instead of the self-signed certificate, go to [SSL VPN] > [General Setup] and set the Server Certificate to the one uploaded to the router, then click OK to apply the change:
Routers with firmware versions that support the DNS Filter will also need to have the host name configured under [System Maintenance] > [Management] under the Domain name allowed field, otherwise the router will block access from the hostname if the DNS Filter is enabled:
When accessing the router in a web browser, it should now show as a valid certificate. Please note that for this to work with the CAcert authority used in this example, the browser must have CAcert's root certificate added as a Trusted Certificate Authority following the details on their website; until it is, the browser will show the same warning as it did for the self-signed certificate. Bear in mind that trusting a root certificate means trusting every certificate that authority issues, not just the router's, so only install roots from authorities you are prepared to rely on.
When checking the certificate, it should show the domain details used to identify the site in the Common Name (CN) field. Check the Subject Alternative Name field as well: current browsers match the hostname against the SAN entries and ignore the CN, which is why the example above put the domain name in both:
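The flow above (generate a request on the device, have a CA sign it, then check what a browser will check) can be rehearsed offline with openssl before touching the router. The following is an added example and is not part of the DrayTek article: a locally generated key stands in for the router's key (the real one never leaves the device), a locally created root CA stands in for CAcert, and the hostname is the article's example name. It confirms that the signed certificate carries the CSR's public key, that the hostname is present in the SAN, and that verification succeeds only when the root is trusted and the name matches.

```shell
#!/bin/sh
# Added example (not from the DrayTek article). Assumptions: openssl is on the
# PATH, the locally generated key stands in for the router's own key, and the
# locally created root CA stands in for CAcert.
set -eu

HOST="ssldemo.mailroute44.com"   # the article's example hostname
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Step 1: what the router's GENERATE step produces: a 2048-bit RSA key that
# stays on the device, and a CSR carrying the hostname as CN and as a SAN.
make_router_csr() {
    cat > "$WORK/req.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
req_extensions = ext
[dn]
CN = $HOST
[ext]
subjectAltName = DNS:$HOST
EOF
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$WORK/req.cnf" \
        -keyout "$WORK/router.key" -out "$WORK/router.csr" 2>/dev/null
}

# Step 2: a root CA standing in for CAcert. Browsers do not ship this root, so
# it must be installed in the browser's trust store, as the article notes.
make_root_ca() {
    cat > "$WORK/ca.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = ca_ext
[dn]
CN = Example Root CA
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -config "$WORK/ca.cnf" -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
}

# Step 3: the CA signs the CSR. It sets the extensions itself rather than
# trusting whatever the requester put in the CSR, including the SAN.
sign_csr() {
    cat > "$WORK/leaf.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$HOST
EOF
    openssl x509 -req -sha256 -days 365 -set_serial 0x1001 \
        -in "$WORK/router.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
        -extfile "$WORK/leaf.ext" -out "$WORK/router.pem" 2>/dev/null
}

# Check A: the returned certificate must carry the same public key as the CSR,
# otherwise the router (which holds the matching private key) cannot use it.
key_matches_csr() {   # $1 = CSR file, $2 = certificate file
    [ "$(openssl req -in "$1" -noout -pubkey)" = "$(openssl x509 -in "$2" -noout -pubkey)" ]
}

# Check B: what a browser does: chain to a trusted root AND hostname match.
# $1 = trusted root file, or "" to simulate a browser without the root installed.
browser_would_accept() {   # $1 = root, $2 = certificate, $3 = hostname typed in the URL
    if [ -n "$1" ]; then
        openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
    else
        openssl verify -no-CAfile -no-CApath -verify_hostname "$3" "$2" >/dev/null 2>&1
    fi
}

# Check C: the names a browser compares against the URL (prints e.g. "DNS:host").
san_of() {   # $1 = certificate file
    openssl x509 -in "$1" -noout -text | sed -n '/Subject Alternative Name/{n;s/^ *//;p;}'
}

make_router_csr
make_root_ca
sign_csr
key_matches_csr "$WORK/router.csr" "$WORK/router.pem" && echo "public key in certificate matches the CSR"
echo "SAN: $(san_of "$WORK/router.pem")"
browser_would_accept "$WORK/ca.pem" "$WORK/router.pem" "$HOST" && echo "root installed, name matches: accepted"
browser_would_accept "" "$WORK/router.pem" "$HOST" || echo "root not installed: browser warning"
browser_would_accept "$WORK/ca.pem" "$WORK/router.pem" "other.example.com" || echo "hostname mismatch: browser warning"
```

Against the real router the equivalent of Check B is `openssl s_client -connect <router-address>:443 -servername ssldemo.mailroute44.com -CAfile root.crt`, with root.crt being the CAcert root downloaded from their website; the "Verify return code" line at the end of its output should read 0 (ok) once the uploaded certificate has been selected under [SSL VPN] > [General Setup].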
Once the certificate has been confirmed to be working as required, it is recommended to back up the certificate from the router so that it can be re-used if the DrayTek router hardware is changed or replaced. This is because the Private Key used to generate the Certificate Signing Request is internal to the router and is required to use the certificate. Backing up the router's certificates backs up the router's private key and certificates in an encrypted backup file.
Additional details can be found in this article: Backup and Restore the configuration of a DrayTek Vigor router
To back up the router's certificates, go to [Certificate Management] > [Certificate Backup], enter a password that will be required to decrypt/reinstall the certificate backup and click the Backup button to download the certificates from the router:
- First Published: 06/05/2015
- Last Updated: 31/01/2017