FreshTomato Wiki

User Tools

Site Tools

Trace:
custom_ssl_cert_local_cert_authority

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
custom_ssl_cert_local_cert_authority [2025/11/12 23:13] – [Create the Root Authority Self-signed Certificate] -Formatting hogwildcustom_ssl_cert_local_cert_authority [2025/11/13 01:57] (current) – [Prerequisites] -Formatting hogwild
Line 18: Line 18:
 ===== Prerequisites ===== ===== Prerequisites =====
  \\   \\ 
-  - A FreshTomato router with approximately 2.5 kB of free NVRAM. \\ (Check "Used / Total NVRAM" in the Overview menu) +  - A FreshTomato router with approximately 2.5 kB of free NVRAM. \\ (Check "Used / Total NVRAM" in the Overview menu) \\ \\ 
   - Any Linux distro with which you are comfortable. \\ The Certificate Authority will be built in the "/root/ca" directory.   - Any Linux distro with which you are comfortable. \\ The Certificate Authority will be built in the "/root/ca" directory.
  \\   \\ 
Line 180: Line 179:
  \\   \\ 
  \\   \\ 
- 
 ===== Create the Root Authority Self-signed Certificate ===== ===== Create the Root Authority Self-signed Certificate =====
  
Line 211: Line 209:
  
 ===== Create the Intermediate Authority ===== ===== Create the Intermediate Authority =====
- + \\  
- \\ Create a directory named: "intermediate", and inside it, subdirectories named: "certs", "crl", "newcerts", "private", "csr" and "client keys": \\   \\   \\ ''mkdir -p intermediate/{certs,crl,newcerts,private,csr,client_keys}'' \\   \\   \\   \\   \\ Change directories to "intermediate": \\   \\   \\ ''cd intermediate'' \\   \\   \\   \\   \\ Set full permissions on the "private" directory for the user only:\\   \\   \\ ''chmod 700 private'' \\   \\   \\   \\   \\ Create a file: "index.txt" which will serve as the CA database. This plain text file records every certificate the CA has issued, including its status, expiration date, revocation date if applicable, serial number, and certificate subject. Each line corresponds to one certificate and helps the CA keep track of certificates it has issued and their current status:\\   \\   \\ ''touch index.txt'' \\   \\   \\   \\   \\ Generate the word "1000" and redirect the output to the "serial" file: \\   \\   \\ ''echo 1000 > serial'' \\   \\   \\   \\   \\ Print the words "1000" to the file: "crlnumber": \\   \\   \\ ''echo 1000 > crlnumber'' \\   \\   \\   \\   \\ Run the nano editor and open the "openssl.cnf" file: \\   \\   \\ ''nano /root/ca/intermediate/openssl.cnf'' \\   \\   \\   \\   \\ After the file opens, //**you** //must copy the contents of the "IntermediateCA.openssl.cnf" file on this wiki page and paste it into the "openssl.cnf" file and save it. \\   \\   \\   \\ +Create a directory named: "intermediate", and inside it, subdirectories named: "certs", "crl", "newcerts", "private", "csr" and "client keys": \\  
 + \\  
 + \\  
 +''mkdir -p intermediate/{certs,crl,newcerts,private,csr,client_keys}'' \\  
 + \\  
 + \\  
 + \\  
 + \\  
 +Change directories to "intermediate": \\  
 + \\  
 + \\  
 +''cd intermediate'' \\  
 + \\  
 + \\  
 + \\  
 + \\  
 +Set full permissions on the "private" directory for the user only: \\  
 + \\  
 + \\ ''chmod 700 private'' \\  
 + \\  
 + \\  
 + \\  
 + \\  
 +Create a file: "index.txt" that will serve as the CA database. This plain text file records every certificate the CA has issued, including its status, expiration date, revocation date if applicable, serial number, and certificate subject. Each line corresponds to one certificate and helps the CA keep track of certificates it has issued and their current status: \\  
 + \\  
 + \\ ''touch index.txt'' \\  
 + \\  
 + \\  
 + \\  
 + \\  
 +Generate the word "1000" and redirect the output to the "serial" file: \\  
 + \\  
 + \\  
 +''echo 1000 > serial'' \\  
 + \\  
 + \\  
 + \\  
 + \\  
 +Print the words "1000" to the file: "crlnumber": \\  
 + \\  
 + \\  
 +''echo 1000 > crlnumber'' \\  
 + \\  
 + \\  
 + \\  
 + \\  
 +Run the nano editor and open the "openssl.cnf" file: \\  
 + \\  
 + \\  
 +''nano /root/ca/intermediate/openssl.cnf'' \\  
 + \\  
 + \\  
 + \\  
 + \\  
 +After the file opens, //**you** // must copy the contents of the "IntermediateCA.openssl.cnf" file on this wiki page and paste it into the "openssl.cnf" file and save it. \\  
 + \\  
 + \\  
 + \\ 
  
 ===== Create the Intermediate Authority Key ===== ===== Create the Intermediate Authority Key =====
Line 232: Line 286:
  \\   \\ 
 ===== Creating an Intermediate Certificate Request to Root ===== ===== Creating an Intermediate Certificate Request to Root =====
- + \\  
- \\ Create a certifcate signing **req**uest for the intermediate CA, using settings in the "openssl.cnf" file, generate an SHA256 hash of the key so the CA signing the certificate can verify the integrity of the received key, and save the request to the: "csr" directory of the root CA:\\   \\   \\ ''openssl req -config /root/ca/intermediate/openssl.cnf \ -new -sha256 -key private/intermediate.key.pem \ -out /root/ca/csr/intermediate.csr.pem'' \\   \\   \\   \\ +Create a certifcate signing **req**uest for the intermediate CA, using settings in the "openssl.cnf" file, generate an SHA256 hash of the key so the CA signing the certificate can verify the integrity of the received key, and save the request to the: "csr" directory of the root CA: \\  
- + \\  
 + \\  
 +''openssl req -config /root/ca/intermediate/openssl.cnf \ -new -sha256 -key private/intermediate.key.pem \ -out /root/ca/csr/intermediate.csr.pem'' \\  
 + \\  
 + \\  
 + \\ 
 ===== Create the Intermediate Certificate ===== ===== Create the Intermediate Certificate =====
  \\   \\ 
Line 288: Line 346:
  
 ===== Create a Certificate Chain File ===== ===== Create a Certificate Chain File =====
- + \\  
- \\ Use the concatenate command to combine the root and intermediate certificates, in ascending order of trust, into one file: \\   \\   \\ ''cat certs/intermediate.cert.pem /root/ca/certs/ca.cert.pem > certs/ca-chain.cert.pem '' \\   \\   \\   \\   \\ Change permissions on the "chain.cert.pem" file to read-only for the user, group and others: \\   \\   \\ ''chmod 444 certs/ca-chain.cert.pem''  \\   \\   \\ CONSTRUCTION+Use the concatenate command to combine the root and intermediate certificates, in ascending order of trust, into one file: \\  
 + \\  
 + \\  
 +''cat certs/intermediate.cert.pem /root/ca/certs/ca.cert.pem > certs/ca-chain.cert.pem '' \\  
 + \\  
 + \\  
 + \\  
 + \\  
 +Change permissions on the "chain.cert.pem" file to read-only for the user, group and others: \\  
 + \\  
 + \\  
 +''chmod 444 certs/ca-chain.cert.pem'' \\  
 + \\  
 + \\  
 +CONSTRUCTION
  
 OF  THE OF  THE
Line 295: Line 367:
 CERTIFICATE   AUTHORTY CERTIFICATE   AUTHORTY
  
-IS  NOW COMPLETE \\   \\   \\   \\ +IS  NOW COMPLETE \\  
- + \\  
 + \\  
 + \\ 
 ===== Create a Key and Certificates for FreshTomato ===== ===== Create a Key and Certificates for FreshTomato =====
 ==== Create a FreshTomato Key Using EC PRIME256V1 ==== ==== Create a FreshTomato Key Using EC PRIME256V1 ====
Line 315: Line 388:
  \\   \\ 
  \\   \\ 
- 
  
 ==== Create a Freshtomato Certificate Signing Request ==== ==== Create a Freshtomato Certificate Signing Request ====
Line 349: Line 421:
  \\   \\ 
  \\   \\ 
- \\ + \\ 
- +
 ==== Sign the Certificate with the Intermediate Certificate Authority ==== ==== Sign the Certificate with the Intermediate Certificate Authority ====
  \\   \\ 
Line 362: Line 432:
  \\   \\ 
 ==== Set up Root with Elliptical Curve SSH Keys ==== ==== Set up Root with Elliptical Curve SSH Keys ====
- \\  + 
-(This is done with root credentials because the certificates must be installed in FreshTomato. Using root access helps avoid unsecured steps in between). \\  +\\  (This is done with root credentials because the certificates must be installed in FreshTomato. Using root access helps avoid unsecured steps in between). \\  \\  Change to the: "/root" directory: \\  \\  \\  ''cd /root'' \\  \\  \\  \\  \\  Generate a public/private SSH key pair using the Ed25519 hashing algorithm. Add a comment containing a default email address to the key: \\  \\  \\  ''ssh-keygen -t ed25519 -C "your_email@example.com"''\\  \\  \\  \\  \\  Display the contents of the public SSH key file: "/root/.ssh/id_ed25519.pub": \\  \\  \\  ''cat /root/.ssh/id_ed25519.pub'' \\  (The contents should look similar to: "ssh-ed25519 AAA....Oo your_email@example.com". Copy all of it for use in the next step.\\  \\  \\  \\  \\  Now, connect to the router's web interface and go to the Admin Access menu. In the SSH Server section, paste the output copied from the previous step in the "Authorized keys" section). \\  \\  \\  Uncheck: \\
- \\  +
-Change to the: "/root" directory: \\  +
- \\  +
- \\  +
-''cd /root'' \\  +
- \\  +
- \\  +
- \\  +
- \\  +
-Generate a public and private SSH key pair using the Ed25519 hashing algorithm. Add a comment containing a default email address to the key: \\  +
- \\  +
- \\  +
-''ssh-keygen -t ed25519 -C "your_email@example.com"'' FIXME \\  +
- \\  +
- \\  +
- \\  +
- \\  +
-Display the contents of the public SSH key file: "/root/.ssh/id_ed25519.pub": \\  +
- \\  +
- \\  +
-''cat /root/.ssh/id_ed25519.pub'' \\  +
-(The contents should look similar to: "ssh-ed25519 AAA....Oo your_email@example.com" copy the whole thing) FIXME \\  +
- \\  +
- \\  +
- \\  +
- \\  +
-Now, connect to the router's web interface and go to the Admin Access menu. In the SSH Server section, paste the output copied from the previous step in the "Authorized keys" section). \\  +
- \\  +
- \\  +
-Uncheck: \\+
  
   * "Allow password login"   * "Allow password login"
   *  "WAN access"   *  "WAN access"
  
- \\  Now, check: \\+\\  Now, check: \\
  
   * "Enable on Startup", then "Save." \\   * "Enable on Startup", then "Save." \\
- \\  + 
- \\  +\\  \\  \\  \\  Finally, click "Start Now" to restart the SSH server. \\  \\  \\  \\
- \\  +
- \\   +
-Finally, click "Start Now" to restart the SSH server. \\   \\   \\   \\+
  
  
Line 466: Line 503:
  \\   \\ 
  \\    \\  
-Run the stream text editor tool and make it open the "cert.pem" file in place, overwriting any changes and cutting off content after the words: "END CERTIFICATE":    \\ +Run the stream text editormake it open the "cert.pem" file in place, overwriting any changes and cutting off content after the words: "END CERTIFICATE": \\  
  \\   \\ 
  \\   \\ 
- \\  +''sed -i "/END CERTIFICATE/q" /etc/cert.pem'' \\  
-''sed -i "/END CERTIFICATE/q" /etc/cert.pem'' \\ +
  \\   \\ 
  \\   \\ 
Line 496: Line 532:
  \\   \\ 
 ''nvram set https_crt_file="$(/usr/sbin/openssl enc -base64 < /tmp/cert.tar.gz | tr -d '\n')"'' \\  ''nvram set https_crt_file="$(/usr/sbin/openssl enc -base64 < /tmp/cert.tar.gz | tr -d '\n')"'' \\ 
- \\ 
  \\   \\ 
- \\+ \\  
 + \\ 
  \\   \\ 
 Commit all the changes to NVRAM: \\  Commit all the changes to NVRAM: \\ 
- \\+ \\ 
  \\   \\ 
 ''nvram commit'' \\  ''nvram commit'' \\ 
- \\ 
  \\   \\ 
- \\+ \\  
 + \\ 
  \\   \\ 
 Finally, restart the HTTP daemon: \\  Finally, restart the HTTP daemon: \\ 
Line 519: Line 555:
 The process is now complete. Now, you should be able to access your FreshTomato web interface using the custom certificates you created with your own CA. If something isn't working, review all steps and double-check that they were properly completed. \\  The process is now complete. Now, you should be able to access your FreshTomato web interface using the custom certificates you created with your own CA. If something isn't working, review all steps and double-check that they were properly completed. \\ 
  \\   \\ 
- \\+ \\ 
  
  
Line 537: Line 573:
  \\   \\ 
  \\   \\ 
-Since r2025.3, FreshTomato doesn't require the CN to match the Hostname. The following steps will allow you test your setup to verify this. However, please note that testing this could cause FreshTomato to overwrite your custom cert. If it does happens, just upload your certificate again and SSH will still function fine. \\ +Since r2025.3, FreshTomato doesn't require the CN to match the Hostname. The following steps will allow you test your setup to verify this. However, please note that testing this could cause FreshTomato to overwrite your custom cert. If it does happens, upload your certificate again and SSH will still function fine. \\  
- \\+ \\ 
   * In the web interface, go to the [[admin_access|Admin Access]] menu and check the CN under "SSL Certificate". \\ \\    * In the web interface, go to the [[admin_access|Admin Access]] menu and check the CN under "SSL Certificate". \\ \\ 
   * Connect via SSH to FreshTomato and run the following commands:   * Connect via SSH to FreshTomato and run the following commands:
Line 547: Line 583:
   * When the router is accessible again you'll notice that the certificate is still working fine. \\ Go back to the [[admin_access|Admin Access]] page and you will see the CN is now "some.random.thing" \\ \\    * When the router is accessible again you'll notice that the certificate is still working fine. \\ Go back to the [[admin_access|Admin Access]] page and you will see the CN is now "some.random.thing" \\ \\ 
   * If you clicked "Save" at the bottom of the page, or reboot the router from the web interface, your cert would be overwritten. \\ \\    * If you clicked "Save" at the bottom of the page, or reboot the router from the web interface, your cert would be overwritten. \\ \\ 
-  * At this point you can go back to SSH and change back your CN and commit or, of test it further. \\+  * At this point you can go back to SSH and change back your CN and commit or, of test it further. \\  
 + \\  
 + \\  
 + \\ 
  
  
custom_ssl_cert_local_cert_authority.1762989194.txt.gz · Last modified: by hogwild

Page Tools

Donate Powered by PHP Valid HTML5 Valid CSS Driven by DokuWiki