FreshTomato Wiki

User Tools

Site Tools

Trace: custom_ssl_cert_local_cert_authority
custom_ssl_cert_local_cert_authority

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
custom_ssl_cert_local_cert_authority [2025/11/12 23:23] – [Create a Freshtomato Certificate Signing Request] hogwildcustom_ssl_cert_local_cert_authority [2025/11/13 01:57] (current) – [Prerequisites] -Formatting hogwild
Line 18: Line 18:
 ===== Prerequisites ===== ===== Prerequisites =====
  \\   \\ 
-  - A FreshTomato router with approximately 2.5 kB of free NVRAM. \\ (Check "Used / Total NVRAM" in the Overview menu) +  - A FreshTomato router with approximately 2.5 kB of free NVRAM. \\ (Check "Used / Total NVRAM" in the Overview menu) \\ \\ 
   - Any Linux distro with which you are comfortable. \\ The Certificate Authority will be built in the "/root/ca" directory.   - Any Linux distro with which you are comfortable. \\ The Certificate Authority will be built in the "/root/ca" directory.
  \\   \\ 
Line 433: Line 432:
  \\   \\ 
 ==== Set up Root with Elliptical Curve SSH Keys ==== ==== Set up Root with Elliptical Curve SSH Keys ====
- \\  + 
-(This is done with root credentials because the certificates must be installed in FreshTomato. Using root access helps avoid unsecured steps in between). \\  +\\  (This is done with root credentials because the certificates must be installed in FreshTomato. Using root access helps avoid unsecured steps in between). \\  \\  Change to the: "/root" directory: \\  \\  \\  ''cd /root'' \\  \\  \\  \\  \\  Generate a public/private SSH key pair using the Ed25519 hashing algorithm. Add a comment containing a default email address to the key: \\  \\  \\  ''ssh-keygen -t ed25519 -C "your_email@example.com"''\\  \\  \\  \\  \\  Display the contents of the public SSH key file: "/root/.ssh/id_ed25519.pub": \\  \\  \\  ''cat /root/.ssh/id_ed25519.pub'' \\  (The contents should look similar to: "ssh-ed25519 AAA....Oo your_email@example.com". Copy all of it for use in the next step.\\  \\  \\  \\  \\  Now, connect to the router's web interface and go to the Admin Access menu. In the SSH Server section, paste the output copied from the previous step in the "Authorized keys" section). \\  \\  \\  Uncheck: \\
- \\  +
-Change to the: "/root" directory: \\  +
- \\  +
- \\  +
-''cd /root'' \\  +
- \\  +
- \\  +
- \\  +
- \\  +
-Generate a public and private SSH key pair using the Ed25519 hashing algorithm. Add a comment containing a default email address to the key: \\  +
- \\  +
- \\  +
-''ssh-keygen -t ed25519 -C "your_email@example.com"'' FIXME \\  +
- \\  +
- \\  +
- \\  +
- \\  +
-Display the contents of the public SSH key file: "/root/.ssh/id_ed25519.pub": \\  +
- \\  +
- \\  +
-''cat /root/.ssh/id_ed25519.pub'' \\  +
-(The contents should look similar to: "ssh-ed25519 AAA....Oo your_email@example.com" copy the whole thing) FIXME \\  +
- \\  +
- \\  +
- \\  +
- \\  +
-Now, connect to the router's web interface and go to the Admin Access menu. In the SSH Server section, paste the output copied from the previous step in the "Authorized keys" section). \\  +
- \\  +
- \\  +
-Uncheck: \\+
  
   * "Allow password login"   * "Allow password login"
   *  "WAN access"   *  "WAN access"
  
- \\  Now, check: \\+\\  Now, check: \\
  
   * "Enable on Startup", then "Save." \\   * "Enable on Startup", then "Save." \\
- \\  + 
- \\  +\\  \\  \\  \\  Finally, click "Start Now" to restart the SSH server. \\  \\  \\  \\
- \\  +
- \\   +
-Finally, click "Start Now" to restart the SSH server. \\   \\   \\   \\+
  
  
Line 537: Line 503:
  \\   \\ 
  \\    \\  
-Run the stream text editor tool and make it open the "cert.pem" file in place, overwriting any changes and cutting off content after the words: "END CERTIFICATE":    \\  +Run the stream text editormake it open the "cert.pem" file in place, overwriting any changes and cutting off content after the words: "END CERTIFICATE": \\  
- \\ +
  \\   \\ 
  \\   \\ 
-''sed -i "/END CERTIFICATE/q" /etc/cert.pem'' \\ +''sed -i "/END CERTIFICATE/q" /etc/cert.pem'' \\  
  \\   \\ 
  \\   \\ 
Line 567: Line 532:
  \\   \\ 
 ''nvram set https_crt_file="$(/usr/sbin/openssl enc -base64 < /tmp/cert.tar.gz | tr -d '\n')"'' \\  ''nvram set https_crt_file="$(/usr/sbin/openssl enc -base64 < /tmp/cert.tar.gz | tr -d '\n')"'' \\ 
- \\ 
  \\   \\ 
- \\+ \\  
 + \\ 
  \\   \\ 
 Commit all the changes to NVRAM: \\  Commit all the changes to NVRAM: \\ 
- \\+ \\ 
  \\   \\ 
 ''nvram commit'' \\  ''nvram commit'' \\ 
- \\ 
  \\   \\ 
- \\+ \\  
 + \\ 
  \\   \\ 
 Finally, restart the HTTP daemon: \\  Finally, restart the HTTP daemon: \\ 
Line 590: Line 555:
 The process is now complete. Now, you should be able to access your FreshTomato web interface using the custom certificates you created with your own CA. If something isn't working, review all steps and double-check that they were properly completed. \\  The process is now complete. Now, you should be able to access your FreshTomato web interface using the custom certificates you created with your own CA. If something isn't working, review all steps and double-check that they were properly completed. \\ 
  \\   \\ 
- \\+ \\ 
  
  
Line 608: Line 573:
  \\   \\ 
  \\   \\ 
-Since r2025.3, FreshTomato doesn't require the CN to match the Hostname. The following steps will allow you test your setup to verify this. However, please note that testing this could cause FreshTomato to overwrite your custom cert. If it does happens, just upload your certificate again and SSH will still function fine. \\ +Since r2025.3, FreshTomato doesn't require the CN to match the Hostname. The following steps will allow you test your setup to verify this. However, please note that testing this could cause FreshTomato to overwrite your custom cert. If it does happens, upload your certificate again and SSH will still function fine. \\  
- \\+ \\ 
   * In the web interface, go to the [[admin_access|Admin Access]] menu and check the CN under "SSL Certificate". \\ \\    * In the web interface, go to the [[admin_access|Admin Access]] menu and check the CN under "SSL Certificate". \\ \\ 
   * Connect via SSH to FreshTomato and run the following commands:   * Connect via SSH to FreshTomato and run the following commands:
Line 618: Line 583:
   * When the router is accessible again you'll notice that the certificate is still working fine. \\ Go back to the [[admin_access|Admin Access]] page and you will see the CN is now "some.random.thing" \\ \\    * When the router is accessible again you'll notice that the certificate is still working fine. \\ Go back to the [[admin_access|Admin Access]] page and you will see the CN is now "some.random.thing" \\ \\ 
   * If you clicked "Save" at the bottom of the page, or reboot the router from the web interface, your cert would be overwritten. \\ \\    * If you clicked "Save" at the bottom of the page, or reboot the router from the web interface, your cert would be overwritten. \\ \\ 
-  * At this point you can go back to SSH and change back your CN and commit or, of test it further. \\+  * At this point you can go back to SSH and change back your CN and commit or, of test it further. \\  
 + \\  
 + \\  
 + \\ 
  
  
custom_ssl_cert_local_cert_authority.1762989813.txt.gz · Last modified: by hogwild

Page Tools

Donate Powered by PHP Valid HTML5 Valid CSS Driven by DokuWiki