_______ ____ ____ __  __ ____  __   ______ ______
/_   __// __// __// /_/ // _ / / /  / __  // ____/
  / /  / __// /_ / __  // _ < / /_ / /_/ // /_  /
 /_/  /___//___//_/ /_//____//___//_____//_____/
  techblog.koponen.se

 [ / ] [ howto ] [ reviews ] [ webapps ] [ youtube ] [ links ] [ about ]
-------------------------------------------------------------------------

  techblog.koponen.se
 
 [ / ] 
 [ howto   ] [ reviews ] [ webapps ] 
 [ youtube ] [ about   ] [ links   ] 
-------------------------------------

HOWTO
CERTIFICATES
INSTALL PRIVATE KEY AND CERTIFICATE ON AN OPENWRT ROUTER

Published: 20211107

Tested on:
Hardware: Raspberry Pi 3 Model B+
Firmware: OpenWRT 21.02.0 bcm27xx-bcm2709

-

In a default install of OpenWRT (from https://openwrt.org/) you can install your own private key and certificate by following these steps:

In this example the following values are assumed:

1. AP means access point, but in this example AP is used for the device in question; whether it be an access point, a router, a network bridge, or just any type of device you wan't to install with OpenWRT.
2. The FQDN of your access AP is ap1.example.com
3. The IPv4 address of your AP is 192.0.2.1
4. You have a local DNS server with the hostname: ap1.example.com pointing to the right IPv4 address: 192.0.2.1 (This is important to get a proper browser experience.)

Let's get on with the work:

• Create your own key and certificate.

  (Instructions how to create your own CA and include it in your browser can be found here

  In this example we'll call the KEY-file: ap1.key and the CRT-file: ap1.crt I'm assuming the key and certificate are rendered on a workstation, not on the AP itself.

  There are two things you need to know:

  • When your CA signs the CSR (to create the CRT-file), there needs to be an extra EXT-file: ap1.ext, which looks like this (don't ask me why, I don't know yet. But I know it works with this, but not without this):

    subjectAltName = @alt_names
    [alt_names]
    DNS.1 = ap1.example.com
    IP.1 = 192.0.2.1
    

  • The KEY-file needs to be converted into DER-format:

    $ openssl rsa -in ap1.key -outform DER -out ap1.key.der
    

• Make sure your AP is configured with the right hostname. This is done here:

  • Login into your webUI (aka "LuCI")
  • At the top, press the submenu "System"
  • In the submenu "System", press "System"
  • Make sure the first tab, "General Settings", is active. (If not, press it.)
  • In the box marked "Hostname", enter your FQDN (the one in the CN field of your CRT-file).
  • Press the blue button "Save & Apply" down at the bottom right.

• Transfer the KEY-file and the CRT-file to your AP. You can do this in two ways:

  1. Send the files by SCP

  or:

  2. Copy the files onto the SD card that holds the OpenWRT filesystem. (This step only work on models, i.e. a Raspberry Pi, where you can separate the AP from it's storage which is on an SD card.)

  The target destinations are:

  • the KEY-file: ap1.key.der -> ap1:/etc/uhttpd.key
  • the CRT-file: ap1.crt -> ap1:/etc/uhttpd.crt

• Restart your AP

If all works well, you should now be able to surf to https://ap1.example.com/ from your browser and the HTTPS certificate should be proper.