_______ ____ ____ __  __ ____  __   ______ ______
/_   __// __// __// /_/ // _ / / /  / __  // ____/
  / /  / __// /_ / __  // _ < / /_ / /_/ // /_  /
 /_/  /___//___//_/ /_//____//___//_____//_____/
  techblog.koponen.se

 [ / ] [ howto ] [ reviews ] [ webapps ] [ youtube ] [ links ] [ about ]
-------------------------------------------------------------------------

  techblog.koponen.se
 
 [ / ] 
 [ howto   ] [ reviews ] [ webapps ] 
 [ youtube ] [ about   ] [ links   ] 
-------------------------------------

HOWTO
CERTIFICATES
INSTALL PRIVATE KEY AND CERTIFICATE ON WIRELESS ROUTER GL.INET GL-AR750S SLATE

Published: 20211107

Tested on:
Hardware: GL.iNet GL-AR750S (aka "Slate")
Firmware: 3.104 (2020-04-27 17:57:57)

-

The default firmware that comes with the GL-AR750S "Wireless Travel Router" is based on OpenWRT. It has a very nice webUI, but if you want to tinker with it you can use CLI via SSH or reach the LuCI interface via a few clicks.

This makes this router easy to install with your own private key and certificate.

In this example the following values are assumed:

1. The FQDN of your wireless router is router1.example.com
2. The IPv4 address of your wireless router is 192.0.2.1
3. You have a local DNS server with the hostname: router1.example.com pointing to the right IPv4 address: 192.0.2.1 (This is important to get a proper browser experience.)

Let's get on with the work:

• Create your own key and certificate.

  (Instructions how to create your own CA and include it in your browser can be found here

  In this example we'll call the KEY-file: router1.key and the CRT-file: router1.crt I'm assuming the key and certificate are rendered on a workstation, not on the wireless router itself.

  There is one thing you need to know:

  • When your CA signs the CSR (to create the CRT-file), there needs to be an extra EXT-file: router1.ext, which looks like this (don't ask me why, I don't know yet. But I know it works with this, but not without this):

    subjectAltName = @alt_names
    [alt_names]
    DNS.1 = router1.example.com
    IP.1 = 192.0.2.1
    

• Make sure your AP is configured with the right hostname. This is done here:

  • Login into your webUI
  • In the left menu, press the cog wheel marked "MORE SETTINGS"
  • In the submenu, press "Advanced"
  • You will now be presented with the LuCI interface.

  In this interface, you use your regular password, but with the user "root" instead of "admin".

  • Login into your webUI (aka "LuCI")
  • At the top, press the submenu "System"
  • In the submenu "System", press "System"
  • Make sure the first tab, "General Settings", is active. (If not, press it.)
  • In the box marked "Hostname", enter your FQDN (the one in the CN field of your CRT-file).
  • Press the blue button "Save & Apply" down at the bottom right.

• Transfer the KEY-file and the CRT-file to your router.

  But first you need to merge them into one file:

  $ cat router1.key router1.crt > router1.pem
  

  Transfer the new PEM-file via SCP (SSH) to your router.

  The target destinations is:

  • the PEM-file: router1.pem -> router1:/etc/lighttpd/server.pem

• Restart your router.

If all works well, you should now be able to surf to https://router1.example.com/ from your browser and the HTTPS certificate should be proper.