DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

Certificate Management on 2862

27 Feb 2018 01:05 #1 by the larch
Certificate Management on 2862 was created by the larch
I'm having a few problems setting up certificates on my 2862 (firmware version 3.8.7, but also when it was running 3.8.6 as supplied). I'm sure I must be doing something wrong, but I can't figure out what it is.

The first problem is when I create a Root CA certificate on the router, the status shows up as "Not Yet Valid" and the validity dates are wrong. For instance, I just generated a certificate (on 27th February 2018). The Valid From is shown as "Apr 25 00:04:25 2066 GMT" and the Valid To is "Jan 2 00:04:25 2080 GMT".

The time and time zone (GMT) are correct on the router. Changing the time zone to, e.g., Taiwan doesn't fix it either.

Is there a trick to this? Or could it be a bug? It may be a coincidence, but it looks like the start date, in days since 1st Jan 1970, might be double what it should be.

I tried importing certificates to the device instead, both as PEM and as PKCS#12 files. Trusted CA certificates in PEM format uploaded fine, but Local certificates were finicky. I couldn't get it to accept password protected keys, either with Upload PKCS12 Certificate or with Upload Certificate and Private Key. I was definitely supplying the correct password! What sort of encryption does it expect?

I couldn't get Upload Certificate to take any file I gave it. In the end I could only get Upload Certificate and Private Key to work, as long as the key was unencrypted. Is that normal?

The final problem was with the SSL connection using the uploaded certificate. The router seems to be sending only the server's certificate. That's fine if the certificate is self-signed, or if it is signed by a Root CA, but if it's signed by an Intermediate CA, the browser can't verify the certificate.

The router ought to be sending either the complete chain, or at least the server certificate and the intermediate CA. Is there any way to get it to do this?

I've tried supplying a file with the full trust chain into Upload Certificate and Private Key. It accepts the file, but it still only sends the server certificate to the browser. I've tried installing the intermediate CA as a second Trusted Root, in the hope that the router would build the trust chain itself and send it to the web client, but it doesn't seem to do it.

Obviously I can work around the problem for the time being by installing the intermediate CA in the browser, but it's not an ideal solution. Again, it ought to be possible, shouldn't it?

Any pointers would be gratefully received. Thanks!

Jonathan
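The "doubled day count" guess in the post above can be tested directly. The following is an added example, not part of Jonathan's post or anything from DrayTek; it assumes GNU date (the -d option) and uses only the dates quoted in the post. Halving the displayed expiry is an inference of my own: the post does not say what expiry was requested, so that result is only consistent with, not proof of, the doubling explanation.

```shell
#!/bin/sh
# Added example: reproduce the 2862's displayed validity dates under the
# hypothesis that it doubles the number of days since 1970-01-01.
# Assumes GNU date. Input dates are YYYY-MM-DD, interpreted as UTC.

# Whole days between 1970-01-01 and the given date.
epoch_days() {
    echo $(( $(date -u -d "$1" +%s) / 86400 ))
}

# The calendar date (e.g. "Apr 25 2066") that a day count lands on.
date_of_days() {
    date -u -d "@$(( $1 * 86400 ))" +'%b %d %Y'
}

# What the router would display for a real date if it doubled the day count.
doubled_display() {
    date_of_days $(( $(epoch_days "$1") * 2 ))
}

# The inverse: the real date behind a displayed one, if the bug is a doubling.
# (Inference only; the thread does not state the expiry that was requested.)
undouble_display() {
    date_of_days $(( $(epoch_days "$1") / 2 ))
}

# Certificate generated on 27 Feb 2018; router showed "Apr 25 ... 2066".
echo "2018-02-27 doubled   -> $(doubled_display 2018-02-27)"
# Router showed Valid To "Jan 2 ... 2080"; what date would that have been?
echo "2080-01-02 undoubled -> $(undouble_display 2080-01-02)"
```

27 Feb 2018 is day 17589 since the epoch; doubling gives day 35178, which is exactly 25 April 2066, so the displayed Valid From matches the doubling hypothesis to the day. Halving the displayed Valid To (day 40178) gives day 20089, which is 1 January 2025.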

14 Nov 2018 15:46 #2 by gbsltd
Replied by gbsltd on topic Re: Certificate Management on 2862
I'm having exactly the same problem in that the router is not sending the intermediate certificate. Did you manage to resolve this problem?

15 Nov 2018 01:54 #3 by the larch
Replied by the larch on topic Re: Certificate Management on 2862

gbsltd wrote: I'm having exactly the same problem in that the router is not sending the intermediate certificate. Did you manage to resolve this problem?

I'm afraid not. I had had so many problems that I just worked around it and haven't come back to it yet.

If I remember correctly there was a suggestion (in another thread) that a future patch would increase a file size limit to allow a certificate file containing larger intermediate certificates to be installed. I wondered if that would come with a fix to make it actually send the chain. I had intended to come back to it if I heard any more about that.

15 Nov 2018 09:20 #4 by admin3
Replied by admin3 on topic Re: Certificate Management on 2862
The firmware does support adding an Intermediate certificate but the method is specific to only the Upload Certificate and Private Key import method currently.

All you need to do is put both the certificate (1st entry) and intermediate cert (2nd entry) into the same text file i.e.

Code:
-----BEGIN CERTIFICATE-----
Router Certificate
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Intermediate Certificate
-----END CERTIFICATE-----

and upload that to the router with the private key, then the router can respond with the certificate chain for HTTPS connections.

It does however mean that the router itself can't get the certificate signed with a certificate signing request or load a P12 file, but those methods should support an intermediate certificate soon as well.

Forum Administrator

15 Nov 2018 11:35 #5 by gbsltd
Replied by gbsltd on topic Re: Certificate Management on 2862

The Larch wrote: I'm afraid not.

Thank you for replying anyway.

admin3 wrote: the router itself can't get the certificate signed with a certificate signing request

Can you clarify this for me please? I generated a CSR from the router directly and used it to get the certificate. Will the support for other methods that is coming 'soon' allow this to work? If so, will it just be a case of following your instructions but on Upload Local Certificate instead?

15 Nov 2018 14:54 #6 by admin3
Replied by admin3 on topic Re: Certificate Management on 2862
Sadly, the CSR method directly on the router has been found to not include / allow the intermediate certificate when importing it back to the router. The PFX/P12 certificate type also strips out the intermediate cert when uploading it to the router. These two problems were only spotted fairly recently. It's being looked into by the firmware team but I can't give more details than that right now.

When it does work, it should operate just like in my previous post, adding the intermediate cert to the router's cert from the certificate authority and uploading. I think some providers also supply a 'bundle' certificate which does just that by including the certificate and the required intermediate certificates, it should be possible to just upload that to the router.

Forum Administrator
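The bundle the admin describes in posts #4 and #6 (router certificate first, intermediate second, uploaded together with an unencrypted private key via Upload Certificate and Private Key) is easy to get subtly wrong: wrong order, a key that does not belong to the certificate, or a password-protected key the router will reject. The script below is an added example, not DrayTek firmware code or anything posted in this thread. It assumes the openssl command-line tool is installed, and it constructs a throwaway root, intermediate and router certificate in a temporary directory so that it runs offline; the file names, the config sections (v3_ca, v3_leaf) and the hostname router.example are all my own choices.

```shell
#!/bin/sh
# Added example (not DrayTek's code): build and sanity-check the
# "router cert first, intermediate second" PEM bundle before uploading it.
# The PKI below is constructed for the demo only. Assumes the openssl CLI.
set -eu

WORK=$(mktemp -d)
cd "$WORK"

# One config file covers the CSR sections and the CA/leaf extensions.
cat > pki.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_leaf]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:router.example
EOF

# Constructed test PKI: root -> intermediate -> router (leaf). Keys are unencrypted.
make_test_pki() {
    openssl req -x509 -config pki.cnf -extensions v3_ca -newkey rsa:2048 -nodes -sha256 \
        -days 365 -subj '/CN=Constructed Test Root' -keyout root.key -out root.pem 2>/dev/null
    openssl req -config pki.cnf -newkey rsa:2048 -nodes -sha256 \
        -subj '/CN=Constructed Test Intermediate' -keyout int.key -out int.csr 2>/dev/null
    openssl x509 -req -sha256 -days 365 -in int.csr -CA root.pem -CAkey root.key \
        -CAcreateserial -extfile pki.cnf -extensions v3_ca -out int.pem 2>/dev/null
    openssl req -config pki.cnf -newkey rsa:2048 -nodes -sha256 \
        -subj '/CN=router.example' -keyout router.key -out router.csr 2>/dev/null
    openssl x509 -req -sha256 -days 365 -in router.csr -CA int.pem -CAkey int.key \
        -CAcreateserial -extfile pki.cnf -extensions v3_leaf -out router.pem 2>/dev/null
}

# Print the N-th PEM certificate (1-based) from a bundle file.
nth_cert() {
    awk -v n="$2" '/BEGIN CERTIFICATE/{c++} c==n' "$1"
}

# True if every certificate in the bundle is issued by the one that follows it,
# i.e. the leaf is first and the intermediate comes right after it.
chain_order_ok() {
    bundle=$1
    n=$(grep -c 'BEGIN CERTIFICATE' "$bundle")
    i=1
    while [ "$i" -lt "$n" ]; do
        issuer=$(nth_cert "$bundle" "$i" | openssl x509 -noout -issuer)
        subject=$(nth_cert "$bundle" $((i + 1)) | openssl x509 -noout -subject)
        [ "${issuer#issuer=}" = "${subject#subject=}" ] || return 1
        i=$((i + 1))
    done
}

# build_chain LEAF INTERMEDIATE KEY ROOT OUT
# Refuses to write a bundle unless the key is unencrypted (the 2862 only took
# unencrypted keys in this thread), the key matches the router certificate,
# and the intermediate really chains the router certificate to the root.
build_chain() {
    leaf=$1; inter=$2; key=$3; root=$4; out=$5
    if grep -q 'ENCRYPTED' "$key"; then
        echo "refusing: private key is password-protected; decrypt it first" >&2
        return 1
    fi
    cert_pub=$(openssl x509 -in "$leaf" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$key" -pubout | openssl sha256)
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "refusing: private key does not match the certificate" >&2
        return 1
    fi
    openssl verify -CAfile "$root" -untrusted "$inter" "$leaf" >/dev/null 2>&1 \
        || { echo "refusing: intermediate does not chain the certificate to the root" >&2; return 1; }
    # Order matters for the router: server certificate first, intermediate second.
    cat "$leaf" "$inter" > "$out"
}

make_test_pki
build_chain router.pem int.pem router.key root.pem chain.pem
echo "bundle written to $WORK/chain.pem ($(grep -c 'BEGIN CERTIFICATE' chain.pem) certificates, router cert first)"
```

For a real upload, replace the constructed files with the certificate returned by the CA, its intermediate, and the router's key; chain_order_ok is also a quick way to check a provider-supplied "bundle" file before uploading it, since a bundle that lists the intermediate first will fail the order check.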
