DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

Certificate for SSL Import.

22 Oct 2018 15:04 #7 by sheltons
Replied by sheltons on topic Re: Certificate for SSL Import.

admin3 wrote: It seems then that the Tomcat certificate output from Godaddy is the correct one, but it's odd that it's not working for you. .crt & .pem is the correct pair of extensions

I notice you haven't said which router model you have - certificates generated by companies now should be using 2048-bit key size and SHA1 or SHA256. If the router is on older firmware, it might not be able to process certificates if they're larger than the router can interpret or are using a key size the router doesn't understand.

This website has some good examples of OpenSSL commands to verify the certificate and key details on your end:
https://www.sslshopper.com/ssl-certificate-tools.html
I don't recommend using online tools to check the private key & certificate combination, just use OpenSSL to do the same things locally.



Hi,
It's a 2862LAC with 3.8.9.2_BT Firmware.
OpenSSL requires Perl and we only have Windows Servers & PCs; without installing other modules I cannot use OpenSSL. The Server is SBS 2011, which is always a bit tricky when adding third-party apps.

I tried many different ways on the router, even replacing the CSR with the one used to produce the Certificate on GoDaddy.

John.

22 Oct 2018 16:55 #8 by admin3
Replied by admin3 on topic Re: Certificate for SSL Import.
Good to know :)

The latest firmware should be fine, I import my LetsEncrypt SSL certificate on a Vigor 2860ac on 3.8.9.3_BT. That also requires manually combining the .pem & .crt files into a .pfx right now.

Try the binaries from here, I think that's what I used



Forum Administrator
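The local checks mentioned in this thread (key size, signature algorithm, whether the certificate belongs to the private key) and the .pfx bundling step can all be done with the OpenSSL command line. The following is an added example, not part of the original posts; the file names, the `PFX_PASSWORD` variable and the throwaway self-signed demo pair are assumptions made for illustration.

```shell
# Added example. File names and PFX_PASSWORD are placeholders chosen here.

# PEM public key embedded in a certificate (fails on an unreadable file).
cert_pubkey() { openssl x509 -in "$1" -noout -pubkey 2>/dev/null; }

# PEM public key derived from an unencrypted private key.
key_pubkey() { openssl pkey -in "$1" -pubout 2>/dev/null; }

# Succeeds only when the certificate was issued for this private key.
# Missing or unparsable files count as a mismatch, never as a match.
cert_matches_key() {
    c=$(cert_pubkey "$1") || return 1
    k=$(key_pubkey "$2") || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Public key size in bits, e.g. 2048.
cert_key_bits() {
    openssl x509 -in "$1" -noout -text |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# Signature algorithm, e.g. sha256WithRSAEncryption.
cert_sig_alg() {
    openssl x509 -in "$1" -noout -text |
        sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# Bundle certificate and key into a PKCS#12 (.pfx) file.
# The export password is read from the environment variable PFX_PASSWORD
# so that it does not appear on the command line.
make_pfx() {  # usage: make_pfx cert key out.pfx
    [ -n "${PFX_PASSWORD:-}" ] || { echo "PFX_PASSWORD not set" >&2; return 1; }
    cert_matches_key "$1" "$2" ||
        { echo "certificate and key do not match" >&2; return 1; }
    openssl pkcs12 -export -in "$1" -inkey "$2" -out "$3" \
        -passout env:PFX_PASSWORD
}

# Constructed demo input: a throwaway self-signed pair, not a real certificate.
make_demo_pair() {  # usage: make_demo_pair directory
    openssl req -x509 -newkey rsa:2048 -sha256 -nodes -days 1 \
        -subj "/CN=router.example.test" \
        -keyout "$1/domain.key" -out "$1/domain.crt" 2>/dev/null
}
```

Running `cert_matches_key`, `cert_key_bits` and `cert_sig_alg` against the issued files before an import attempt shows whether a failure comes from a mismatched key or from a key size or hash the device may not accept.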

28 Oct 2018 01:11 #9 by hornbyp
Replied by hornbyp on topic Re: Certificate for SSL Import.
https://zerossl.com returns Letsencrypt certificates as a domain-crt and a domain-key file, which the 2860 can import, with no further processing.

I didn't pursue use of Letsencrypt certificates for my Vigors, since they expire every three months and can't be automatically renewed (from the Vigor).

29 Nov 2018 11:34 #10 by hornbyp
Replied by hornbyp on topic Re: Certificate for SSL Import.

hornbyp wrote: I didn't pursue use of Letsencrypt certificates for my Vigors, since they expire every three months and can't be automatically renewed (from the Vigor).



Apparently, this will be possible once firmware 3.9.0 is released (at least for some models) ...

See: https://www.draytek.com/en/faq/faq-miscellaneous/miscellaneous.application/how-to-apply-lets-encrypt-certificate-on-vigor-router

30 Nov 2018 10:48 #11 by sheltons
Replied by sheltons on topic Re: Certificate for SSL Import.

hornbyp wrote:

hornbyp wrote: I didn't pursue use of Letsencrypt certificates for my Vigors, since they expire every three months and can't be automatically renewed (from the Vigor).



Apparently, this will be possible once firmware 3.9.0 is released (at least for some models) ...

See: https://www.draytek.com/en/faq/faq-miscellaneous/miscellaneous.application/how-to-apply-lets-encrypt-certificate-on-vigor-router


Thanks for the update.
I have had to put this on the back burner for now until we get all the Xmas Sales out of the way.
John.

03 Jan 2019 11:11 #12 by gbrown100
Replied by gbrown100 on topic Re: Certificate for SSL Import.
I gave up with this and stopped using the SSL VPN (also because of an issue where the config file kept corrupting itself in the Smart VPN Client). I got naff all support from SEG, who just kept pointing me back to the help documents, which didn't work, and telling me to run betas, which didn't work. I have 45 2860s out there and actually stopped supplying them after the support experience. I'm assuming that the 2860 isn't going to get 3.9 firmware and I have no intention of replacing all with the 2862, so I moved over to UniFi after that. I suspect the 2862 and 3.9 combination will probably work much better since they mention Let's Encrypt support; it might even tempt me back with OpenVPN support!

Graham.
