DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

Enabling SSL on Local admin page

30 Jan 2019 19:13 #1 by dh7
Hi Everyone

I have Googled the heck out of this and just can't seem to get a definitive answer.

Basically the aim is to enable secure access to the router configuration page i.e. 192.168.1.1. There will be no remote management enabled, so this is basically for local access only.

As I understand it I will need to create a self-signed certificate (local) as opposed to a Certificate Authority (domain-based access).
I have yet to find a concise set of instructions on how to do this. My plan is to implement it on my own device first, a Vigor 2830, and then on the other DrayTek products I manage.

Any help would be gratefully appreciated.


31 Jan 2019 20:20 #2 by paulruk
Replied by paulruk on topic Re: Enabling SSL on Local admin page
Does this help?

https://www.draytek.com/en/faq/faq-management/management.system-maintenance/how-to-generate-unique-self-signed-certificate-and-replace-the-default-one/


03 Feb 2019 22:19 #3 by dh7
Replied by dh7 on topic Re: Enabling SSL on Local admin page
Thanks for the reply.

On my Vigor2830 the "Create Root CA" option is not there. But on the Local Certificate page, if you try to generate a new cert, it will partially complete but with the status of Requesting.

I have left it over 24 hours but there is no progress from there. I assume that, like other devices, the next page when complete will allow you to download the certificate to then import into cert manager.

I may try resetting the router to see if this corrects the issue, as every document/guide like the one in the link seems to refer to the "Create Root CA" option.


04 Feb 2019 01:07 #4 by hornbyp
Replied by hornbyp on topic Re: Enabling SSL on Local admin page
On the 2830, you have to "view" the Request you've made, cut the 'PEM Format content' from the screen, paste it into a file and then submit that file manually to your local, tame Certificate Authority :cry:
When you get the certificate from the CA (in a file), the 'Import' function marries it up with the 'request' and the status changes to "OK".

Nothing will happen automatically; it will stay in the 'Requesting' state for ever, if there is no manual intervention.

However, IIRC, you don't need to actually create your own certificate to use SSL/HTTPS with the 2830 - an (invisible!) default one is present...


09 Feb 2019 00:27 #5 by dh7
Replied by dh7 on topic Re: Enabling SSL on Local admin page
Thanks for the extra information.
I was following this guide https://www.draytek.com/en/faq/faq-management/management.system-maintenance/how-to-generate-unique-self-signed-certificate-and-replace-the-default-one/ (section: Sign a local certificate). As mentioned before, the guide says that after you have generated the cert you click the sign button, but as you say there is another step to get that to appear; I'm just not sure what. What I see: https://imgur.com/d6TtkD4

What's confusing is that after I have generated the cert and copied the PEM format content to a txt file, I am unsure what to do from there. I know the complexity increases if you introduce something like OpenSSL or Let's Encrypt (FQDN use), but with me only wishing to manage this over the local network and not remotely, I am not sure what to do to get the txt file with PEM content into a .crt file to import into Windows Cert Manager.

Again thanks for the information I feel there is just that one step that I am missing.


09 Feb 2019 01:15 #6 by hornbyp
Replied by hornbyp on topic Re: Enabling SSL on Local admin page
dh7 wrote: I was following this guide https://www.draytek.com/en/faq/faq-management/management.system-maintenance/how-to-generate-unique-self-signed-certificate-and-replace-the-default-one/ (section: Sign a local certificate)

Sadly, that guide isn't applicable to the 2830 - the 2830 isn't capable of acting as a Certificate Authority :cry:

He also wrote: As mentioned before, the guide says that after you have generated the cert you click the sign button, but as you say there is another step to get that to appear; I'm just not sure what. What I see: https://imgur.com/d6TtkD4

The 2830 can't sign it itself - because it's not a CA.

Then he wrote: What's confusing is that after I have generated the cert and copied the PEM format content to a txt file, I am unsure what to do from there. I know the complexity increases if you introduce something like OpenSSL or Let's Encrypt (FQDN use), but with me only wishing to manage this over the local network and not remotely, I am not sure what to do to get the txt file with PEM content into a .crt file to import into Windows Cert Manager.
I feel there is just that one step that I am missing.

OK - don't confuse me with someone with any great expertise on this subject :D ... my primary talent is the application of Yorkshire Grit and Determination :? ... I think I just tried every conceivable permutation, until I battered the Universe into submission!

When you hit the "Generate" button, you have generated a "signing request" ... not a certificate. What - specifically - you do with that request is down to the requirements of the actual Certificate Authority you decide to use. (There is no inherent requirement for the 'request' to be generated on the 2830 - it's just a convenience that you can.)

IMHO, Letsencrypt would not be a good choice, because the certificates (purposefully) expire every few months. The 2830 has no mechanism to handle this automatically, so you'd have to keep going through the same manual process, over and over. So, at the very least, you need a CA where you can choose a long validity period.
OpenSSL on Windows doesn't look promising: the only prebuilt binaries I could find, were ancient and I didn't fancy going down the rabbit hole of trying to compile the current source. There is the possibility of getting the up-to-date linux ones, to run under WSL, or Hyper-V, or Docker, but I didn't explore that either.

Assuming you have a Windows Certificate Authority available to you, it's still quite a learning curve, turning that 'request' into a valid certificate. (Before doing anything, the Windows CA certificate needs to be loaded into the 2830 as "Trusted CA-1".)

(annoyingly over 3000 character limit!)
//cont'd//

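The manual loop hornbyp describes in #4 and #6 (copy the request's PEM out of the router, have a CA you control sign it, import the result, and choose a long validity because the 2830 cannot renew anything on its own), written out as an added example that is not part of this thread and not DrayTek's own procedure. It stands in a throwaway OpenSSL CA on a Linux, macOS or WSL box for the Windows CA; the working directory, the CA name, the 192.168.1.1 address and the five-year validity are assumptions. The request it signs is a locally generated stand-in, because the real request (and the private key behind it) only exist on the router; with a real router you would save the pasted 'PEM Format content' to router.csr and skip make_stand_in_csr. pem_kind is the check dh7 was missing in #5: it tells you whether the text you pasted is a request or a certificate, and a request is not something Windows Cert Manager can import.

```shell
#!/bin/sh
# Added example: sign a router-generated CSR with a small local OpenSSL CA.
# Paths, names, IP and validity below are assumptions, not DrayTek values.
set -eu

WORK="${WORK:-$(mktemp -d)}"          # assumed scratch directory
ROUTER_IP="${ROUTER_IP:-192.168.1.1}" # assumed LAN address of the Vigor
DAYS="${DAYS:-1825}"                  # long validity: the 2830 cannot auto-renew

# Report what a pasted PEM file actually holds: a signing request or a
# certificate. The router's "Generate" output is a request, not a cert.
pem_kind() {
    if grep -q 'BEGIN CERTIFICATE REQUEST' "$1"; then echo csr
    elif grep -q 'BEGIN CERTIFICATE' "$1"; then echo cert
    else echo unknown; fi
}

# Create the local CA. ca.crt is what gets loaded into the router as the
# trusted CA and into your PCs' trust stores; ca.key never leaves this box.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/CN=Home Lab Router CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# Stand-in for the request the 2830 shows under "View" / PEM Format content.
# Only needed here so the example runs offline; a real run uses the router's CSR.
make_stand_in_csr() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=$ROUTER_IP" \
        -keyout "$WORK/router.key" -out "$WORK/router.csr" 2>/dev/null
}

# Turn the request into a certificate. The SAN for the LAN IP matters:
# browsers ignore the CN and reject a cert whose SAN does not cover the address.
sign_csr() {
    csr="$1"; out="$2"; ext="$WORK/router.ext"
    printf 'subjectAltName=IP:%s\nextendedKeyUsage=serverAuth\nbasicConstraints=CA:FALSE\n' \
        "$ROUTER_IP" > "$ext"
    openssl x509 -req -in "$csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days "$DAYS" -sha256 -extfile "$ext" -out "$out" 2>/dev/null
}

# Succeeds only if the cert chains to our CA and names the router IP in its SAN.
verify_cert() {
    openssl verify -CAfile "$WORK/ca.crt" "$1" >/dev/null 2>&1 &&
    openssl x509 -in "$1" -noout -text | grep -q "IP Address:$ROUTER_IP"
}

# Succeeds if the cert is still valid N days from now (the "no Let's Encrypt"
# point: a 90-day cert fails this check for any N above ~90).
still_valid_in_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Usage: RUN_DEMO=1 sh sign-router-csr.sh   (file name is an assumption)
if [ "${RUN_DEMO:-0}" = 1 ]; then
    make_ca
    make_stand_in_csr
    sign_csr "$WORK/router.csr" "$WORK/router.crt"
    verify_cert "$WORK/router.crt" &&
        echo "signed: $WORK/router.crt (import this on the router; load $WORK/ca.crt as the trusted CA)"
fi
```

On the router side the order hornbyp gives still applies: load ca.crt as the trusted CA first, then import router.crt against the pending request so its status flips from Requesting to OK. Install ca.crt (never ca.key) in the trust store of each PC that manages the router, otherwise the browser warning simply moves from "unknown issuer" to "unknown CA".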