XII. Firewall/Security Features

How to generate custom self-signed router certificates

Vigor 2620Ln
Vigor 2760
Vigor 2762
Vigor 2765
Show all

Show all

How to generate custom self-signed router certificates

DrayTek routers that support SSL VPN each have a self-signed certificate that is unique to the router and is used for identification purposes to secure HTTPS and SSL VPN access to reduce the risk of man in the middle and other HTTPS impersonation attacks.

The routers have a facility to create and sign their own personalised certificates for HTTPS and SSL VPN usage, which can increase security and makes it possible to self-sign certificates that have Common Name information (An attribute written in the certificate which can be read when the certificate is inspected) which matches the router's Host Name or IP Address, so that the certificate can be used to verify the identity of the router that a client is connecting to and create a trusted certificate chain between the router's Root CA and Local Certificate.

The Common Name of a certificate is compared with the IP address or Host Name of an HTTPS or SSL VPN server upon connection to determine whether the certificate is intended for use with that IP or Host Name, if they do not match, the client may show a warning or block the connection, depending on how it is configured.

This can be beneficial for SSL VPNs in the DrayTek Smart Client, which can then authenticate the SSL VPN server that is being connected to (required for iOS compatibility) and can be used with the "Enable Server Certificate Authentication" option in the client, which requires a trusted certificate chain on the client device using the router's Root CA.

This functionality can be used to sign certificates for the router, with up to 3 Local Certificates which can have different Common Name details.

It is not possible to sign certificates from other devices using the DrayOS Root CA function.
If the ability to sign certificates of other devices is required, the DrayTek Vigor 3900 can operate as a Root CA and sign certificates from other devices / servers.

To make a custom self-signed certificate on the router, the process involved is:

1. Check that the router's Time is correct, so that the Valid To and Valid From times are correct 
2. Create a Root CA so that the router can sign its own certificates
3. Create a Local Certificate
4. Sign the Local Certificate using the Root CA functionality
5. Select the Local Certificate for the router's SSL / HTTPS server

Create Root CA

  1. Ensure that the router's time settings is correct by going to the [System Maintenance] > [Time and Date] settings, set the router to Use Internet Time and click OK, then check whether the router has the correct time by using the Inquire Time button. This requires working internet access and DNS resolution for the router to be able to get time via Network Time Protocol.

  2. Once the router's time is correct, go to [Certificate Management] > [Trusted CA Certificate], and click "Create Root CA". 

  3. Specify the identifying information required for the Root CA Certificate, the example below shows the minimum that is allowed. The Common Name for the Root CA does not need to match a valid IP or Host Name and can be used to identify the certificate to the client, it could be a company name or other identifier.

    Set the Key Size to 2048 Bit and click Generate to create the certificate:

    The router will then pop-up this warning, which will complete within a few seconds typically but could take longer under some circumstances:

    Click OK to continue.

  4. Once the Root CA certificate has finished processing, it will show its status in the Trusted CA Certificate section as "OK".

    Note:A Vigor Router can only have one Root CA at the same time. To create a new Root CA, delete the old one first.

Sign a local certificate with Root CA

  1. Go to [Certificate Management] > [Local Certificate], and generate a certificate request by clicking the Generate button:

  2. Enter the details for the local certificate; if this will only be used to customise the certificate, the Common Name and Subject Alternative Name do not have to be a valid IP address or Host Name, but if they do not match the hostname or IP Address of the router then this will cause the Web Browser to flag up a (by-passable) warning with the certificate. By setting these details to a valid IP address or Host Name (including dynamic DNS hostnames) it will make it possible for client web browser to identify the router by matching these details upon connection.
    The minimum required details are Common Name, Subject Alternative Name and Country.

    In the example below the routers public IP Address is

    Set the Key Size to 2048 Bit and click Generate to create the certificate:

    The router will then pop-up this warning, which will complete within a few seconds typically but could take longer under some circumstances:

    Click OK to continue.

  3. There will be a new local certificate request on the list, with the status of "Requesting". Click "Sign" to sign the local certificate.

  4. Set the date of Validity, in this example set to be valid for two years, and click "Sign".

    When setting the "Not After" (Valid Until / End) date, this must be at least one day later than the "Not Before" (Valid From / Start) date. The hours and minutes of these settings are taken from the time that the certificate is signed.

  5. The local certificate will be signed by the Root CA created previously and its status will now display “OK”.

Replace the default HTTPS and SSL Certificate

  1. Go to [SSL VPN] > [General Setup] and select the new Local Certificate from the list as the Server Certificate. Click OK to apply that change.

  2. From the browser, accessing the router's HTTPS / SSL VPN login page now displays the selected certificate when checking the certificate information:

    Certificate in Browser

How do you rate this article?

1 1 1 1 1 1 1 1 1 1