
How to apply a trusted certificate for HTTPS Router Management on the Vigor 2960 and Vigor 3900


SSL certificates are used by web browsers and other software to determine whether a site can be trusted for secured HTTPS communication. When accessing an HTTPS website, the client (typically the web browser) examines the credentials in the site's certificate and checks their validity; if there are any concerns about the details, a web browser might prompt the user for action before proceeding, and an automated system might simply close the connection.

To act as a starting point, a site's certificate is normally signed by a third-party certificate authority, which acts as the 'trusted third party' confirming that the certificate is authentic and not forged. Each browser has a list of Trusted Certificate Authorities that it trusts to sign certificates, and it checks whether the certificate has been signed by one of these trusted third parties that it recognises.

If the details are valid and the certificate authority used to sign the site's certificate is recognised by the browser, the browser will allow the HTTPS site to show and will show that the certificate is valid. If the certificate authority is not recognised or if the details such as the hostname do not match with the site being accessed, the browser will show a warning message and it will not be possible to proceed to the site without making an exception.

To create a certificate that is recognised by others, it needs to be signed by a certificate authority. A certificate authority will only sign a certificate if it recognises that the requester has the appropriate authority / ownership for the domain that the certificate is for. In practice this means that the ability to create a certificate for router.example.com requires the requester to have been granted authority to request certificates for subdomains of example.com. This means that it's typically not possible to create certificates for DDNS hostnames without contacting the owner of the domain (e.g. the DDNS provider, who may offer this as a service) or having your own domain.

Firmware Requirement:

Installing a trusted certificate on the router is supported with firmware versions 1.2.0 and onwards. It is recommended to use the latest current firmware, where possible.

This example will use the subdomain "ssldemo.mailroute44.com" as the host name for the router and a free Certificate Authority called CA Cert to sign the router's generated certificate. This is not a Certificate Authority that will be recognised by web browsers by default so it's necessary to install the Root Certificates in the browser for the certificate to be recognised as valid.

The principles explained would be similar with other Certificate Authorities, but the steps for installing the Root Certificate would not be required if the Certificate Authority's certificate is already recognised by the web browser, as it would be for the larger CAs such as Comodo, Symantec, Go Daddy, GlobalSign, DigiCert and StartCom.

In a scenario where the router's interface would be customer facing, such as when using User Management with HTTPS, it would be helpful to have the certificate signed by a widely recognised authority so that end users' browsers would be able to recognise the validity of the certificate without any additional work needed. Check with the Certificate Authority being considered directly to see if they are included in web browsers.

When accessing a router using HTTPS, the router will use its self-signed certificate, which is not valid as it does not have valid identity details, nor does it have a trusted certificate authority. To resolve this, it's necessary to generate a certificate on the router with details that match the way in which it will be accessed and have it signed by a trusted certificate authority. The signed certificate is then uploaded to the router and selected for use with the router's SSL VPN / HTTPS Management interface.

Please note that the time and timezone of the router must both be correct before generating a certificate. These can be configured under [System Maintenance] > [Time and Date] by enabling NTP and setting the router's Time Zone and Daylight Saving times for the correct location:

Make sure that the router's time is correct by checking the router's Online Status page before proceeding.

To generate a certificate on the router, go to [Certificate Management] > [Local Certificate] and on there, click Generate:

After clicking Generate, options for configuring the certificate are shown. This example uses the Domain Name as the Subject Alternative Name, and the Common Name (CN) is also set to the domain name used for the router.

Please note that all fields must be filled in to create a local certificate.

The Key Size has been increased to 2048 Bit to improve security.

Click the Apply button to generate a certificate.

Go to your Certificate Authority's page and create a new Server Certificate (naming may vary by provider):

In the router's web interface, go to [Certificate Management] > [Local Certificate]; the state of the newly generated local certificate will show as Requesting until it's signed by the certificate authority:

Click on the certificate Name to highlight it, then click Download to download the certificate file:

The browser will then download the certificate file in PEM format with a .pem extension:

Save the file and open it in a text editor such as Notepad:

Select the text in that certificate: right-click and then click Select All. Once the text is selected, right-click again and click Copy to copy the certificate text to the computer's clipboard.

The Certificate Authority's page should require text in the same format, so paste it in similarly to how it's shown below, add any other details required by the CA, then click Submit to continue the process:

The Certificate Authority may require a secondary confirmation which may show details from the certificate to confirm that the details are correct, click Submit to continue:

The Certificate Authority should then generate text similar to what's shown, select the text from the -----BEGIN CERTIFICATE----- line until the -----END CERTIFICATE----- line and paste that into a text editor such as Notepad:

In the text editor, select Save As... to save the file. It should be saved with a .cer extension and must have the same name as the .pem file; the name is case sensitive. For example, this certificate file will be saved as Vigor3900Certificate.cer because the certificate from the router was Vigor3900Certificate.pem.

If the filename does not match, the router will not recognise the signed certificate.

It should be possible to open the .cer file in Windows to check the details of the certificate.
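As an added example (not DrayTek's own code or tooling), the following script performs the same pre-upload checks from the command line with the openssl CLI: that the .pem and .cer names match, that the CA signed the router's own key, that the key is 2048 bit, that the certificate is valid for the hostname, and that it has not expired. The hostname and file names follow this article; the key, CSR and signed certificate are constructed locally (the CA step is simulated by self-signing) so the script runs offline.

```shell
#!/bin/sh
# Added example, not DrayTek's code: offline sanity checks on a CA-signed
# certificate before uploading it to the router. Requires the openssl CLI.
# The key, CSR (.pem) and signed certificate (.cer) below are constructed
# locally so the checks have something to run against without a real CA.
set -u

HOST="ssldemo.mailroute44.com"

# Build stand-in material: the "router" CSR (X.pem) and the "CA" reply (X.cer).
make_demo_material() {
  host=$1; base=$2
  openssl req -new -newkey rsa:2048 -nodes -keyout "$base.key" -out "$base.pem" \
    -subj "/C=GB/ST=Demo/L=Demo/O=Demo/OU=Demo/CN=$host" >/dev/null 2>&1
  printf 'subjectAltName=DNS:%s\n' "$host" > "$base.ext"
  openssl x509 -req -in "$base.pem" -signkey "$base.key" -days 365 \
    -extfile "$base.ext" -out "$base.cer" >/dev/null 2>&1
}

# check_cert CSR CER HOST -> returns 0 if the .cer is ready to upload, 1 otherwise.
check_cert() {
  csr=$1; cer=$2; host=$3; rc=0
  # 1. The router pairs the files by name (case sensitive): X.pem <-> X.cer
  [ "${csr%.pem}" = "${cer%.cer}" ] || { echo "FAIL: file names differ"; rc=1; }
  # 2. The CA must have signed the router's own key, not some other request
  csr_key=$(openssl req -in "$csr" -noout -pubkey 2>/dev/null)
  cer_key=$(openssl x509 -in "$cer" -noout -pubkey 2>/dev/null)
  [ -n "$csr_key" ] && [ "$csr_key" = "$cer_key" ] \
    || { echo "FAIL: public key in .cer does not match the router's CSR"; rc=1; }
  # 3. Key size: the article raises it to 2048 bit; refuse anything smaller
  bits=$(openssl x509 -in "$cer" -noout -text | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
  [ "${bits:-0}" -ge 2048 ] || { echo "FAIL: key is only ${bits:-?} bits"; rc=1; }
  # 4. The name the browser will check must be in the certificate (SAN or CN)
  openssl x509 -in "$cer" -noout -checkhost "$host" | grep -q 'does match' \
    || { echo "FAIL: certificate is not valid for $host"; rc=1; }
  # 5. Still within its validity period (a wrong router clock shows up here)
  openssl x509 -in "$cer" -noout -checkend 0 >/dev/null \
    || { echo "FAIL: certificate has expired"; rc=1; }
  [ $rc -eq 0 ] && echo "OK: $cer is ready to upload"
  return $rc
}

make_demo_material "$HOST" Vigor3900Certificate
check_cert Vigor3900Certificate.pem Vigor3900Certificate.cer "$HOST"
```

Replace the constructed .pem and .cer with the file downloaded from the router and the file saved from the CA's reply to check a real pair.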

This can then be loaded on the router by going to [Certificate Management] > [Local Certificate], on there, click the Upload button:

That will pop up these options. Select Local Certificate, click Browse and select the certificate file that was saved:

Click Upload to upload the certificate to the router.

That will then upload through the router's web interface, and the Local Certificate list will show that the certificate Status has changed from Requesting to OK, meaning that the certificate can now be used.

To use the certificate on the router instead of the self-signed certificate, go to [System Maintenance] > [Access Control] and set the Server Certificate to the one uploaded to the router, then click Apply to apply the change:

When accessing the router in a web browser, it should now show as a valid certificate. Please note that for this to work with the CA Cert authority used in this example, the browser must have CA Cert added as a Trusted Certificate Authority following the details on their website.

When checking the certificate, it should show the domain details used to identify the site in the Common Name (CN) field:
