Change SSL cert for HTTPS certificates

DD-WRT Forum Index -> Contributions Upload
shinji257
DD-WRT User


Joined: 02 May 2007
Posts: 222

PostPosted: Sat Feb 23, 2008 2:09    Post subject: Change SSL cert for HTTPS certificates
Ok. This is only tested on Eko's 8091 build but it should work on others. This script must be inserted into the firmware either by compiling your own or using the firmware modification kit. The latter is actually the safer method because you can really only change the scripts and the binaries.

The script allows you to provide your own certificate by placing both the encrypted and non-encrypted private keys as well as the signed certificate in /jffs/ssl. You must be able to use jffs for this to be of any use and the firmware must have support for https. In most cases this means only the standard and the standard nokaid versions will be able to use this. Eko's mini build has https too though so it can also have this item.

If you are unable to use jffs then you can replace privkey.pem, key.pem, and cert.pem in /etc with your own and repackage the firmware. I guess you have to do it with the attached script but here are the advantages/disadvantages.

Using a script to copy out of /jffs:
Advantage
* Don't need to rebuild the firmware each time a new cert is generated (especially if you keep it around for a long time).

Disadvantage
* If you upgrade your firmware then you will need to repackage it and put the script in there
* You may need to upload the certificate files again after upgrading if it thinks that the jffs is corrupted so make sure you back them up before upgrading! Actually you should have a backup anyways.

Replacing the firmware certificate with your own:
Advantage
* You don't need jffs support or capability to use your own certificate

Disadvantage
* If you get a new certificate for any reason you will need to repackage a new firmware and upload it to the router
* You still have to repackage the new firmware if you upgrade with the new certificate since it isn't part of the stock firmware.

Firmware Integration Installation (locations are rooted to the base of the firmware folder):
1. Drop the attached user-cert.startup file into /etc/config and make it executable

2. Create folder ssl in /etc and move cert.pem, privkey.pem, and key.pem into /etc/ssl.

3. Create the following symbolic links.
/etc/privkey.pem -> /tmp/etc/privkey.pem
/etc/key.pem -> /tmp/etc/key.pem
/etc/cert.pem -> /tmp/etc/cert.pem

If you want me to do this for you then just ask. I can also provide a debug version of the script if you are having trouble making it work.

P.S. - It would be very useful if this was just placed in future firmware versions and a webgui was added. *hint hint wink wink*
Hamy
DD-WRT Novice


Joined: 25 Apr 2010
Posts: 8

PostPosted: Wed Feb 16, 2011 15:36    Post subject: What's the use of privkey.pem?
Hi. I know this thread is a bit old, but I really needed this, and since it seems those pem files still exist even in the latest release, I think it's safe to say your method will still work. I'm planning to use the firmware-mod-kit and replace the pem files directly, but what I don't understand is the use of privkey.pem.
I mean, it already has an unencrypted version of the private key, so why would it also want an encrypted one? And also, with what password should I encrypt that? It just somehow doesn't make sense.

Thank you for reading that, and for probably answering me :)

Edit: After a dozen tries, I finally made it work the way I want (1024-bit RSA key with a cert signed by my company's CA; see the attachment).
The best way to know how to generate a compatible certificate is to see how they were generated in the first place:
http://svn.dd-wrt.com:8000/browser/src/router/httpd/gencert.sh

It seems privkey.pem is just a temp file before it gets decrypted, so it should be OK to ignore. But just to be safe, I also included it with the other two pem files.
So, yeah, that's pretty cool. Also, big thanks to shinji257 for pointing me in the right direction.
Another note worth mentioning: if you are using the out-of-the-box firmware from the dd-wrt site and planning to use HTTPS as a security feature, you HAVE to change the certificate/private key, since they are in the firmware and visible to anyone with a little knowledge.
can't flash
DD-WRT User


Joined: 14 Jan 2010
Posts: 73
Location: Flint, Michigan

PostPosted: Tue Mar 08, 2011 1:01    Post subject: Modifying the Firmware
A few questions:

Why is it necessary to use the firmware modification kit to change the certificates? Could you not just replace the files?

If you do have to modify the firmware, how does one extract the firmware image? I have followed the steps in http://www.dd-wrt.com/wiki/index.php/Development but cannot understand how to properly extract the firmware image. Where is the image file located?
Hamy
DD-WRT Novice


Joined: 25 Apr 2010
Posts: 8

PostPosted: Tue Mar 08, 2011 7:20    Post subject: Re: Modifying the Firmware
can't flash wrote:
Why is it necessary to use the firmware modification kit to change the certificates? Could you not just replace the files?

It's not. As shinji257 mentioned, you can use a script to replace the files on every reboot, but I just didn't like the idea; I wanted to integrate it. So I had two choices: either build the firmware from scratch, or unpack it with the firmware modification kit, replace the necessary files and repack it.
can't flash wrote:
If you do have to modify the firmware, how does one extract the firmware image? I have followed the steps in http://www.dd-wrt.com/wiki/index.php/Development but cannot understand how to properly extract the firmware image. Where is the image file located?


Well, actually it's pretty simple. I literally know nothing about the Linux OS, but even I could pull it off. But TBH it was a while ago, and I can't remember the exact steps I took. I was using an Ubuntu flavor, so I guess I used something like this in the terminal:

Code:
sudo apt-get install gcc g++ binutils patch bzip2 flex bison make gettext unzip  zlib1g-dev libc6 subversion


then i downloaded the latest version from: http://code.google.com/p/firmware-mod-kit/
Unpacked it, and the rest was pretty much the same as mentioned in the wiki.
can't flash
DD-WRT User


Joined: 14 Jan 2010
Posts: 73
Location: Flint, Michigan

PostPosted: Tue Mar 08, 2011 17:15    Post subject: Modifying the Firmware
Hamy,

Thanks for the reply. I managed to get a copy of the firmware opened in the kit and then I replaced the three certificate files in /etc. So after remaking the firmware, you just flashed one of the generic versions to your router?

Thanks again.
Hamy
DD-WRT Novice


Joined: 25 Apr 2010
Posts: 8

PostPosted: Wed Mar 09, 2011 11:08    Post subject:
That's the idea. Just make sure you unpacked/repacked the right firmware for your router, or you might brick it.
can't flash
DD-WRT User


Joined: 14 Jan 2010
Posts: 73
Location: Flint, Michigan

PostPosted: Wed Mar 09, 2011 16:19    Post subject: SSL Certs
Hamy,

The mod kit spits out a bunch of generic .bins. Some look like they are designed for specific routers. I am assuming I want the general generic one; but how confident can I be that, if I unpacked the correct firmware, the repack is the same thing?
Hamy
DD-WRT Novice


Joined: 25 Apr 2010
Posts: 8

PostPosted: Wed Mar 09, 2011 16:44    Post subject:
That custom_image-generic.bin was supposed to link to custom_image.trx, which seems to be broken.
If your router uses normal generic firmware (like dd-wrt.v24_std_generic.bin or dd-wrt.v24_nokaid_generic.bin, ...), custom_image.trx is the one to use. You could simply rename it to custom_image.bin.

Also, keep in mind, as mentioned at http://code.google.com/p/firmware-mod-kit/: "NO GUARANTEE IS PROVIDED. WITH EVERY REBUILT IMAGE YOU STAND THE CHANCE OF BRICKING YOUR DEVICE (EITHER A SOFT OR HARD BRICK). DO NOT USE THIS TOOL IF YOU CAN NOT RECOVER FROM SUCH A BRICK. BY USING THIS TOOL YOU ASSUME LIABILITY OF ALL DAMAGES, TANGIBLE AND INTANGIBLE, RESULTING FROM THE USE OR MIS-USE OF THIS SOFTWARE."

It did work for me on an Asus WL-520GU with dd-wrt.v24_nokaid_generic.bin build 14929. Hopefully it'll work for you too.
can't flash
DD-WRT User


Joined: 14 Jan 2010
Posts: 73
Location: Flint, Michigan

PostPosted: Wed Mar 09, 2011 23:20    Post subject: dd-wrt SSL Certs
Hamy,

Yeah... that's the problem. I have a Linksys E3000. The peacock thread specifically warns against using generic .bins. The best option seems to be trying to incorporate a shell script and jffs. Do you have any experience with that approach?
Hamy
DD-WRT Novice


Joined: 25 Apr 2010
Posts: 8

PostPosted: Thu Mar 10, 2011 6:04    Post subject: Re: dd-wrt SSL Certs
can't flash wrote:
Hamy,

Yeah... that's the problem. I have a Linksys E3000. The peacock thread specifically warns against using generic .bins. The best option seems to be trying to incorporate a shell script and jffs. Do you have any experience with that approach?


That's the safest way for sure. And no, I do not, but it should be rather simple. Give it a try; I don't think you can brick your router with that. In the worst case, you just need to do a hard reset to recover.
dduck669
DD-WRT Novice


Joined: 13 Apr 2011
Posts: 1

PostPosted: Wed Apr 13, 2011 8:08    Post subject:
I tried to use the script with the latest DD-WRT release (I don't want to repack/modify the firmware), but I'm not able to use my own certs. The script copies the files to /tmp/etc/, but the httpd server uses the default certs and not mine.

Can someone help me? Thank you....
lewisje
DD-WRT Novice


Joined: 31 Aug 2011
Posts: 5

PostPosted: Wed Aug 31, 2011 10:22    Post subject:
dduck669 wrote:
I tried to use the script with the latest DD-WRT release (I don't want to repack/modify the firmware), but I'm not able to use my own certs. The script copies the files to /tmp/etc/, but the httpd server uses the default certs and not mine.

Can someone help me? Thank you....
I also just tried this, to no avail; I'm using this method to block ads via DD-WRT, and Opera complains about the low encryption level (128-bit ARC4 with RSA/SHA) used in the built-in cert whenever a blocked ad on an HTTPS site is redirected to pixelserv: http://www.howtogeek.com/51477/how-to-remove-advertisements-with-pixelserv-on-dd-wrt/

It was so annoying that I made a cert in OpenSSL with a 4096-bit RSA key encrypted with AES-256 and put it (along with the key) in /jffs/ssl/ and had a script copy it over to /tmp/etc/, but the old NEW-MEDIA.NET cert is still being picked up.
maddes.b
DD-WRT Novice


Joined: 27 Dec 2007
Posts: 36

PostPosted: Mon Oct 03, 2011 3:30    Post subject: Still works with r17201 and r23720
I can confirm that this still works with r17201 and also with r23720.
I use a script to apply my certificate and did not change a firmware image.

Some additional information:
1. The first time you copy and apply the certificate and keys manually, make sure that /etc/cert.pem, /etc/key.pem and /etc/privkey.pem really point to your files (check their content with cat).

Also do not forget to stop and start the HTTP server, so that the new files are actually used:
Code:
stopservice httpd
startservice httpd


These could be reasons for lewisje's problem above.

2. Later, when using a startup script, the changes are normally executed before the HTTP server is started.

For example here's my startup script /<mount point>/etc/config/binds_on_mount.startup (mount point may vary, e.g. /jffs; script name may vary except for the extension .startup):
Code:
#!/bin/sh

# get the absolute directory of the executable
SELF_PATH=$(cd -P "$(dirname "$0")" && pwd -P)

# extract the mount path
MOUNT_PATH=`echo ${SELF_PATH} | cut -d / -f1-2`

# do folder binds
# UPDATE: this block was removed as it is not related to HTTPS certificate
#

# HTTPS certificates
# Stop httpd only if it is running and HTTPS is enabled. HTTPD_PIDS doubles
# as the "start httpd again afterwards" flag: non-empty means restart.
HTTPD_PIDS=`pidof httpd`
if [ -n "${HTTPD_PIDS}" ]; then
   HTTPD_PIDS=`nvram get https_enable`
   if [ "${HTTPD_PIDS:=0}" -gt 0 ]; then
      echo Stopping HTTPD
      stopservice httpd
   else
      HTTPD_PIDS=
   fi
fi
#
# Bind-mount the certificate and keys over the firmware's copies in /etc.
# The grep on /proc/mounts skips a file that is already bound.
echo Binding HTTPS certificate
grep -q -e "/etc/cert.pem" /proc/mounts || mount -o bind ${MOUNT_PATH}/etc/ssl/certs/router@maddes.home.10.0.0.254.server.crt /etc/cert.pem
grep -q -e "/etc/key.pem" /proc/mounts || mount -o bind ${MOUNT_PATH}/etc/ssl/private/router@maddes.home.key /etc/key.pem
grep -q -e "/etc/privkey.pem" /proc/mounts || mount -o bind ${MOUNT_PATH}/etc/ssl/private/router@maddes.home.key.protected.dd-wrt /etc/privkey.pem
#
if [ -n "${HTTPD_PIDS}" ]; then
   echo Starting HTTPD
   startservice httpd
fi

Explanation:
  • My scripts for download (use browser's "Save as..." to keep Unix/Linux end-of-lines (EoL))
  • The last block does the binding of the new certificate and keys. The grep prevents these files from being bound multiple times and/or overwriting an existing bind.
    All other commands of the script are not related to this topic.
    Update: Adopted HTTPD service check from "DerLexus" below. There can be multiple pids for httpd which will not work with his "-gt" condition.
  • The first two commands just determine where we are currently mounted at (/jffs, /mnt, etc.).
  • If configuring the router from Windows, then always make sure that all your scripts and text files have Unix/Linux line endings (EoL) = linefeed (LF), and not DOS/Windows EoL = LF + CR.


Last edited by maddes.b on Thu Mar 27, 2014 11:46; edited 16 times in total
DerLexus
DD-WRT Novice


Joined: 07 Jul 2006
Posts: 8

PostPosted: Wed Oct 19, 2011 13:16    Post subject:
I've played a little bit too, here is my solution:

First, it's important that your certificate is created using SHA-1. I used 2048 bits, and the key.pem must be an RSA key. You can check this by looking at the key.pem file: it must have RSA on the top line. If not:

Code:
# re-encode the private key as a plain RSA key; on OpenSSL 3 add -traditional
# so the output keeps the "BEGIN RSA PRIVATE KEY" header
mv key.pem origkey.pem
openssl rsa -in origkey.pem -out key.pem

I modified the script from maddes.b to restart the httpd service; without that, the keys get rebound but the server was started before, maybe because I use a USB memory stick for the script and USB is too slow.

Code:
#!/bin/sh

# only act when HTTPS is enabled; default to 0 if the nvram variable is unset
HTTPS_ENABLE=`nvram get https_enable`
if [ "${HTTPS_ENABLE:-0}" -gt 0 ] ; then

        # get the absolute directory of the executable
        SELF_PATH=$(cd -P "$(dirname "$0")" && pwd -P)

        # extract the mount path
        MOUNT_PATH=`echo ${SELF_PATH} | cut -d / -f1-2`

        # do binds
        for BIND_PATH in '/jffs' ; do
           echo Binding ${BIND_PATH}
           if [ "${MOUNT_PATH}" != "${BIND_PATH}" ]; then
                grep -q -e "${BIND_PATH}" /proc/mounts || mount -o bind ${MOUNT_PATH}${BIND_PATH} ${BIND_PATH}
           fi
        done

        HTTPS_RESET=0

        # the original test was `pidof httpd` -gt 0, which breaks when pidof
        # prints several pids (or none); test for a non-empty result instead
        if [ -n "`pidof httpd`" ]; then
                stopservice httpd
                HTTPS_RESET=1
        fi

        echo Binding HTTPS certificate
        grep -q -e "/etc/cert.pem" /proc/mounts || mount -o bind ${MOUNT_PATH}/etc/cert.pem /etc/cert.pem
        grep -q -e "/etc/key.pem" /proc/mounts || mount -o bind ${MOUNT_PATH}/etc/key.pem /etc/key.pem
        grep -q -e "/etc/privkey.pem" /proc/mounts || mount -o bind ${MOUNT_PATH}/etc/privkey.pem /etc/privkey.pem

        if [ "$HTTPS_RESET" = "1" ]; then
                startservice httpd
                unset HTTPS_RESET
        fi
fi
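Putting together Hamy's pointer to gencert.sh and DerLexus' requirements (key.pem must be a plain RSA key, cert.pem must be signed for it, privkey.pem is the passphrase-protected copy), here is an added example of generating the three-file set with OpenSSL and checking it before it is copied to /jffs/ssl or bind-mounted over /etc. This is not code from the thread, from DD-WRT's gencert.sh, or from the user-cert.startup attachment. The hostname router.example.lan, the address 192.168.1.1 and the ROUTER_KEY_PASS default are assumptions. The digest defaults to sha256 because current browsers reject SHA-1 signatures; pass sha1 as the sixth argument only if an old httpd build insists on it, as DerLexus reports for his.

```shell
#!/bin/sh
# Added example, not code from the thread or from DD-WRT's gencert.sh.
# Generates the three files DD-WRT's httpd looks for (key.pem, privkey.pem,
# cert.pem) and checks them before they go to /jffs/ssl or get bind-mounted.
# Assumed: hostname router.example.lan, address 192.168.1.1, and the
# ROUTER_KEY_PASS default used to protect privkey.pem.
set -eu

# gen_router_cert DIR CN IP [BITS] [DAYS] [DIGEST]
gen_router_cert() {
    dir=$1; cn=$2; ip=$3
    bits=${4:-2048}; days=${5:-3650}; digest=${6:-sha256}
    pass=${ROUTER_KEY_PASS:-dd-wrt-temp}   # assumption: any passphrase works here
    mkdir -p "$dir"

    (umask 077; openssl genrsa -out "$dir/key.tmp" "$bits" 2>/dev/null)

    # key.pem must carry the PKCS#1 "BEGIN RSA PRIVATE KEY" header (the check
    # DerLexus describes). OpenSSL 3 writes PKCS#8 unless told -traditional,
    # an option older releases reject, hence the fallback.
    (umask 077
     openssl rsa -in "$dir/key.tmp" -out "$dir/key.pem" -traditional 2>/dev/null ||
     openssl rsa -in "$dir/key.tmp" -out "$dir/key.pem" 2>/dev/null)

    # privkey.pem: the same key, passphrase-protected with AES-256
    (umask 077
     openssl rsa -in "$dir/key.pem" -aes256 -passout "pass:$pass" \
         -out "$dir/privkey.pem" 2>/dev/null)

    # Self-signed server certificate with a SAN, which is what browsers match
    # against the URL host; a CSR for a company CA would use the same config.
    cat > "$dir/req.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3
[dn]
CN = $cn
[v3]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
subjectAltName = DNS:$cn,IP:$ip
EOF
    openssl req -new -x509 -key "$dir/key.pem" -out "$dir/cert.pem" \
        -days "$days" "-$digest" -config "$dir/req.cnf" 2>/dev/null
    rm -f "$dir/key.tmp" "$dir/req.cnf"
}

# key_is_rsa_pem FILE: the first line must name an RSA key
key_is_rsa_pem() {
    [ "$(head -n 1 "$1")" = "-----BEGIN RSA PRIVATE KEY-----" ]
}

# privkey_is_encrypted FILE: an unprotected key must not ship as privkey.pem
privkey_is_encrypted() {
    grep -q ENCRYPTED "$1"
}

# cert_matches_key CERT KEY: same modulus on both sides; a mismatched pair
# leaves httpd unable to serve HTTPS after the restart
cert_matches_key() {
    [ "$(openssl x509 -noout -modulus -in "$1")" = \
      "$(openssl rsa -noout -modulus -in "$2")" ]
}

# cert_has_name CERT NAME: the SAN must carry the name the browser will check
cert_has_name() {
    openssl x509 -noout -text -in "$1" | grep -q "DNS:$2"
}

# verify_cert_set DIR: all checks on a directory laid out like /jffs/ssl.
# Run this on the router before stopservice/startservice httpd.
verify_cert_set() {
    d=$1
    key_is_rsa_pem "$d/key.pem" &&
    privkey_is_encrypted "$d/privkey.pem" &&
    cert_matches_key "$d/cert.pem" "$d/key.pem" &&
    openssl x509 -noout -checkend 0 -in "$d/cert.pem" >/dev/null
}

# Usage: sh gencert-example.sh /tmp/router-ssl router.example.lan 192.168.1.1
if [ $# -ge 3 ]; then
    gen_router_cert "$1" "$2" "$3"
    verify_cert_set "$1" && echo "certificate set in $1 verified"
fi
```

The verification half is the part worth keeping on the router: a startup script that calls verify_cert_set on /jffs/ssl and only then stops and starts httpd cannot leave the web interface unreachable because of a truncated upload, a key/cert mismatch, or a key saved in the wrong encoding from a Windows editor.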
Woefdram
DD-WRT Novice


Joined: 14 Mar 2012
Posts: 2

PostPosted: Wed Mar 14, 2012 10:16    Post subject: No certificates in firmware image?
I wanted to change the SSL certificates by means of modifying the firmware image for my Linksys WRT320N. Strangely enough, the image I downloaded doesn't seem to contain any certificate...?

I downloaded the initial flash image, as mentioned on http://www.dd-wrt.com/wiki/index.php/Linksys_WRT320N_v1.0

I extracted it with the firmware-mod-kit, as explained on http://www.dd-wrt.com/wiki/index.php/Development

Then, I figured, it would be a simple matter of replacing the 3 .pem files in /rootfs/etc, repacking the image and flashing it onto my router. But no certificates were to be found in the extracted image. A find over the entire rootfs image showed no .pem files anywhere.

What did I miss? I used "extract-ng.sh" instead of "extract_firmware.sh" because the latter bailed out with an error about a missing Makefile. Reading the forum, I understood that "extract-ng.sh" was the successor of "extract_firmware.sh" and tried it. Seemed to work just fine.

Or do I need a different image?

I'm using Debian Squeeze amd64.

Any suggestions? And no, I'm not going to try the jffs way, just doesn't feel right.

Cheers!

Woefdram
Page 1 of 4. All times are GMT.