Change SSL cert for HTTPS certificates

DD-WRT Forum Index -> Contributions Upload
Woefdram
DD-WRT Novice


Joined: 14 Mar 2012
Posts: 2

Posted: Tue Mar 20, 2012 21:20
Tried it on Wheezy too, but then it won't even correctly extract the firmware. Only complains that it failed, nothing more...

Anyone still reading this thread? Please, one or two hints...

Cheers,

Woefdram
tjcravey
DD-WRT Novice


Joined: 07 Jun 2012
Posts: 1

Posted: Thu Jun 07, 2012 11:50
I managed to get this to work on the VPN firmware with only a startup script. No need for JFFS or anything. Just put this in the Commands box on the Administration/Commands tab and click Save Startup. Replace the Xs with your actual keys/certs, of course.

Code:

mkdir /tmp/ssl

# Passphrase-protected private key (legacy PEM with Proc-Type/DEK-Info headers)
echo "-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,E510E0F0B0685BF8

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
-----END RSA PRIVATE KEY-----" > /tmp/ssl/privkey.pem

# Unencrypted private key
echo "-----BEGIN RSA PRIVATE KEY-----
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
-----END RSA PRIVATE KEY-----" > /tmp/ssl/key.pem

# Server certificate
echo "-----BEGIN CERTIFICATE-----
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
-----END CERTIFICATE-----" > /tmp/ssl/cert.pem

# Keys readable by root only
chmod 0600 /tmp/ssl/privkey.pem
chmod 0600 /tmp/ssl/key.pem

# Overlay the firmware's built-in files with ours (no flash write needed)
mount -o bind /tmp/ssl/cert.pem /etc/cert.pem
mount -o bind /tmp/ssl/privkey.pem /etc/privkey.pem
mount -o bind /tmp/ssl/key.pem /etc/key.pem

# Restart the web server so it loads the new certificate and key
stopservice httpd
startservice httpd
skipper.dk
DD-WRT Novice


Joined: 16 Jul 2007
Posts: 13
Location: Denmark Copenhagen

Posted: Wed Jul 18, 2012 12:04
Very interesting, tjcravey.

I want to use a free (1 year) SSL cert from https://www.Startssl.com

The cert I made from this tutorial: http://forum.synology.com/enu/viewtopic.php?f=36&t=21704&hilit=startssl&sid=e53d7e2c2c54da4a239620c83f8e3f36

From that process I got a

certificate signing request *.csr

private key (with or without password) *.key

StartSSL signed certificate file ssl.csr

the enc is

The key is a sha1RSA (DHE_RSA)

Pub key is RSA (2048 bit)

What is the difference between the key.pem and the privkey.pem?

What should I change the following lines to?
tjcravey wrote:
------------snip---------
Code:

echo "-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,E510E0F0B0685BF8

------------snip---------


greetings //skipper.dk

_________________
1 Asus RT-N16 with DD-WRT v24-sp2 (08/12/10) mega - build 14929
1 Asus WL-500g Premium with DD-WRT v24-sp2 (08/12/10) mega - build 14929

1 Synology ds101g+ with ds109 firmware and optware running..
1 Synology DS101 bricked
1 Synology DS409 optware running..
maddes.b
DD-WRT Novice


Joined: 27 Dec 2007
Posts: 36

Posted: Wed Jul 18, 2012 17:03    Post subject: NVRAM vs. /jffs mounts
@tjcravey:
NVRAM is very limited, so when you extend your configuration further, then you will hit its limit sooner or later (just some KiB, depending on the hardware).
When you use a stronger key with more bits you will enter an even longer string, again getting closer to the NVRAM limit.
Update: If you overfill the NVRAM of your router it may get "semi-bricked". Then you have to try to reset your configuration somehow.

Therefore most people use /jffs with
either A) the rest of the flash (at least several KiB, mostly 1 MiB or more, depending on the hardware)
or B) a cheap USB stick with several GiB

People heavily working with their config prefer USB sticks to avoid wearing out the router flash (some thousand writes, as always depending on your hardware).
Additionally, just unplug the USB stick and you are close to DD-Wrt's initial state.

Using NVRAM is still a valid option (as is modifying the firmware image as Woefdram wants to).

Just for your information
Maddes


Last edited by maddes.b on Tue Feb 24, 2015 17:23; edited 5 times in total
maddes.b
DD-WRT Novice


Joined: 27 Dec 2007
Posts: 36

Posted: Wed Jul 18, 2012 17:11
skipper.dk wrote:
What is the difference between the key.pem and the privkey.pem?


Did you already compare them? Either manually or with a tool (like diff)?
Did you use OpenSSL to look into the keys? (openssl rsa -in <keyfile> -noout -text)
skipper.dk
DD-WRT Novice


Joined: 16 Jul 2007
Posts: 13
Location: Denmark Copenhagen

Posted: Wed Jul 18, 2012 20:13
maddes.b wrote:
skipper.dk wrote:
What is the difference between the key.pem and the privkey.pem?

Did you already compare them? Either manually or with a tool (like diff)?
Did you use OpenSSL to look into the keys? (openssl rsa -in <keyfile> -noout -text)

Sorry if I was unclear; I was talking about the 2 types in the guide, key.pem and privkey.pem.


tjcravey wrote:
Code:
mkdir /tmp/ssl

echo "-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,E510E0F0B0685BF8

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
-----END RSA PRIVATE KEY-----" > /tmp/ssl/privkey.pem

echo "-----BEGIN RSA PRIVATE KEY-----
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
-----END RSA PRIVATE KEY-----" > /tmp/ssl/key.pem

maddes.b
DD-WRT Novice


Joined: 27 Dec 2007
Posts: 36

Posted: Wed Jul 18, 2012 20:57
skipper.dk wrote:
maddes.b wrote:
skipper.dk wrote:
What is the difference between the key.pem and the privkey.pem?

Did you already compare them? Either manually or with a tool (like diff)?
Did you use OpenSSL to look into the keys? (openssl rsa -in <keyfile> -noout -text)

Sorry if I was unclear; I was talking about the 2 types in the guide, key.pem and privkey.pem.

In DD-Wrt it is the same key: privkey.pem is encrypted (password protected) and key.pem is not.
Just look at src/router/httpd/gencert.sh.
Note that privkey.pem and cert.csr are meant to be temporary but are not deleted in the current versions (see last line of script).
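As an added example (not code from maddes.b's post or from DD-WRT's gencert.sh): a busybox-sh check that tells the two key files apart by their PEM headers before anything is copied to the router, plus the openssl step that turns a passphrase-protected privkey.pem into the unencrypted key.pem that httpd can load. The sample files are constructed with placeholder bodies and a placeholder DEK-Info value, not real key material.

```shell
#!/bin/sh
# Classify a PEM file the way DD-WRT's httpd will experience it. privkey.pem
# carries the legacy "Proc-Type: 4,ENCRYPTED" / "DEK-Info:" headers and needs a
# passphrase; key.pem is the same key without them, which is what httpd loads.
# pem_kind FILE prints one of: encrypted-key, plain-key, certificate, unknown.
pem_kind() {
    if grep -q '^-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1"; then
        echo encrypted-key        # PKCS#8, passphrase-protected
    elif grep -q '^Proc-Type: 4,ENCRYPTED' "$1"; then
        echo encrypted-key        # legacy PEM with DEK-Info, like privkey.pem
    elif grep -qE '^-----BEGIN (RSA |EC )?PRIVATE KEY-----' "$1"; then
        echo plain-key            # unencrypted, what /etc/key.pem must be
    elif grep -q '^-----BEGIN CERTIFICATE-----' "$1"; then
        echo certificate
    else
        echo unknown
    fi
}

# strip_passphrase IN OUT: derive an unencrypted key.pem from a protected
# privkey.pem (openssl prompts for the passphrase), then lock the file down.
strip_passphrase() {
    openssl rsa -in "$1" -out "$2" && chmod 0600 "$2"
}

# Constructed sample files with placeholder bodies (not real key material).
DEMO=$(mktemp -d)
printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
    'DEK-Info: DES-EDE3-CBC,0123456789ABCDEF' '' 'XXXXXXXX' \
    '-----END RSA PRIVATE KEY-----' > "$DEMO/privkey.pem"
printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'XXXXXXXX' \
    '-----END RSA PRIVATE KEY-----' > "$DEMO/key.pem"
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'XXXXXXXX' \
    '-----END CERTIFICATE-----' > "$DEMO/cert.pem"
printf 'some notes\n' > "$DEMO/notes.txt"

# Only a plain-key file is usable as /etc/key.pem.
for f in privkey.pem key.pem cert.pem notes.txt; do
    printf '%-12s %s\n' "$f" "$(pem_kind "$DEMO/$f")"
done
```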
skipper.dk
DD-WRT Novice


Joined: 16 Jul 2007
Posts: 13
Location: Denmark Copenhagen

Posted: Wed Jul 18, 2012 21:52
maddes.b wrote:
In DD-Wrt it is the same key: privkey.pem is encrypted (password protected) and key.pem is not.
Just look at src/router/httpd/gencert.sh.
Note that privkey.pem and cert.csr are meant to be temporary but are not deleted in the current versions (see last line of script).

OK, thanks, I got both.

brantdk
DD-WRT Novice


Joined: 04 Oct 2006
Posts: 11

Posted: Thu Aug 16, 2012 14:58
tjcravey wrote:
I managed to get this to work on the VPN firmware with only a startup script. No need for JFFS or anything. Just put this in the Commands box on the Administration/Commands tab and click Save Startup. Replace the Xs with your actual keys/certs, of course.

Code:

mkdir /tmp/ssl

echo "-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,E510E0F0B0685BF8

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
-----END RSA PRIVATE KEY-----" > /tmp/ssl/privkey.pem

echo "-----BEGIN RSA PRIVATE KEY-----
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
-----END RSA PRIVATE KEY-----" > /tmp/ssl/key.pem

echo "-----BEGIN CERTIFICATE-----
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
-----END CERTIFICATE-----" > /tmp/ssl/cert.pem

chmod 0600 /tmp/ssl/privkey.pem
chmod 0600 /tmp/ssl/key.pem

mount -o bind /tmp/ssl/cert.pem /etc/cert.pem
mount -o bind /tmp/ssl/privkey.pem /etc/privkey.pem
mount -o bind /tmp/ssl/key.pem /etc/key.pem

stopservice httpd
startservice httpd


WOW, this works for me!!! I use a StartSSL cert, followed your instructions, and rebooted the router.

Thanks for the tip, and by the way, they are not in pem format. Just copy the keys over like you posted in your guide.
brantdk
DD-WRT Novice


Joined: 04 Oct 2006
Posts: 11

Posted: Mon Aug 20, 2012 7:10
OK... ran into a problem... This method works from LAN to WAN but it doesn't work when I am outside the network. This means from Internet to WAN.
maddes.b
DD-WRT Novice


Joined: 27 Dec 2007
Posts: 36

Posted: Mon Aug 20, 2012 16:44
@brantdk:
According to your previous posts the SSL certificate replacement worked.
Not being able to connect from the Internet is off-topic, please create a separate thread for this issue.
I recommend searching the forum and wiki for something like "accessing DD-Wrt from Internet via HTTPS" and I think you will find some answers about firewall/iptables.
If still in doubt provide some more information in the new thread.
You can edit your previous post and add a link to the new thread.
Additionally keep in mind that you may have to use a multi-domain certificate as you connect via different DNS names (e.g. brantdk.dyndns.org, router.lan, 192.168.1.1, etc.).

Good luck
Maddes
thetrain
DD-WRT Novice


Joined: 13 Nov 2006
Posts: 6

Posted: Tue Oct 23, 2012 0:17
Worked perfectly for me (tjcravey's startup script method)
and solves the problem with Microsoft's new patch that restricts usage of keys less than 1024 bits.

For some reason, BrainSlayer keeps the built-in key to only 512 bits?.. but I digress.
hceuterpe
DD-WRT Novice


Joined: 03 May 2011
Posts: 18

Posted: Sat Apr 27, 2013 22:37
You don't need to create and echo the privkey.pem file:
echo "-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,E510E0F0B0685BF8

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
-----END RSA PRIVATE KEY-----" > /tmp/ssl/privkey.pem


Nor do you need these:
chmod 0600 /tmp/ssl/privkey.pem
mount -o bind /tmp/ssl/privkey.pem /etc/privkey.pem

HTTP doesn't ever reference the privkey.pem file, just the RSA private key file (key.pem). I just tried it and it works fine with just key.pem and cert.pem.
maddes.b
DD-WRT Novice


Joined: 27 Dec 2007
Posts: 36

Posted: Sun Apr 28, 2013 17:29
Correct, you don't need privkey.pem and cert.csr as already written above.
sconstantine
DD-WRT Novice


Joined: 01 Feb 2012
Posts: 13

Posted: Fri Feb 28, 2014 6:13
I have used this fantastic customization for the last few years (I chose the jffs/startup method), however just replaced my router and with a newer model (& a newer kernel) I cannot get this to work anymore. Anyone have any help, explanation, or even if this is a known limitation (without a recompile)?

I'm running DD-WRT v24-sp2, Kernel Version Linux 3.10.25.

In /jffs/etc/config/binds_on_mount.startup:
Quote:
echo Binding HTTPS certificate
grep -q -e "/etc/host.pem" /proc/mounts || mount -o bind ${MOUNT_PATH}/etc/host.pem /etc/host.pem
grep -q -e "/etc/cert.pem" /proc/mounts || mount -o bind ${MOUNT_PATH}/etc/my_certificate.pem /etc/cert.pem
grep -q -e "/etc/key.pem" /proc/mounts || mount -o bind ${MOUNT_PATH}/etc/my_key.pem /etc/key.pem
grep -q -e "/etc/privkey.pem" /proc/mounts || mount -o bind ${MOUNT_PATH}/etc/my_privkey.pem /etc/privkey.pem

stopservice httpd
startservice httpd


...and I have the following in /jffs/etc/:
    host.pem
    cert.pem
    key.pem
    privkey.pem


Many thanks for your help and input!!!
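A defensive version of the bind-on-startup approach used in tjcravey's and sconstantine's posts, added here as an example and not code from either post: it matches the mount-point field exactly when checking /proc/mounts, refuses to bind a missing or empty source or a target the firmware does not ship, and checks that the key matches the certificate when openssl is available. File names under /jffs/etc follow the post above; `stopservice`/`startservice` are the DD-WRT commands used throughout the thread.

```shell
#!/bin/sh
# Idempotent, checked bind mounts for a custom HTTPS certificate on DD-WRT.
# Assumes busybox sh, source files under $SRC_DIR (names as in the post above)
# and that the firmware already ships /etc/cert.pem and /etc/key.pem, since a
# bind mount needs an existing target file.
SRC_DIR="${SRC_DIR:-/jffs/etc}"

# is_bound TARGET [MOUNTS]: true if TARGET is already a mount point. Compares
# the whole mount-point field, so /etc/key.pem never matches /etc/privkey.pem.
is_bound() {
    awk -v t="$1" '$2 == t { found = 1 } END { exit !found }' "${2:-/proc/mounts}"
}

# source_ok FILE HEADER: FILE is non-empty and carries the PEM header HEADER.
source_ok() {
    [ -s "$1" ] && grep -q "^-----BEGIN $2-----" "$1"
}

# bind_file SRC DST HEADER: bind SRC over DST once. Returns 0 on success or
# when already bound, 1 when refused or failed; mounts nothing unless every
# check passes.
bind_file() {
    src="$1"; dst="$2"; hdr="$3"
    source_ok "$src" "$hdr" || { echo "refusing: $src missing, empty or not a $hdr PEM" >&2; return 1; }
    [ -e "$dst" ] || { echo "refusing: target $dst does not exist in this firmware" >&2; return 1; }
    if is_bound "$dst"; then echo "$dst already bound, skipping"; return 0; fi
    mount -o bind "$src" "$dst"
}

# key_fits_cert KEY CERT: the RSA moduli must agree. Empty output from a
# failed openssl call must not count as a match. Skipped without openssl.
key_fits_cert() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found, skipping pair check" >&2; return 0; }
    k=$(openssl rsa -noout -modulus -in "$1") && c=$(openssl x509 -noout -modulus -in "$2") \
        && [ -n "$k" ] && [ "$k" = "$c" ]
}

main() {
    key_fits_cert "$SRC_DIR/my_key.pem" "$SRC_DIR/my_certificate.pem" \
        || { echo "key does not match certificate, aborting" >&2; return 1; }
    bind_file "$SRC_DIR/my_certificate.pem" /etc/cert.pem CERTIFICATE || return 1
    bind_file "$SRC_DIR/my_key.pem" /etc/key.pem "RSA PRIVATE KEY" || return 1
    stopservice httpd
    startservice httpd
}

# Only act when invoked with "run" (e.g. from a .startup script); sourcing
# the file merely defines the functions.
if [ "${1:-}" = run ]; then main; fi
```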


Page 2 of 4
All times are GMT