Note: I shamelessly copied the whole post from Steve Jenkins' blog, due to it being offline and requiring a safe place for this info…
As with all UBNT products, the EdgeMAX EdgeRouter products are not consumer-targeted devices. Ubiquiti makes business-class hardware only… so setting up most of their devices takes at least “pro-sumer” level ability. And with their EdgeRouter products, I recommend some network admin experience via the Linux command line (and at least a quick glance at their EdgeOS CLI Primer).
But if that’s you, and you’re sick of your browser warning you about an invalid certificate when you access your EdgeRouter admin interface, here’s the easy way to install your own custom SSL certificate on an EdgeRouter.
Step 1: Point a FQDN at your Router
Because your browser checks that the certificate matches the hostname and/or domain name of the web server you’re accessing, you need to set up an FQDN (fully qualified domain name) that points at your EdgeRouter. You could do this in a number of ways, depending on how you access your router’s admin interface, and I’ll include a few examples below using hostname.example.com. Of course, you’ll need to use a hostname of your own choosing, as well as an actual domain name for which you have the ability to create certificates at a signing authority. You could just create a self-signed certificate in the EdgeMAX CLI (I’ve done it), but browsers like Chrome still won’t like that. Using a real certificate from a signing authority is what we’re looking to do here.
Example 1: If you only have internal access to your router’s admin GUI (which is the default), and you’re using your EdgeRouter as a local DNS resolver/forwarder (which is common), you can map a hostname to the internal IP of your router with the following command from the EdgeRouter’s CLI (enter configure mode first, then commit and save so the mapping survives a reboot):
# configure
# set system static-host-mapping host-name hostname.example.com inet 192.168.1.1
# commit
# save
# exit
You can test it from the EdgeOS CLI with:
# /bin/ping hostname.example.com
UPDATE: As of EdgeOS 1.8, you can use the DNS host names feature wizard to handle this from the GUI. Put the full FQDN in the Host Name field, ignore the Alias field, put your router’s internal IP address in the IP Address field, then hit Apply.
Example 2: If you’ve got access to the zone file for your domain (or you’re using a hosted DNS service like CloudFlare), you can create an A record for the EdgeRouter’s internal IP address like this:
hostname.example.com. IN A 192.168.1.1
Example 3: If you only access the EdgeRouter from one or two systems on your internal network, you can add an entry to each system’s hosts file and point hostname.example.com to 192.168.1.1. Depending on your system (Windows, Mac, or Linux), your local hosts file location will vary. But I’m guessing that if you know enough to know that you want to use a real signed certificate with your EdgeRouter, you probably know where your local hosts file lives. 🙂
Example 4: This example assumes you’re willing to live with the security risks, and that you’ve opened up the firewall on your EdgeRouter to allow access to the admin interface from the WAN (if you want to do this, I recommend doing it on a non-standard port). It also assumes that you’re running your EdgeRouter on a dynamic IP address (like most home users would) and you’re using a DDNS service to point to your WAN IP (I’ve used Afraid.org since my DD-WRT router days). You won’t have authority to get a signed certificate for a domain name owned by your DDNS provider. So instead, create a CNAME record in the zone file for a domain you do control (like example.com), then point the CNAME record at the FQDN of your DDNS hostname. If your DDNS hostname is ubnt.dyndns.org, create the following CNAME record in the zone file of example.com:
hostname IN CNAME ubnt.dyndns.org.
There are obviously a number of ways to point an FQDN at either the internal (LAN) or external (WAN) IP address of your router, but whatever method you choose, just make sure that when you’re all done, an actual hostname and a domain name you control (or for which you have authority to generate signed certificates) resolves to an IP address that loads your router’s GUI.
Step 2: Generate a Key and Certificate Signing Request on the EdgeRouter
SSH to the CLI on your EdgeRouter, then get super-user privileges with:
$ sudo -i
I like to “cheat” at this part of the process and use DigiCert’s OpenSSL CSR Wizard to generate the OpenSSL command needed to generate the key and certificate signing request files. Start by filling out the Certificate Details:
Once all the details are entered, hit the Generate button to create the OpenSSL command you’ll run from the EdgeRouter’s command line:
Copy the command and paste it into the EdgeRouter CLI as the super-user. Because SHA-1 certificates are set to expire after December 31, 2017, I recommend manually adding the -sha256 flag to the command to make sure your certificate is up-to-date.
# openssl req -sha256 -new -newkey rsa:2048 -nodes -out hostname_example_com.csr -keyout hostname_example_com.key -subj "/C=US/ST=Washington/L=Seattle/O=My Company LLC/OU=Network Ops/CN=hostname.example.com"
The output will look something like this:
Generating a 2048 bit RSA private key
......................................................+++
................................................................+++
writing new private key to 'hostname_example_com.key'
-----
Do an ls of the /root/ directory, and you should see two newly created files: hostname_example_com.key (your private key) and hostname_example_com.csr (your certificate signing request).
Step 3: Create the Certificate at your Signing Authority
Display the contents of your newly-created certificate signing request with:
# cat hostname_example_com.csr
Copy the contents of your CSR to your local clipboard, and be sure to include the first and last lines that say BEGIN CERTIFICATE REQUEST and END CERTIFICATE REQUEST.
Log in to the certificate authority of your choice. I like StartSSL, and I use one of their 100% free SSL certificates on my EdgeRouter (I’ve also written a post on how to get a free SSL cert from them for use with TLS in Postfix). Paste the contents of your CSR into your certificate authority’s interface. Once they’ve generated the signed certificate, you can either download the file and then upload it to the /root/ directory of your EdgeRouter, or do what I do: copy the certificate’s contents to the local clipboard, then use vi to create a hostname_example_com.crt file in the EdgeRouter’s CLI, paste the certificate’s contents into the new .crt file, then save and exit. Either way, we’ll assume you can figure out how to get the signed certificate into the /root/ directory (and we’ll assume it’s named hostname_example_com.crt).
Step 4: Merge the Contents of your Key and Certificate File into a .pem file
Back in the EdgeRouter CLI, combine the contents of your private key and the signed certificate into a file called server.pem with:
# cat hostname_example_com.key hostname_example_com.crt > server.pem
Step 5: Back up the Existing .pem file
Make a backup of the existing .pem file located in the EdgeRouter’s web server directory, so it’s easy to restore in case anything goes wrong:
# cp /etc/lighttpd/server.pem /root/server.pem.bak
Step 6: Copy the .pem file to the Web Server Directory
Overwrite the existing server.pem in the EdgeRouter’s web server directory with the new one you just created:
# cp /root/server.pem /etc/lighttpd/server.pem
Step 7: Reboot and Test
In order to start using your new certificate, the EdgeRouter’s web server needs to be restarted. You could reboot the entire router… but you’d lose Internet access for the few minutes it’s down (and anyone watching Netflix in the house while you do that will yell). Instead, since you’re already the super-user, stop the web server with:
# kill -SIGINT $(cat /var/run/lighttpd.pid)
then start it again with:
# /usr/sbin/lighttpd -f /etc/lighttpd/lighttpd.conf
FYI – these same commands will work with sudo if you ever need to restart the EdgeRouter web server while not the super-user.
Now go to your web browser and pull up the EdgeRouter’s admin interface using the FQDN you chose in Step 1 (if you use the IP address, you’ll still get the certificate error). You should no longer receive the warning from your browser, and the https: in your address bar won’t be red, or crossed out, or whatever your browser does to tell you it’s unhappy.
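Steps 4 through 7 as one script, added here as an example and not code from the original post. It refuses to build server.pem from a CSR pasted in place of the signed certificate or from a key that does not belong to the certificate, keeps a timestamped backup, restarts lighttpd, and checks the result over TLS. Paths and commands are the post’s; the function names and the timestamped backup file name are my own assumptions.

```shell
#!/bin/sh
# Hypothetical helper (not from the original post): Steps 4 to 7 with sanity checks.

# pem_block_ok FILE MARKER: succeed if FILE holds exactly one BEGIN/END pair for MARKER
pem_block_ok() {
    [ "$(grep -c -- "-----BEGIN $2-----" "$1")" -eq 1 ] &&
    [ "$(grep -c -- "-----END $2-----" "$1")" -eq 1 ]
}

# build_server_pem KEY CRT OUT: write KEY then CRT to OUT (lighttpd wants the key first)
build_server_pem() {
    key=$1 crt=$2 out=$3
    # A CSR pasted in place of the signed certificate is an easy Step 3 mistake.
    if grep -q -- "BEGIN CERTIFICATE REQUEST" "$crt"; then
        echo "error: $crt is a certificate request, not a signed certificate" >&2
        return 1
    fi
    pem_block_ok "$crt" CERTIFICATE || { echo "error: $crt is not one PEM certificate" >&2; return 1; }
    pem_block_ok "$key" "PRIVATE KEY" || pem_block_ok "$key" "RSA PRIVATE KEY" ||
        { echo "error: $key is not a PEM private key" >&2; return 1; }
    command -v openssl >/dev/null 2>&1 || { echo "error: openssl not found" >&2; return 1; }
    # Refuse a pair whose public keys differ (wrong file, or a cert issued for another CSR).
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || { echo "error: cannot read $key" >&2; return 1; }
    crt_pub=$(openssl x509 -in "$crt" -pubkey -noout 2>/dev/null) || { echo "error: cannot read $crt" >&2; return 1; }
    [ "$key_pub" = "$crt_pub" ] || { echo "error: $key does not match $crt" >&2; return 1; }
    cat "$key" "$crt" > "$out" && chmod 600 "$out"
}

# install_server_pem PEM: timestamped backup, install, restart lighttpd (Steps 5 to 7)
install_server_pem() {
    cp /etc/lighttpd/server.pem "/root/server.pem.bak.$(date +%Y%m%d%H%M%S)" || return 1
    cp "$1" /etc/lighttpd/server.pem || return 1
    kill -INT "$(cat /var/run/lighttpd.pid)" && sleep 1
    /usr/sbin/lighttpd -f /etc/lighttpd/lighttpd.conf
}

# verify_tls HOST: confirm HOST serves a chain that validates for that name
# (-verify_hostname needs OpenSSL 1.1.0 or newer on the machine running the check)
verify_tls() {
    openssl s_client -connect "$1:443" -servername "$1" -verify_hostname "$1" \
        </dev/null 2>/dev/null | grep -q "Verify return code: 0 (ok)"
}

# Usage on the router, as the super-user:
# build_server_pem /root/hostname_example_com.key /root/hostname_example_com.crt /root/server.pem &&
#     install_server_pem /root/server.pem && verify_tls hostname.example.com
```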
Congratulations! You just installed a valid SSL certificate for the admin interface in your EdgeMAX EdgeRouter!
Your questions, comments, and feedback are welcome below!