Custom SSL certificates

Eric Sauvageau edited this page Jun 29, 2017 · 1 revision

Web interface (HTTPS support)

Starting with 380.67, Asuswrt-Merlin can use your own SSL certificate to secure the management webui. This can be useful if you generate your certificate using your own CA, which you have installed on your client devices, or if you obtain a valid certificate from a known CA.

To do so, you must first enable persistent certificate support on the Administration -> System page. Under the Web Interface section, make sure that the Authentication Method is set to either HTTPS or Both. Then set Use persistent certificate to Yes and press Apply.

Now, your router is going to use a self-signed certificate, and store it on the JFFS partition. The next step is to connect to your router over SSH or SCP, then store your own key and certificate files into the /jffs/ssl/ directory. There should already be a key.pem and cert.pem file there, which are the key and self-signed certificate generated by your router. Replace these two with yours. They must be in PEM format, which looks something like this:

-----BEGIN CERTIFICATE-----
a series of random characters
on multiple lines
-----END CERTIFICATE-----

Then, restart the router's web server to make it use the newly provided certificate. Run the following command over SSH:

service restart_httpd

After that, if you access your router over HTTPS (don't forget to specify the port, which by default will be 8443), it should be using your new certificate.

FTP server (TLS support)

You can also provide your own key/cert for the FTP server. They must also be stored under /jffs/ssl/ and named ftp.key and ftp.crt.
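
The following script is an added example, not part of the original wiki or the firmware. Run it on your workstation before copying a pair to /jffs/ssl/ (as key.pem and cert.pem, or as ftp.key and ftp.crt): it checks that both files are PEM, that the private key belongs to the certificate, and that the certificate has not expired. It assumes the openssl command-line tool is installed; the function name check_pair and its return codes are this example's own.

```shell
#!/bin/sh
# Added example (not from the wiki): sanity-check a key/certificate pair
# before copying it to /jffs/ssl/ on the router.
# Requires the openssl command-line tool.

# check_pair KEY CERT
# returns 0 = usable, 1 = not PEM, 2 = key and cert do not match, 3 = expired
check_pair() {
    key=$1
    cert=$2

    # Both files must carry PEM armor; DER or PKCS#12 files will not have it.
    grep -q -e '^-----BEGIN CERTIFICATE-----' "$cert" 2>/dev/null || {
        echo "$cert: no PEM certificate found" >&2; return 1; }
    grep -q -e '^-----BEGIN .*PRIVATE KEY-----' "$key" 2>/dev/null || {
        echo "$key: no PEM private key found" >&2; return 1; }

    # Derive the public key from each file and compare the two.
    # "-passin pass:" makes openssl fail instead of prompting on an encrypted key.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || cert_pub=""
    key_pub=$(openssl pkey -in "$key" -pubout -passin pass: 2>/dev/null) || key_pub=""
    if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "private key does not match the certificate" >&2
        return 2
    fi

    # -checkend 0 exits non-zero if the certificate has already expired.
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1 || {
        echo "$cert: certificate has expired" >&2; return 3; }

    return 0
}

# Stand-alone use: sh check_pair.sh key.pem cert.pem
if [ "$#" -eq 2 ]; then
    check_pair "$1" "$2"
fi
```

Only copy the files to the router and run service restart_httpd once the check returns 0.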
