[ASUSWRT] Use Pixelserv CA to issue a certificate for WebGUI
I've fallen far behind on asuswrt and/or merlin variants (circa Mar 2018). I've heard that RT-AC88U and RT-AC5300 support Let's Encrypt in firmware. As a pixelserv-tls user, you have a similar feature for free, and debatably in a more elegant way.
Upon pixelserv-tls installation, it is recommended that you generate a Pixelserv CA certificate and import this CA cert into your client devices. The detailed steps are documented here. If you're using an app that integrates pixelserv-tls, you may also follow its operations to have your CA cert generated.
Your Pixelserv CA is unique and solely owned by you. It is very powerful too. Once it is imported on and trusted by your client devices, any certificate issued by your CA is also trusted (without accepting exceptions for invalid certs). Hence, it comes in handy to use your CA cert to issue a server cert for WebGUI.
After each firmware upgrade, if your NVRAM or /jffs partition is erased due to factory resets, a new certificate will be automatically generated by WebGUI. You'll be prompted about invalid certs, and you have to import this cert or grant an exception for it on your client devices. This is a totally unnecessary hassle for pixelserv-tls users.
Recent Firefox (v59) does not trust any self-signed certs. The only way to get a green padlock is to import a CA cert and use that CA cert to generate a server cert for WebGUI. That's exactly where pixelserv-tls excels, and pixelserv-tls has empowered users to do so since its initial release.
To make life easier for less tech-savvy users of ASUSWRT, a helper script has been developed to automate the process. Simply re-run the script after a firmware upgrade. Note that re-running the script does no harm. If you see any cert error, feel free to run the script again. Below is the one-liner script:
$ sh -c "$(wget -qO - https://kazoo.ga/pixelserv-tls/config-webgui.sh)"
The script will guide you through the process and
- allow you to choose your DDNS or router.asus.com for accessing WebGUI
- use your Pixelserv CA in /opt/var/cache/pixelserv to issue a server cert to WebGUI
- configure WebGUI with the new certificate
- let you test before confirming work
- let you revert to old certificate if test fails
Output of a sample run: https://pastebin.com/AyF9Q7Km
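The issuance described above, reduced to plain openssl calls as an added example; it is not the project's config-webgui.sh and does not reproduce what that script does. The function names, the file names (ca.key, ca.crt, cert.pem) and the throwaway demo CA standing in for a real Pixelserv CA are all assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not config-webgui.sh. The CA is a constructed throwaway.

# make_demo_ca DIR: create a demo CA (ca.key, ca.crt) in DIR.
make_demo_ca() {
    cat > "$1/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[dn]
CN = Constructed Demo CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -config "$1/ca.cnf" -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

# issue_webgui_cert CA_DIR HOST OUT_DIR: CA-signed server cert for HOST.
issue_webgui_cert() {
    ca_dir=$1; host=$2; out=$3
    # Clients match the hostname against subjectAltName, so it must be set.
    cat > "$out/server.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = $host
[ext]
subjectAltName = DNS:$host
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
EOF
    openssl req -new -newkey rsa:2048 -nodes -config "$out/server.cnf" \
        -keyout "$out/key.pem" -out "$out/csr.pem" 2>/dev/null || return 1
    openssl x509 -req -in "$out/csr.pem" -sha256 -days 365 \
        -CA "$ca_dir/ca.crt" -CAkey "$ca_dir/ca.key" -CAcreateserial \
        -extfile "$out/server.cnf" -extensions ext -out "$out/cert.pem" 2>/dev/null
}

# check_webgui_cert CA_CRT CERT HOST: succeeds only if CERT chains to
# CA_CRT and names HOST, the two things a client checks.
check_webgui_cert() {
    openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
}
```

Run the functions against a scratch directory, for example `make_demo_ca "$d"`, then `issue_webgui_cert "$d" router.asus.com "$d"`, then `check_webgui_cert "$d/ca.crt" "$d/cert.pem" router.asus.com`. The check fails for any other hostname or for a CA the client has not imported.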