Custom TLS/SSL certificate

  • TLS (the successor of SSL) is the only secure protocol in use, but in combination with certificates the term SSL is still used very often.
  • Basic knowledge of TLS certificates is required; this document expects a certain level of familiarity with TLS and X.509 certificates.
  • Only domains with exactly one sub-domain are supported, like hotspot.mywifi.net (no domains without a sub-domain and no multiple sub-sub-domains).
  • Intermediate certificates have to be appended to the CA file.

Supported formats

  • Certificates have to be in PEM format. Other formats have to be converted upfront.
  • The key file must not be password protected.

Using a custom certificate

Navigate to Network / Settings and click on the tab Custom certificates. Select New certificate …, choose all three needed files (in PEM format) and click one of the Upload buttons. If the certificate matches the uploaded CA and is valid, this is shown after the upload.

This new certificate/domain can be selected for the Office-LAN and/or Surf-LAN. Click on the corresponding tab and select it under Host- and Domainname.

Certificate chain

Order matters!

  1. Begin with the first intermediate certificate,
  2. add the next one (if any),
  3. and finally add the root CA at the bottom.

Format of cert.ca

-----BEGIN CERTIFICATE-----
Intermediate 1 - this is the intermediate certificate that has signed your certificate
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Intermediate 2 - this is the second intermediate certificate that has signed "Intermediate 1"
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Root CA - the final root CA that signed "Intermediate 2"
-----END CERTIFICATE-----
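As an added example (not part of the original documentation or the IACBOX product), the following Python script checks a certificate set against the rules above before it is uploaded: PEM format, an unencrypted key file, the one-sub-domain hostname rule, and the required order of cert.ca (issuer of your certificate first, each next certificate signing the previous one, self-signed root CA last). The subject/issuer extraction uses the openssl CLI; the three-label reading of the hostname rule and all sample names are assumptions.

```python
"""Pre-upload sanity checks for a custom certificate set (cert, key, cert.ca)."""
import re
import subprocess

PEM_CERT_RE = re.compile(r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S)


def split_pem_certs(text):
    """Return the individual PEM certificate blocks of a file, in file order."""
    return [m.group(0) for m in PEM_CERT_RE.finditer(text)]


def key_is_unencrypted(key_text):
    """The key must not be password protected: reject PKCS#8 'ENCRYPTED PRIVATE KEY'
    headers and legacy 'Proc-Type: 4,ENCRYPTED' PEM keys."""
    first_line = key_text.lstrip().split("\n", 1)[0]
    return "ENCRYPTED" not in first_line and "Proc-Type: 4,ENCRYPTED" not in key_text


def hostname_ok(host):
    """Assumed reading of the rule: exactly one sub-domain, i.e. three DNS labels
    (hotspot.mywifi.net passes; mywifi.net and a.b.mywifi.net do not)."""
    labels = host.lower().strip(".").split(".")
    label_re = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
    return len(labels) == 3 and all(re.fullmatch(label_re, lbl) for lbl in labels)


def subject_issuer(pem):
    """(subject, issuer) of one PEM certificate, read with the openssl CLI."""
    out = subprocess.run(["openssl", "x509", "-noout", "-subject", "-issuer"],
                         input=pem, capture_output=True, text=True, check=True).stdout
    subject, issuer = (line.split("=", 1)[1].strip() for line in out.splitlines()[:2])
    return subject, issuer


def chain_order_problems(leaf, chain):
    """leaf and chain entries are (subject, issuer) pairs; chain is cert.ca in file order.
    Required order: the leaf's issuer first, each next cert signs the previous one,
    and the last cert is a self-signed root CA. Returns a list of problems (empty = OK)."""
    if not chain:
        return ["cert.ca is empty: intermediates and the root CA are required"]
    problems = []
    expected_issuer = leaf[1]
    for i, (subject, issuer) in enumerate(chain, start=1):
        if subject != expected_issuer:
            problems.append(f"cert.ca #{i}: subject '{subject}' is not the required issuer '{expected_issuer}'")
        expected_issuer = issuer          # the next cert must have signed this one
    last_subject, last_issuer = chain[-1]
    if last_subject != last_issuer:
        problems.append(f"cert.ca #{len(chain)}: last certificate is not a self-signed root CA")
    return problems
```

To check real files, call `chain_order_problems(subject_issuer(cert_pem), [subject_issuer(c) for c in split_pem_certs(ca_text)])`.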

Wildcard

If you have a wildcard certificate, an additional text field for the sub-domain is shown in front of the certificate selection.

Finally click on Save. You have to reboot the system to see the new domain and its certificate.

CSR Generator

With the CSR Generator you can generate your own Certificate Signing Request (CSR) on the IACBOX, which is needed to request a new certificate from any CA.

The use of our CSR Generator is optional; it can be used instead of openssl or other tools.

Make sure that you save all the generated data, especially the key file. After generating the CSR, it has to be signed by a CA (certificate authority) of your choice.

The CA will sign and return a new certificate, which can be uploaded as shown above.

Let’s Encrypt (ACME)

Certificates issued by Let’s Encrypt or any other CA offering ACME (Automated Certificate Management Environment), such as ZeroSSL, do work when they are uploaded manually, but they cannot be renewed automatically. Because such certificates are only valid for 90 days, this is not practical.

  • We do not currently support an ACME client such as certbot, which would be needed to renew the certificate automatically every 90 days.
  • Automated domain validation via HTTP needs the affected webserver to be reachable under this domain (your DNS entry would need to point to the public IP of that location).
  • In addition, the Surf-LAN webserver is not accessible from the uplink/Office-LAN side.
  • In most cases custom domains are used on more than one IACBOX, which makes such a domain validation impossible, as the DNS entry cannot point to all the IPs needed.
  • For the Office-LAN domain this is not practical either, because the IACBOX usually has no public IP. Port forwardings for 80 and 443 are not wanted for security reasons. Even if these requirements are met, such a domain could be used on only one system.

For all these reasons, Let’s Encrypt/ACME is not well suited for internal usage.

Whitelabel partners

For whitelabel partners we offer a service that updates the needed custom certificates via our central update servers. This hides the full complexity of this topic. If you are interested in becoming a whitelabel partner, get in touch with us.