Custom TLS SSL certificate

  • TLS (the successor of SSL) is the only secure protocol that is used, but in combination with certificates the term SSL is still used very often.
  • Basic knowledge about TLS-certificates is required, this document expects a certain level of familiarity with TLS and X.509 certificates.
  • Only domains with one subdomain are supported, like hotspot.mywifi.net (no domains without a subdomain or multiple sub-subdomains)
  • Intermediate certificates have to be appended to the CA file.

Supported formats

  • Certificates have to be in PEM format. Other formats have to be converted upfront.
  • The key file must not be password protected.

Using a custom certificate

Navigate to Network / Settings and click on the tab Custom certificates. Select New certificate … and choose all three needed files (in PEM format) and click one of the Upload buttons. If the certificate matches the uploaded CA and is valid this is shown after the upload.

image

This new certificate/domain can be selected for the Office-LAN and/or Surf-LAN. Click on the corresponding tab and select it under Host- and Domainname.

image

Certificate chain

Order matters!

  1. Begin with the first intermediate certificate
  2. add the next (if any)
  3. and finally add the root CA at the bottom

Format of cert.ca

-----BEGIN CERTIFICATE-----
Intermediate 1 - this is the intermediate certificate that has signed your certificate
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Intermediate 2 - this is the second intermediate certificate that has signed "Intermediate 1"
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Root CA - the final root CA that signed "Intermediate 2"
-----END CERTIFICATE-----

Wildcard

If you have a wildcard certificate, an additional text field for the subdomain is shown in front of the certificate selection.

image

Finally click on Save and reboot the system.

CSR Generator

Certificate Signing Requests can be created with the builtin CSR Generator.
A CSR is required in order to obtain a valid certificate from a CA.

The use of our CSR Generator is optional and can be used instead of openssl or other tools.

Make sure to safekeep all of the generated data, especially the key file.
After the CSR generation the request needs to be signed by a CA (Certificate Authority).

The CA will sign and return a new certificate, which can uploaded as shown above.

Let’s Encrypt (ACME)

Certificates issued by Let’s Encrypt or any other CA offering ACME (Automated Certificate Management Environment) like ZeroSSL work when uploaded manually, but cannot be updated automatically. Because such certificates are only valid for 90 days this is not practical.

  • Right now, we do not offer the cert-bot needed to automatically renew the certificate every 90 days.
  • Automated domain validation via HTTP requires this domain to be reachable by the affected web server (the DNS entry would need to point to the public IP of that location).
  • In addition, the Surf-LAN web server isn’t accessible from the uplink/Office-LAN side.
  • In most cases, custom domains are used on more than one IACBOX which makes it impossible to use such a domain validation as the DNS entry can not point to all IPs needed.
  • However, for the Office-LAN domain this is not practical as well because the IACBOX usually has no public IP. Port forwarding for 80 and 443 are undesirable due to security reasons. But even if these requirements are met, such a domain could only be used on one system.

Because of all these reasons Let’s Encrypt/ACME isn’t well suited for internal usage.

White label partners

For white label partners, we’re offering a service that updates the needed custom certificates via our central update servers. This hides the full complexity of this topic. If you are interested in becoming a white label partner get in touch with us.

← NTP-Service
Routing Mode →