Custom TLS SSL certificate

  • TLS (the successor of SSL) is the only secure protocol that is used, but in combination with certificates the term SSL is still used very often.
  • Basic knowledge about TLS-certificates is required, this document expects a certain level of familiarity with TLS and X.509 certificates.
  • Only domains with one subdomain are supported, like hotspot.mywifi.net (no domains without a subdomain or multiple sub-subdomains)
  • Intermediate certificates have to be appended to the CA file.

Supported formats

  • Certificates have to be in PEM format. Other formats have to be converted upfront.
  • The key file must not be password protected.

Using a custom certificate

Navigate to Network / Settings and click on the tab Custom certificates. Select New certificate … and choose all three needed files (in PEM format) and click one of the Upload buttons. If the certificate matches the uploaded CA and is valid this is shown after the upload.

image

This new certificate/domain can be selected for the Office-LAN and/or Surf-LAN. Click on the corresponding tab and select it under Host- and Domainname.

image

Certificate chain

Order matters!

  1. Begin with the first intermediate certificate
  2. add the next (if any)
  3. and finally add the root CA at the bottom

Format of cert.ca

-----BEGIN CERTIFICATE-----
Intermediate 1 - this is the intermediate certificate that has signed your certificate
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Intermediate 2 - this is the second intermediate certificate that has signed "Intermediate 1"
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Root CA - the final root CA that signed "Intermediate 2"
-----END CERTIFICATE-----

Wildcard

If you have a wildcard certificate, an additional text field for the subdomain is shown in front of the certificate selection.

image

Finally click on Save and reboot the system.

CSR Generator

Certificate Signing Requests can be created with the builtin CSR Generator.
A CSR is required in order to obtain a valid certificate from a CA.

The use of our CSR Generator is optional and can be used instead of openssl or other tools.

Make sure to safekeep all of the generated data, especially the key file.
After the CSR generation the request needs to be signed by a CA (Certificate Authority).

The CA will sign and return a new certificate, which can uploaded as shown above.

Automated Certificate Renewal - ACME

ACME stands for Automated Certificate Management Environment and was invented by Let’s Encrypt, which offers domain validated certificates for free. There are also more and more commercial Certificate Authorities adapting to this standard. Right now the IACBOX does not support the automated renewal, but this will change in 2025.

Announcement

ACME support is now on the roadmap for v24 as the Browser/CA forum decided in April 2025 to reduce the lifetime of certificates to

  • 200 days on March 2026.
  • 100 days on March 2027.
  • 47 days on March 2029.

Planned features

  • ACME client: Support the ACME DNS challenge to be able to renew certificates, although the IACBOX is not reachable from the internet.
  • Batch-API: New endpoint to upload certificates after the (centralized) renewal was made on other servers.

Certificate update

  • The certificate for the default domain (hotspot.internet-for-guests.com) is automatically updated via online update (nothing changes there).
  • White Label Partners are advised to delegate the certificate renewal to us, so any number of systems can be updated automatically via our update servers. This can be done via a special DNS CNAME record like: _acme-challenge.yourdomain.com pointing to our renewal service. Please get in touch with us to get the details.

White label partners

For white label partners, we’re offering a service that updates the needed custom certificates via our central update servers. This hides the full complexity of this topic. If you are interested in becoming a white label partner get in touch with us.

← NTP-Service
Routing Mode →