Adding user created ssl certificates

shinji257
DD-WRT User


Joined: 02 May 2007
Posts: 222

Posted: Fri Feb 22, 2008 20:25    Post subject: Adding user created ssl certificates
Ok. I am going to be trying to do this via the firmware modification kit; however, I want to try it this way. If I don't then I will have to rebuild the firmware to replace the certificate every year. This is my plan:

After boot and after jffs but before https do the following...

Check for the existence of /jffs/ssl/key.pem and /jffs/ssl/cert.pem

If it doesn't exist then copy /etc/ssl/key.pem and /etc/ssl/cert.pem to /tmp/ssl

If it does exist then copy /jffs/ssl/key.pem and /jffs/ssl/cert.pem to /tmp/ssl

The symlinks will be located at /etc/key.pem and /etc/cert.pem and will point to /tmp/ssl

Unfortunately the copy has to happen each bootup. The main thing is what is the current initialization order of items. Which one loads first? HTTPS or JFFS? Also where is the command that actually starts the https daemon?
shinji257
DD-WRT User


Joined: 02 May 2007
Posts: 222

Posted: Fri Feb 22, 2008 23:01
Ok. I've written preliminary alpha level scripts. It is doing this right now.

Checks to see if https mode is enabled at all. If it is then it proceeds otherwise we don't need to bother.

user-cert.startup
Code:

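#!/bin/sh
# Read an nvram flag, treating an unset (empty) value as 0 so the
# numeric tests below never see an empty operand.
nv() { v=$(nvram get "$1"); echo "${v:-0}"; }

# Only act when the HTTPS web interface is enabled.
if [ "$(nv https_enable)" -gt 0 ] && [ "$(nv httpsd_enable)" -gt 0 ]; then
   # pidof can print nothing or several PIDs, so test its exit status
   # instead of comparing its output as a number.
   if pidof httpd >/dev/null; then
      stopservice httpd
      HTTPS_RESET=1
   fi
   # Start from the certificate and keys shipped in the firmware.
   cp /etc/ssl/cert.pem /tmp/etc/cert.pem
   cp /etc/ssl/key.pem /tmp/etc/key.pem
   cp /etc/ssl/privkey.pem /tmp/etc/privkey.pem
   # Overwrite them with the user's set when JFFS2 is enabled and all
   # three files are present in /jffs/ssl.
   if [ "$(nv enable_jffs2)" -gt 0 ] && [ "$(nv sys_enable_jffs2)" -gt 0 ]; then
      if [ -e /jffs/ssl/cert.pem ] && [ -e /jffs/ssl/key.pem ] && [ -e /jffs/ssl/privkey.pem ]; then
         cp /jffs/ssl/cert.pem /tmp/etc/cert.pem
         cp /jffs/ssl/key.pem /tmp/etc/key.pem
         cp /jffs/ssl/privkey.pem /tmp/etc/privkey.pem
      fi
   fi
   # Restart httpd only if this script stopped it.
   if [ "$HTTPS_RESET" = "1" ]; then
      startservice httpd
      unset HTTPS_RESET
   fi
fi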


EDIT: This script is currently only tested on Eko's Pre-RC7 9081 build. So far it is currently fully working and went through all the different parts as expected. I still need to get my own cert though but that shouldn't be hard.

EDIT2: Ok. Here is the final code. It is all tested. You will either need to build a copy of the firmware with this file located in /etc/config and make it executable or ask me to make one for you and specify which firmware version you want it done on. There is no web interface. Copy your private key (encrypted and non-encrypted version) as well as your signed certificate to /jffs/ssl and it will be found by this script to use.

These files are checked for. I will describe which is which.

privkey.pem -- The encrypted private key
key.pem -- The unencrypted version of the above key
cert.pem -- The signed key from a CA

You can use any number of free certificates if you want or even a self-signed certificate if you wanted to. If it does not find them then it will use the certificate supplied in the firmware.
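
A pre-flight check that could run before the startup script above copies files out of /jffs/ssl, as an added example that is not part of the original post: it confirms the three files are present and of the kind the post describes (cert.pem a certificate, key.pem unencrypted, privkey.pem encrypted). The function names, return codes and the permission check on key.pem are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Helper names are hypothetical.

# True when a PEM private key file is passphrase-protected, in either the
# traditional ("Proc-Type: 4,ENCRYPTED") or the PKCS#8 encoding.
is_encrypted() {
    grep -q -e 'Proc-Type: 4,ENCRYPTED' -e 'BEGIN ENCRYPTED PRIVATE KEY' "$1"
}

# Returns 0 when the directory holds a usable set; otherwise prints the
# reason on stderr and returns a distinct non-zero code per failure.
check_cert_dir() {
    dir=$1
    for f in cert.pem key.pem privkey.pem; do
        [ -s "$dir/$f" ] || { echo "missing or empty: $f" >&2; return 1; }
    done
    # cert.pem must be a certificate, not a key or a signing request.
    grep -q -e '-----BEGIN CERTIFICATE-----' "$dir/cert.pem" ||
        { echo "cert.pem is not a PEM certificate" >&2; return 2; }
    grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$dir/key.pem" ||
        { echo "key.pem is not a PEM private key" >&2; return 3; }
    # The post describes key.pem as the unencrypted key; an encrypted one
    # here means the two key files were swapped.
    if is_encrypted "$dir/key.pem"; then
        echo "key.pem is encrypted; expected the unencrypted key" >&2
        return 4
    fi
    is_encrypted "$dir/privkey.pem" ||
        { echo "privkey.pem is not encrypted" >&2; return 5; }
    # The unencrypted key should not be readable by group or others.
    perms=$(ls -ld "$dir/key.pem" | cut -c5-10)
    [ "$perms" = "------" ] ||
        { echo "key.pem is group/world accessible; chmod 600 it" >&2; return 6; }
    return 0
}

# Usage: sh check-cert.sh /jffs/ssl
if [ "$#" -gt 0 ]; then
    check_cert_dir "$1"
fi
```

This inspects only the PEM headers and file mode; it does not prove that key.pem and cert.pem belong to the same key pair.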
seanvree
DD-WRT User


Joined: 09 Sep 2015
Posts: 92

Posted: Tue May 31, 2016 2:02
Hey guys, thanks for this,

I'm using Firmware: DD-WRT v3.0-r29620M kongac (05/10/16) on my R7000.

I've already got my keys on my local HD

How do I copy the files to the /jffs, and /ETC directories?

I'm familiar with SSH, but not a Linux guru, can someone tell me the commands I need to run?
All times are GMT