Posted: Fri Feb 22, 2008 20:25 Post subject: Adding user created ssl certificates
Ok. I am going to try doing this via the firmware modification kit; however, I want to try it this way first. If I don't, I will have to rebuild the firmware to replace the certificate every year. This is my plan:
After boot and after JFFS, but before HTTPS, do the following...
Check for the existence of /jffs/ssl/key.pem and /jffs/ssl/cert.pem
If they don't exist, copy /etc/ssl/key.pem and /etc/ssl/cert.pem to /tmp/ssl
If they do exist, copy /jffs/ssl/key.pem and /jffs/ssl/cert.pem to /tmp/ssl
The symlinks will be located at /etc/key.pem and /etc/cert.pem and will point to /tmp/ssl
Unfortunately the copy has to happen on each bootup. The main question is the current initialization order: which one loads first, HTTPS or JFFS? Also, where is the command that actually starts the https daemon?
Ok. I've written preliminary alpha-level scripts. This is what it does right now.
It checks whether HTTPS mode is enabled at all. If it is, it proceeds; otherwise we don't need to bother.
user-cert.startup
Code:
    #!/bin/sh
    # Runs after /jffs is mounted and before httpd is (re)started.
    # Install the certificate shipped in the firmware, then override it with
    # the user-supplied files from /jffs/ssl when all three are present.

    https=$(nvram get https_enable)
    httpsd=$(nvram get httpsd_enable)
    # An unset nvram variable reads as empty; treat it as 0 instead of failing the test
    if [ "${https:-0}" -gt 0 ] && [ "${httpsd:-0}" -gt 0 ]; then
        # Stop httpd while the files are swapped so it never reads a half-copied key.
        # pidof may print several pids, so test its exit status rather than its output.
        if pidof httpd >/dev/null 2>&1; then
            stopservice httpd
            HTTPS_RESET=1
        fi
        # Default: the certificate and keys supplied in the firmware
        cp /etc/ssl/cert.pem /tmp/etc/cert.pem
        cp /etc/ssl/key.pem /tmp/etc/key.pem
        cp /etc/ssl/privkey.pem /tmp/etc/privkey.pem
        jffs=$(nvram get enable_jffs2)
        sysjffs=$(nvram get sys_enable_jffs2)
        if [ "${jffs:-0}" -gt 0 ] && [ "${sysjffs:-0}" -gt 0 ]; then
            # Only override when the complete set exists, so a partial upload
            # cannot leave httpd with a key that does not match its certificate
            if [ -e /jffs/ssl/cert.pem ] && [ -e /jffs/ssl/key.pem ] && [ -e /jffs/ssl/privkey.pem ]; then
                cp /jffs/ssl/cert.pem /tmp/etc/cert.pem
                cp /jffs/ssl/key.pem /tmp/etc/key.pem
                cp /jffs/ssl/privkey.pem /tmp/etc/privkey.pem
            fi
        fi
        # Restart httpd only if this script was the one that stopped it
        if [ "$HTTPS_RESET" = "1" ]; then
            startservice httpd
            unset HTTPS_RESET
        fi
    fi
EDIT: This script is currently only tested on Eko's Pre-RC7 9081 build. So far it is fully working and went through all the different parts as expected. I still need to get my own cert, though; that shouldn't be hard.
EDIT2: Ok. Here is the final code. It is all tested. You will either need to build a copy of the firmware with this file located in /etc/config and make it executable, or ask me to make one for you and specify which firmware version you want it done on. There is no web interface. Copy your private key (encrypted and non-encrypted versions) as well as your signed certificate to /jffs/ssl, and they will be found and used by this script.
These are the files that are checked for. I will describe which is which:
privkey.pem -- The encrypted private key
key.pem -- The unencrypted version of the above key
cert.pem -- The signed key from a CA
You can use any number of free certificates if you want, or even a self-signed certificate. If it does not find them, it will use the certificate supplied in the firmware.
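As an added example (not part of the original post, and not DD-WRT's own code), the script below produces the three files the startup script looks for in /jffs/ssl and checks that they belong together before you copy them over. It assumes the openssl command-line tool on the machine you run it on (a PC, not necessarily the router); the function names, the CN and the passphrase are placeholders chosen for this example. The check matters because the startup script above only tests that the files exist: a key.pem and cert.pem that do not match would be installed silently and httpd would fail to serve HTTPS. Keep in mind that key.pem is stored unencrypted on /jffs, so anything running as root on the router can read it.

```shell
#!/bin/sh
# Added example, not from the original post or from DD-WRT. Assumes the
# openssl CLI; make_router_certs/check_router_certs, the CN and the
# passphrase are placeholder names for this example.
set -eu

# make_router_certs DIR CN PASSPHRASE
#   key.pem     unencrypted RSA key (what httpd reads at boot)
#   privkey.pem the same key, AES-256 encrypted under PASSPHRASE
#   cert.pem    self-signed certificate for CN, valid one year
make_router_certs() {
    dir=$1; cn=$2; pass=$3
    umask 077                      # private keys must not be world-readable
    mkdir -p "$dir"
    openssl genrsa -out "$dir/key.pem" 2048 2>/dev/null
    openssl rsa -in "$dir/key.pem" -aes256 -passout "pass:$pass" \
        -out "$dir/privkey.pem" 2>/dev/null
    # Replace this step with a CSR and a CA-signed cert if you do not want a self-signed one
    openssl req -new -x509 -key "$dir/key.pem" -days 365 \
        -subj "/CN=$cn" -out "$dir/cert.pem" 2>/dev/null
}

# check_router_certs DIR PASSPHRASE
#   Succeeds only if all three files exist, privkey.pem decrypts with
#   PASSPHRASE to the same key as key.pem, and cert.pem was issued for that
#   key. Run it before copying to /jffs/ssl; the startup script itself only
#   checks that the files exist.
check_router_certs() {
    dir=$1; pass=$2
    for f in key.pem privkey.pem cert.pem; do
        [ -s "$dir/$f" ] || { echo "missing or empty $dir/$f" >&2; return 1; }
    done
    # Compare the public halves: same key <=> same SubjectPublicKeyInfo PEM
    pub_plain=$(openssl pkey -in "$dir/key.pem" -pubout 2>/dev/null) || return 1
    pub_enc=$(openssl pkey -in "$dir/privkey.pem" -passin "pass:$pass" -pubout 2>/dev/null) || return 1
    pub_cert=$(openssl x509 -in "$dir/cert.pem" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$pub_plain" ] && [ "$pub_plain" = "$pub_enc" ] && [ "$pub_plain" = "$pub_cert" ]
}

# Usage: sh make-router-certs.sh --demo   (writes into ./ssl-out)
if [ "${1:-}" = "--demo" ]; then
    make_router_certs ./ssl-out router.lan change-me
    check_router_certs ./ssl-out change-me && echo "ssl-out: key, encrypted key and certificate match"
    echo "now copy ssl-out/*.pem to /jffs/ssl/ on the router"
fi
```

The check deliberately compares public keys rather than file contents: the encrypted and plain files are different bytes for the same key, and the certificate carries only the public half, so extracting the SubjectPublicKeyInfo from all three is the one comparison that works for every pair.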