(September 28, 2016: This post has been updated since it was first published. Please scroll to the bottom for the changes.)
I have deployed a self-signed root CA to all the family devices that I manage, partly because I use this root CA for pixelserv-tls. I also issue certificates from this root CA for other applications, such as IKEv2 IPsec VPN and OpenVPN.
Reasons to issue a certificate for the web interface:
- It's natural and easy for me, since I already have the certificate infrastructure in place.
- I can access the web interface from iOS/Android devices without having to deal with accepting a new certificate every time the ER-X is reset or upgraded.
- Recently, in v1.9, Ubiquiti introduced a bug that prevents users from loading the web interface in major browsers other than Google Chrome. Users with a root CA plus a server certificate are not affected.
- It's sweet to access the web interface by hostname and see the green padlock.
Generate a Server Certificate
For pixelserv-tls users, generating a server certificate is very easy. In your DNS server, point your host name, e.g. erx, at the IP that pixelserv-tls listens on, say 192.168.1.3. Then access https://erx from a browser. The certificate file, named erx, is by default found in /opt/var/cache/pixelserv. This file contains both the certificate (public key) and the private key.
For other users, EasyRSA or the openssl CLI will do the job. If it's your first time doing this, it takes a while. Why not try pixelserv-tls if you happen to have a device that runs Entware-ng?
How to Install the Server Certificate
Prepare the server certificate in a file named server.pem, which should contain both the certificate and the private key, preferably in that order (the order is not strictly required).
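As an added example (not code from this post, from Ubiquiti or from pixelserv-tls), here is the EasyRSA/openssl route mentioned above carried through with the openssl CLI: it issues a server certificate from your own root CA, assembles server.pem in the layout just described (certificate first, then key) and checks the file before it goes to the router. It assumes the root CA is kept as ca.key and ca.crt in the directory passed as the first argument (a hypothetical "Home Root CA" is created there if none exists) and that the router hostname is the second argument.

```shell
#!/bin/sh
# Added example, not code from the original post. Issues a server certificate
# for the router's web interface from a self-signed root CA with the openssl
# CLI, assembles the server.pem that lighttpd expects (certificate first, then
# private key) and checks the result before it is copied to /config/auth/.
# Assumed/hypothetical: the CA lives in ca.key + ca.crt inside $1; $2 is the host.
set -eu

make_server_pem() (
  cd "$1"; host=$2
  # Root CA (skipped if ca.key already exists). CA:TRUE and keyCertSign are
  # needed, otherwise openssl verify and browsers will not accept it as an issuer.
  if [ ! -f ca.key ]; then
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj '/CN=Home Root CA' \
      -keyout ca.key -out ca.csr 2>/dev/null
    openssl x509 -req -in ca.csr -signkey ca.key -days 3650 -sha256 -extfile ca.ext \
      -out ca.crt 2>/dev/null
  fi
  # Server key and CSR for the hostname you will type into the browser.
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$host" \
    -keyout "$host.key" -out "$host.csr" 2>/dev/null
  # Modern browsers ignore the CN: the leaf needs a matching SAN plus serverAuth.
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' "$host" > "$host.ext"
  openssl x509 -req -in "$host.csr" -CA ca.crt -CAkey ca.key -CAcreateserial \
    -days 825 -sha256 -extfile "$host.ext" -out "$host.crt" 2>/dev/null
  # The file lighttpd reads from ssl.pemfile: certificate, then the private key.
  cat "$host.crt" "$host.key" > server.pem
  chmod 600 server.pem "$host.key" ca.key
)

# Returns 0 only if the result is sane: the certificate chains to our CA, the key
# inside server.pem matches the certificate inside server.pem, and the SAN
# carries the hostname we will browse to.
verify_server_pem() (
  cd "$1"; host=$2
  openssl verify -CAfile ca.crt "$host.crt" >/dev/null 2>&1 || return 1
  cert_pub=$(openssl x509 -in server.pem -noout -pubkey)
  key_pub=$(openssl pkey -in server.pem -pubout 2>/dev/null)
  [ "$cert_pub" = "$key_pub" ] || return 1
  openssl x509 -in server.pem -noout -text | grep -q "DNS:$host"
)
```

Both functions run in a subshell, so they leave your working directory untouched; keep ca.key off the router, only server.pem needs to go there.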
Step 1: Save server.pem to /config/auth/ on the ER-X.
Step 2: Go to the directory where lighttpd keeps its server.pem and replace the file with a symbolic link:
sudo rm server.pem    # remove the original file
sudo ln -s /config/auth/server.pem server.pem    # create a symbolic link
Step 3: Bounce lighttpd for the change to take effect:
sudo killall -SIGINT lighttpd
sudo /usr/sbin/lighttpd -f /etc/lighttpd/lighttpd.conf
The symlink will survive a reboot but will most likely go away after a firmware upgrade. Let's find a proper fix for that next time.
Update: September 28, 2016
Just found out that the EdgeOS CLI provides commands to set the GUI's certificate. Here we go:
$ configure
$ set service gui cert-file /config/auth/server.pem
$ commit
$ save
This way the certificate setting should persist across reboots and firmware upgrades. Clean and neat!