ER-X - Use TLS Certificate for GUI

(September 28, 2016: This post was updated since it was first published. Please scroll to the bottom for the changes.)

I have deployed a self-signed root CA to all family devices that I manage, partly because I use this root CA for pixelserv-tls. I also issue certificates based on this root CA for other applications like IKEv2 IPsec VPN and OpenVPN.

Reasons to issue a certificate for the web interface:

  • Natural and easy for me, as I have the certificate infrastructure in place.
  • Can access the web interface from iOS/Android devices without the difficulty of accepting a new certificate every time the ER-X is reset or after a firmware upgrade.
  • In v1.9, Ubiquiti recently introduced a bug that prevents users from loading the web interface on major browsers other than Google Chrome. Users with a root CA + server certificate are not affected.
  • Sweet to access the web interface by hostname and see the green padlock.

My ER-X Dashboard

Generate a Server Certificate

For pixelserv-tls users, it's very easy to generate a server certificate. Point your host, e.g. erx, to the pixelserv-tls listening IP in your DNS server. Then access https://erx from a browser. The certificate file, named erx, is by default found in /opt/var/cache/pixelserv. This file contains both the public and private key.

For other users, you can use EasyRSA or openssl CLI. If it's your first time doing this, it takes a while. Why not try pixelserv-tls if you happen to have a device that runs Entware-ng?

How to Install the Server Certificate

Prepare the server certificate in a file named server.pem, which should contain both the public and private key, in that order (though the order is not strictly required), e.g.


Step 1: Save server.pem to /config/auth/ on ER-X.

Step 2: Go to /etc/lighttpd.

sudo rm server.pem        #remove the original file  
sudo ln -s /config/auth/server.pem server.pem   #create a symbolic link  

Step 3: Bounce lighttpd to take effect.

sudo killall -SIGINT lighttpd  
sudo /usr/sbin/lighttpd -f /etc/lighttpd/lighttpd.conf  

The symlink will survive a reboot but will most likely go away after a firmware upgrade. Let's find a proper fix for that next time.

Update: September 28, 2016

Just found out EdgeOS CLI provides commands to set the GUI's certificate. Here we go:

$ configure
$ set service gui cert-file /config/auth/server.pem 
$ commit
$ save

This way the certificate setting shall persist across reboots and firmware upgrades. Clean and neat!
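
A pre-install check for the combined server.pem used by both methods above, as an added example that is not part of the original post: it confirms that the file holds a certificate and a private key, that the two belong together, and that the certificate has not expired. It assumes the openssl CLI is available; check_server_pem and make_sample_pem are hypothetical helper names.

```shell
#!/bin/sh
# Added example, not from the original post. Requires the openssl CLI.
# check_server_pem and make_sample_pem are hypothetical helper names.

fail() { echo "FAIL: $*" >&2; return 1; }

# Returns 0 only if the combined PEM is fit to serve as the GUI certificate.
check_server_pem() {
    pem=$1
    [ -r "$pem" ] || fail "cannot read $pem" || return 1

    # Both blocks must be present. Assumption: the key is stored without a
    # passphrase, because nobody is there to type one when the service starts.
    grep -q -- '-----BEGIN CERTIFICATE-----' "$pem" ||
        fail "no certificate block" || return 1
    grep -Eq -- '-----BEGIN (RSA |EC )?PRIVATE KEY-----' "$pem" ||
        fail "no unencrypted private key block" || return 1

    # The private key must be the one the certificate was issued for.
    cert_pub=$(openssl x509 -in "$pem" -noout -pubkey 2>/dev/null) ||
        fail "certificate does not parse" || return 1
    key_pub=$(openssl pkey -in "$pem" -pubout -passin pass: 2>/dev/null) ||
        fail "private key does not parse" || return 1
    [ "$cert_pub" = "$key_pub" ] ||
        fail "private key does not match certificate" || return 1

    # -checkend 0 exits non-zero when the certificate is already expired.
    openssl x509 -in "$pem" -noout -checkend 0 >/dev/null 2>&1 ||
        fail "certificate has expired" || return 1

    # The file carries the private key: warn if group or others have access.
    [ "$(ls -ldL -- "$pem" | cut -c5-10)" = "------" ] ||
        echo "WARN: $pem is accessible to group or others" >&2
    echo "OK: $pem"
}

# Constructed sample input: a throwaway self-signed pair plus a mismatched file.
make_sample_pem() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=erx" -days 30 \
        -keyout "$d/key.pem" -out "$d/cert.pem" 2>/dev/null || return 1
    openssl genrsa -out "$d/other.pem" 2048 2>/dev/null || return 1
    cat "$d/cert.pem" "$d/key.pem" > "$d/server.pem"      # certificate, then key
    cat "$d/cert.pem" "$d/other.pem" > "$d/mismatch.pem"  # key from another pair
    chmod 600 "$d/server.pem" "$d/mismatch.pem"
}

# Usage: sh check_pem.sh /config/auth/server.pem
if [ $# -gt 0 ]; then check_server_pem "$1"; fi
```

Run it against /config/auth/server.pem before restarting lighttpd or committing the cert-file setting, so a mismatched or expired file is caught before the GUI tries to load it.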


Stephen Yip
