TLS/SSL certificates for a server

Transport Layer Security (TLS, formerly called SSL) is used to encrypt and protect communication. When a web server speaks plain HTTP its address starts with http://; HTTP carried over TLS is called HTTPS and the address starts with https://. For HTTPS sites a web browser shows a lock icon in the address bar.

To enable HTTPS for a website's domain you need a private key and a TLS certificate for that key, signed by a Certificate Authority (CA). The OpenWrt admin interface LuCI supports HTTPS by default, so you can open it with https://192.168.1.1/. Its certificate, however, is self-signed rather than issued by a CA your browser trusts, so the browser shows a warning.

You can buy a TLS certificate, but nowadays the Let's Encrypt CA issues certificates for free through the ACME protocol, using a client such as certbot. The only catch is that Let's Encrypt certificates are valid for just 90 days, so renewal has to be automated. The CA also has to validate that you control the domain: for the HTTP-01 challenge port 80 of the domain must be reachable from the internet, otherwise use the DNS-01 challenge through a DNS provider API.

There are several ACME clients that automate issuing and renewal:
- certbot is the official ACME client. It is feature-rich but too heavy for small OpenWrt routers.
- acme.sh is a small ACME client written in shell script and has a LuCI app to configure it. This is the recommended client for OpenWrt.
- uacme is a lightweight ACME client written in plain C with minimal dependencies: libcurl and one of MbedTLS, OpenSSL or GnuTLS.
- Many others are listed under ACME Client Implementations.

If you have already taken care of certificate automation, see also Installing a publicly trusted certificate.
ACME.sh

For experienced users

Install the packages from the command line:

  opkg update
  opkg install acme luci-app-acme

(On newer OpenWrt releases the acme.sh package is named acme-acmesh.) Then edit /etc/config/acme and restart the service:

  service acme restart

Easier way using the GUI

Open the LuCI dashboard and in the main menu go to System / Software. Click on Update lists... to load the list of available packages. Type luci-app-acme into the Filter field, press Enter and click Install. This installs acme.sh together with its LuCI app.

To configure it, open Services / ACME certs in the main menu.

Basic configuration:
- Account email: your email address, used by the CA to send expiry notices when a certificate is coming up for renewal.

You will see a preconfigured EXAMPLE domain. Change it for your own:
- Enabled: tick it.
- Use staging server: untick it. The staging CA is only for testing the setup without hitting rate limits; the certificates it issues are not trusted by browsers.
- Use for uhttpd: leave it unticked if you are not sure. It makes LuCI itself use the issued certificate.
- Key size: select ECC 256 bits. The key is then based on an elliptic curve, which is faster and smaller than an RSA key of comparable strength.
- Domain names: replace example.org with your domain.

Click Save & Apply. Now wait a while for the certificate to be issued. Afterwards you will find the files in the /etc/acme/YOURDOMAIN_ecc folder:
- /etc/acme/YOURDOMAIN_ecc/YOURDOMAIN.key: the TLS private key. Never share it!
- /etc/acme/YOURDOMAIN_ecc/fullchain.cer: the TLS certificate followed by the chain of CA certificates that signed it.

You can use them in nginx, uhttpd, lighttpd, EmailRelay and any other server you want to configure with TLS. For uhttpd they go into the cert and key options of the main section in /etc/config/uhttpd.

Self signed certs

See HTTPS Enable and Certificate Settings and Creation or Getting rid of LuCI HTTPS warnings.

Installing and trusting a root CA certificate in a PKI

As stated above: to enable HTTPS for a website's domain you need a private key and a TLS certificate signed by a Certificate Authority (CA). But what if you run your own private Certificate Authority in your infrastructure?
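Before going on to the private CA case: for the command-line route in the ACME.sh section above ("edit /etc/config/acme"), the following is an added example of a UCI configuration equivalent to the LuCI settings described there. It is not from the original page or the acme package. The email address and domains are placeholders; the option names are the ones found in the default /etc/config/acme shipped by the acme package, so compare them with the file the package installed on your router before relying on them.

```text
config acme
	option account_email 'admin@example.org'
	option debug '0'

config cert 'example'
	option enabled '1'
	# staging off: the staging CA issues certificates browsers do not trust
	option use_staging '0'
	# ECC 256 bits in LuCI; the certificate lands in /etc/acme/example.org_ecc
	option keylength 'ec-256'
	# leave at 0 unless LuCI itself should use this certificate
	option update_uhttpd '0'
	list domains 'example.org'
	list domains 'www.example.org'
```

After saving the file, run service acme restart as described above; for the HTTP challenge the CA must be able to reach port 80 of every listed domain.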
With a private CA, the CA will sign your certificate, but the root certificate (the one from the private CA) is not trusted by your system. It has to be installed and added to the system's trust store. The steps are as follows:

1. Get the root CA certificate
2. Install the root CA certificate
3. Add the root CA certificate to the system's trust store
4. A helper script

For this documentation we assume:
- The CA name is ca.private-domain.tld
- The CA server is accessible at ca.private-domain.tld, port 443, and presents the root CA certificate as its own TLS certificate
- The CA cert filename is ca.private-domain.tld.cert

1. Get the root CA certificate

Let's get the root CA cert:

  openssl s_client -connect ca.private-domain.tld:443 < /dev/null > /tmp/temporary.out
  openssl x509 -outform PEM < /tmp/temporary.out > /tmp/ca.private-domain.tld.cert
  rm /tmp/temporary.out

Two things to keep in mind. First, openssl x509 reads only the first certificate in the s_client output, which is the certificate the server presents for itself, so this yields the root only because we assumed the CA server serves its root certificate; add -showcerts to s_client to see the whole chain the server sends. Second, this connection is deliberately unverified (the root is not trusted yet), so anyone in the path could hand you a different "root". Before trusting the file, compare its SHA-256 fingerprint with one you obtained out of band from the CA operator.

Note: Don't forget to remove the temporary file /tmp/temporary.out.

2. Install the root CA certificate

Trusted certificates live in /etc/ssl/certs. However, it is good practice to follow the Filesystem Hierarchy Standard (FHS 3) and keep locally added, architecture-independent files under /usr/local/share, linking them into /etc/ssl/certs. The certificate must be readable by everyone but needs no execute bit:

  mkdir -p /usr/local/share/ca-certificates
  mv /tmp/ca.private-domain.tld.cert /usr/local/share/ca-certificates/
  chmod 644 /usr/local/share/ca-certificates/ca.private-domain.tld.cert
  ln -s /usr/local/share/ca-certificates/ca.private-domain.tld.cert /etc/ssl/certs/ca.private-domain.tld.cert

3. Add the root CA certificate to the system's trust store

The certificate is installed but not yet trusted. OpenSSL looks certificates up in a trust directory by a hash of their subject name, trying the file <hash>.0 first, then <hash>.1 and so on, so you have to create a symlink named after that hash:

  # Generate the hash
  HASH="$(openssl x509 -hash -noout -in /etc/ssl/certs/ca.private-domain.tld.cert).0"
  # Display the hash value
  echo "$HASH"
  # Link the hash to the certificate
  ln -s "/etc/ssl/certs/ca.private-domain.tld.cert" "/etc/ssl/certs/$HASH"

Note: If another certificate already has the same hash, use the suffix .1 or .2 instead of .0. The rehash subcommand of openssl (OpenSSL 1.1.0 and newer) creates these links for every certificate in the directory at once.

You can check the result by verifying a certificate issued by your CA with openssl verify, passing /etc/ssl/certs as the CA path. Keep in mind that clients which read a single bundle file instead of the directory (for example the /etc/ssl/cert.pem bundle installed by OpenWrt's ca-bundle package) will not see a certificate added this way; append it to that bundle as well if such a client has to trust the CA.

Congratulations, you've installed and trusted your root CA certificate.

4.
A helper script

The script below performs steps 1 to 3 in one go. It stops if no certificate could be extracted from the server, prints the fingerprint for you to compare with the CA operator's value, and takes the next free hash suffix instead of blindly using .0.

  #!/bin/sh
  set -eu
  CA_NAME="ca.private-domain.tld"
  CERT_FILE="$CA_NAME.cert"
  CERT_INSTALL_DIR="/usr/local/share/ca-certificates"
  CERT_PATH="${CERT_INSTALL_DIR}/${CERT_FILE}"
  TRUST_DIR="/etc/ssl/certs"
  TMP="/tmp/temporary.out"
  # 1. Fetch the certificate the CA server presents (openssl x509 keeps only the first one
  #    and fails, aborting the script, if there is none).
  openssl s_client -connect "${CA_NAME}:443" < /dev/null > "$TMP"
  mkdir -p "$CERT_INSTALL_DIR"
  openssl x509 -outform PEM < "$TMP" > "$CERT_PATH"
  rm -f "$TMP"
  chmod 644 "$CERT_PATH"
  # Compare this fingerprint with the one the CA operator gave you before trusting the cert.
  openssl x509 -noout -subject -fingerprint -sha256 -in "$CERT_PATH"
  # 2. Link the certificate into the trust directory.
  ln -sf "$CERT_PATH" "$TRUST_DIR/$CERT_FILE"
  # 3. Hash link; take the next free suffix if another cert already uses this hash.
  HASH="$(openssl x509 -hash -noout -in "$CERT_PATH")"
  N=0
  while [ -e "$TRUST_DIR/$HASH.$N" ]; do N=$((N + 1)); done
  ln -s "$TRUST_DIR/$CERT_FILE" "$TRUST_DIR/$HASH.$N"
  ls -al "$TRUST_DIR/$HASH.$N"

Last modified: 2023/02/28 07:55 by stokito
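The whole procedure (fetch, fingerprint check, install, hash link, verification) as one runnable script, added here as an example; it is not part of the original page or of OpenWrt. It adds what the unverified s_client download needs, a comparison against an out-of-band SHA-256 fingerprint, handles the .0/.1 hash-suffix collision, and proves the result with openssl verify against the trust directory. It assumes only a POSIX shell and the openssl command-line tool. The function names fetch_server_chain, sha256_fingerprint, install_root_ca and verify_against are my own. In demo mode it generates a throwaway CA and leaf certificate on the fly (constructed test data, no network) and installs into a temporary directory instead of /etc/ssl/certs.

```shell
#!/bin/sh
# Added example, not from the original page: install a private root CA into an
# OpenSSL-style trust directory and prove that certificates it issued verify.
set -eu

# Step 1: print the certificate chain a server presents. Unverified on purpose:
# the root is not trusted yet, so the result must be checked against a
# fingerprint obtained out of band before it is installed.
fetch_server_chain() {  # host port
  openssl s_client -connect "$1:$2" -showcerts < /dev/null 2>/dev/null \
    | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p'
}

sha256_fingerprint() {  # cert.pem -> "AA:BB:..."
  openssl x509 -noout -fingerprint -sha256 -in "$1" | sed 's/^.*=//'
}

# Steps 2 and 3: copy the PEM into install_dir, link it into trust_dir and add the
# <subject-hash>.N link OpenSSL looks up. Refuses if the fingerprint does not match.
install_root_ca() {  # cert.pem expected_sha256 install_dir trust_dir
  cert="$1"; expected="$2"; install_dir="$3"; trust_dir="$4"
  actual="$(sha256_fingerprint "$cert")"
  if [ "$actual" != "$expected" ]; then
    echo "fingerprint mismatch: got $actual, expected $expected" >&2
    return 1
  fi
  name="$(basename "$cert")"
  mkdir -p "$install_dir" "$trust_dir"
  cp "$cert" "$install_dir/$name"
  chmod 644 "$install_dir/$name"
  ln -sf "$install_dir/$name" "$trust_dir/$name"
  hash="$(openssl x509 -hash -noout -in "$cert")"
  n=0
  while [ -e "$trust_dir/$hash.$n" ]; do n=$((n + 1)); done  # .0, .1, ... on collision
  ln -s "$trust_dir/$name" "$trust_dir/$hash.$n"
  echo "$trust_dir/$hash.$n"
}

# Does a leaf certificate chain up to a root in trust_dir? Prints OK or FAIL.
verify_against() {  # leaf.pem trust_dir
  if openssl verify -CApath "$2" "$1" >/dev/null 2>&1; then echo OK; else echo FAIL; fi
}

# Self-test with constructed data: a throwaway root CA and a leaf it issued.
demo() {
  work="$(mktemp -d)"
  mkdir -p "$work/trust"
  ca="$work/ca.private-domain.tld.cert"
  # Minimal req config so the test does not depend on the system openssl.cnf.
  cat > "$work/req.cnf" <<'EOF'
[ req ]
prompt = no
distinguished_name = dn
x509_extensions = ca_ext
[ dn ]
CN = placeholder
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -config "$work/req.cnf" -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=ca.private-domain.tld" -keyout "$work/root.key" -out "$ca" >/dev/null 2>&1
  openssl req -new -config "$work/req.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=www.private-domain.tld" -keyout "$work/leaf.key" -out "$work/leaf.csr" >/dev/null 2>&1
  openssl x509 -req -in "$work/leaf.csr" -CA "$ca" -CAkey "$work/root.key" -CAcreateserial \
    -days 7 -out "$work/leaf.pem" >/dev/null 2>&1
  before="$(verify_against "$work/leaf.pem" "$work/trust")"   # root not installed yet
  refused=accepted
  install_root_ca "$ca" "00:00" "$work/local" "$work/trust" >/dev/null 2>&1 || refused=refused
  install_root_ca "$ca" "$(sha256_fingerprint "$ca")" "$work/local" "$work/trust" >/dev/null
  after="$(verify_against "$work/leaf.pem" "$work/trust")"
  rm -rf "$work"
  echo "$before $after $refused"
}

case "${1:-demo}" in
  demo)    demo ;;
  fetch)   fetch_server_chain "$2" "${3:-443}" ;;
  install) install_root_ca "$2" "$3" /usr/local/share/ca-certificates /etc/ssl/certs ;;
  *)       echo "usage: $0 demo | fetch HOST [PORT] | install CERT.pem SHA256_FINGERPRINT" >&2; exit 2 ;;
esac
```

Run it without arguments for the self-test; `fetch ca.private-domain.tld 443 > ca.pem` saves the presented chain for inspection, and `install ca.pem AA:BB:...` installs into the real locations once the fingerprint has been confirmed with the CA operator. The fingerprint check is the point of the exercise: without it the script would trust whatever certificate the network handed it.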