When it comes to home network security, people often say, “I don’t need to worry about that, since it’s my home network, not a corporate network.” However, your home network is still connected to the internet, which means it is exposed to attackers.
A good example is remote access back into your home network, such as to your router, NAS or even FTP. If you only use HTTP, anyone with a simple traffic capture can see all of your traffic in plain text, including your password.
In today’s world, it is not only enterprises that need better security; home networks do as well. And encrypting your traffic is not that hard: just enable HTTPS.
So last time I enabled HTTPS for remote access to my NAS; today I will upload the same free public SSL certificate to my Asus router.
No matter what firmware you are using, the SSL upload process should be the same, since the core is a Linux system.
OK, let’s get started.
0. Clean "https_crt_file" if necessary (SSL renew process)
If you are trying to renew the SSL certificate, or if https_crt_file is not empty, you have to clean https_crt_file first.
ricky@Ricky-AC87U:/tmp/home/root# nvram set https_crt_save=0
ricky@Ricky-AC87U:/tmp/home/root# nvram unset https_crt_file
ricky@Ricky-AC87U:/tmp/home/root# service restart_httpd
##############Verify https_crt_file is empty now
ricky@Ricky-AC87U:/tmp/home/root# nvram get https_crt_file
ricky@Ricky-AC87U:/tmp/home/root#
##############Reboot
ricky@Ricky-AC87U:/tmp/home/root# reboot
1. Prepare your public SSL certificate
The certificate has to be in PEM format, which may have the extension .pem, .crt, .cer or .key
If you would like to know more about the different certificate formats and how to convert between them, you can find it here
Here’s what my certificate looks like
2. Enable SSH on Asus router
Navigate to Administration->System, enable SSH and apply
Note: I do not recommend enabling SSH for WAN. Although SSH is a secure protocol, fewer open ports (doors) to your home is always better
3. Enable HTTPS login for router
Navigate to Administration->System
4. Log in over SSH
To log in over SSH, a free tool called “PuTTY” is your friend
Just open PuTTY and type in your router’s IP and port
5. Follow the steps below or here to upload your certificate
###############Enable https_crt_save and verify that it was set correctly
ricky@Ricky-AC87U:/tmp/home/root# nvram set https_crt_save=1
###############Verify that https_crt_save is on
ricky@Ricky-AC87U:/tmp/home/root# nvram get https_crt_save
1
##############upload certificate key
ricky@Ricky-AC87U:/tmp/home/root# cat >/etc/key.pem
##############Open your key file in Notepad and paste here, do NOT use “Word Wrap”
#############HIT CTRL+D TO SAVE AND EXIT CAT COMMAND
ricky@Ricky-AC87U:/tmp/home/root#
##############upload certificate
ricky@Ricky-AC87U:/tmp/home/root# cat >/etc/cert.pem
##############Open your cert file in Notepad and paste here, do NOT use “Word Wrap”
##############HIT CTRL+D TO SAVE AND EXIT CAT COMMAND
ricky@Ricky-AC87U:/tmp/home/root#
##############Verify https_crt_file is empty
##############You should see empty here
ricky@Ricky-AC87U:/tmp/home/root# nvram get https_crt_file
ricky@Ricky-AC87U:/tmp/home/root#
##############If the https_crt_file is not empty, please follow the SSL renew process to clean the https_crt_file first
##############Restart httpd
ricky@Ricky-AC87U:/tmp/home/root# service restart_httpd
##############Verify https_crt_file again
ricky@Ricky-AC87U:/tmp/home/root# nvram get https_crt_file
##############You will see your new certificate file like below
##############Reboot
ricky@Ricky-AC87U:/tmp/home/root# reboot
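A key or certificate pasted through `cat >/etc/key.pem` can arrive cut short, joined into over-long lines, or with Windows line endings, so it is worth checking both files before running `service restart_httpd`. The following is an added example, not part of the original post: `pem_check` is a hypothetical helper name, and the sample files it builds are constructed placeholders, not real keys.

```shell
#!/bin/sh
# Added example (not from the original post): check a PEM file pasted via `cat >file`.
# Prints "ok" or the first problem found; returns 0 only when the file looks intact.
pem_check() {
    f=$1
    [ -s "$f" ] || { echo "empty or missing"; return 1; }
    # Carriage returns mean Windows line endings came along with the paste.
    if grep -q "$(printf '\r')" "$f"; then echo "CR characters present"; return 1; fi
    first=$(sed -n '1p' "$f")
    last=$(sed -n '$p' "$f")
    case $first in
        "-----BEGIN "*"-----") ;;
        *) echo "first line is not a BEGIN marker"; return 1 ;;
    esac
    label=${first#-----BEGIN }
    label=${label%-----}
    # A paste ended too early (CTRL+D before the last line) loses the closing marker.
    [ "$last" = "-----END $label-----" ] || { echo "last line is not the matching END marker"; return 1; }
    # Body lines must be base64 only; RFC 7468 encoders wrap them at 64 characters.
    if grep -v '^-----' "$f" | grep -qvE '^[A-Za-z0-9+/=]{0,64}$'; then
        echo "body line too long or not base64"; return 1
    fi
    echo "ok"
}

# Constructed sample data: a 64-character placeholder base64 line, not a real key.
B=QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVphYmNkZWZnaGlqa2xtbm9wcXJzdHV2
d=$(mktemp -d)
printf '%s\n' '-----BEGIN PRIVATE KEY-----' "$B" "$B" '-----END PRIVATE KEY-----' >"$d/good.pem"
printf '%s\n' '-----BEGIN PRIVATE KEY-----' "$B$B" '-----END PRIVATE KEY-----' >"$d/joined.pem"
printf '%s\n' '-----BEGIN PRIVATE KEY-----' "$B" >"$d/cut.pem"
for f in good joined cut; do
    echo "$f.pem: $(pem_check "$d/$f.pem" || true)"
done
rm -rf "$d"
```

On the router the same function would be pointed at /etc/key.pem and /etc/cert.pem; it checks only the file structure, not whether the key belongs to the certificate.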
6. Verification
After the reboot, let’s test the result
That’s my own SSL certificate, no warning anymore