Certificates for OpenVPN Balance 20X

Hi All

So I have read all the posts in this forum, and there does not seem to be the perfect answer to this question.

So my question is, how do we revoke the certificate that is already in the Balance 20X, and then generate a new self-signed certificate for use in the OpenVPN profile you download from the Status page?

Next, if the above is not possible:

Where is the guide to make a certificate you can use with OpenVPN? I know there is an edit button on Network → Certificate Manager → OpenVPN CA, but what do we need to paste in these boxes? If we go to a certificate authority, we need a .CSR certificate to match the router and then get everything to paste here.

Can anyone help in this matter, or has anyone struggled with or fixed this issue before?

/Glenn

You cannot revoke self signed certificates. Only certificates issued by a CA.

You only need to generate a new one, and it replaces the default.

Google for “openssl self sign certificate” for guides on how to do this.

Or similar guides for Windows.

Hi Paul

Many thanks for your reply.
I am really new to this certificate problem, therefore I am trying to understand this, as we have a client who wants to have their own certificate, and I am trying to help them as much as I can.

So in the window for the OpenVPN certificate manager you need a Private Key and a Local Public Key Certificate, both of them PEM encoded.

So the question is, is the key file the result of this file in the link you sent = -key.pem (is this the signing key?)
And the certificate is = cert.pem = this needs to be signed by a signing key

Or even better, do you know what I should request from Comodo, GoDaddy or DigiCert, for example? Then I would just request that, but then they send me some files, as I have done that before, but that does not match this private key and local public key certificate.

It could also be an option if I can remake the self-signed one on the Peplink router, you know, generate a new one, but that option is not there either.

Sorry for my stupid questions :smiley:

Have a nice day.
/Glenn

The peplink device doesn’t generate keys or manage certificates… Therefore you need to generate your own private keys on another device, self sign them and then import them.

The link above included a unix one liner to do the whole thing under answer #1.

key.pem is the private key
cert.pem is the self signed cert that matches with key.pem.

In this particular case there is no benefit to using a Comodo, Digicert etc. certificate as the trust chain is not used by OpenVPN. It only accepts the single cert in the .ovpn file that you download.

Here’s the instructions I saved for myself specifically for a Peplink Balance router. Hopefully, these help!

Note that Chrome has become much more strict in recent versions. You can’t generate a self-signed SSL cert longer than 365 days, or it will consider it invalid. Also, Chrome is checking the Subject alt names for DNS and IP addresses. So you’ll want to make sure you add those in there. I generate a single SSL cert for the several Peplink devices I use, and reuse the cert amongst them. You can generate separate certs if you’d like.

Full steps:

  1. Install the most recent Windows version of OpenSSL on your machine and ensure the binary is in your path, or reference the exe by the full path.
  2. Open Command Prompt and run the following:
    "c:\Program Files\OpenSSL-Win64\bin\openssl.exe" req -x509 -newkey rsa:4096 -sha256 -days 3650 -nodes -keyout peplink.key -out peplink.crt -subj "/CN=yourdomain.com" -addext "subjectAltName=DNS:balanceone.yourdomain.com,DNS:balancelte.yourdomain.com,IP:10.0.0.1,IP:10.0.1.1"
  3. Where yourdomain.com is, replace with whatever local domain you want to use and will enter local DNS records for. Also, update the IPs to match your local devices.
  4. Import peplink.key to Chrome Cert Store: chrome://settings/security?search=certificate
  5. Cert must be imported into the “Trusted Root Certificate Authorities” tab.
  6. Open Peplink router config, go to Network > Misc Settings > Certificate Manager > Web Admin SSL.
  7. Click Edit (pencil) button.
  8. Upload contents of peplink.key into “Private Key”
  9. Upload contents of peplink.crt into “Local Public Key Certificate”
  10. Save and Apply settings button.
  11. Add local DNS entries to match “balanceone.yourdomain.com” or whatever you’re using.
  12. Restart all instances of Chrome/your browser.

Now the SSL warnings will finally go away and things will work as expected, vs having to click a few extra things to bypass the cert warnings in the browser.


Editing posts seems to be broken on the forums. Tried in two different browsers.

Be sure to change “-days 3650” to “-days 365”.
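
Added example (not part of any post in this thread): a POSIX shell pre-import check for the key and certificate discussed above, confirming that the private key matches the certificate, that the SAN entries are present, and that the certificate expires within 365 days. It assumes OpenSSL 1.1.1 or later; the function names are made up for this example, and the host names, IPs and file names are the placeholders from the post above.

```shell
#!/bin/sh
# Added example: generate a self-signed pair and check it before import.
# Function names are hypothetical; names/IPs are the thread's placeholders.

# make_selfsigned DIR [BITS]: write DIR/peplink.key and DIR/peplink.crt (PEM).
# -nodes leaves the key unencrypted, so create it with owner-only permissions.
make_selfsigned() (
    umask 077
    openssl req -x509 -newkey "rsa:${2:-4096}" -sha256 -days 365 -nodes \
        -keyout "$1/peplink.key" -out "$1/peplink.crt" \
        -subj "/CN=yourdomain.com" \
        -addext "subjectAltName=DNS:balanceone.yourdomain.com,DNS:balancelte.yourdomain.com,IP:10.0.0.1,IP:10.0.1.1" \
        2>/dev/null
)

# key_matches_cert KEY CERT: succeed only if both carry the same public key.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# has_san CERT ENTRY: ENTRY exactly as openssl prints it,
# e.g. "DNS:host.example" or "IP Address:10.0.0.1". The CN is not consulted.
has_san() {
    openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null |
        tr ',' '\n' | sed 's/^ *//; s/ *$//' | grep -qxF "$2"
}

# expires_within_days CERT DAYS: succeed if CERT expires within DAYS from now.
# For a freshly generated certificate this bounds its total lifetime.
expires_within_days() {
    openssl x509 -in "$1" -noout >/dev/null 2>&1 || return 1
    ! openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# preflight KEY CERT HOST: run every check before pasting into Certificate Manager.
preflight() {
    key_matches_cert "$1" "$2"   || { echo "key/cert mismatch"; return 1; }
    has_san "$2" "DNS:$3"        || { echo "SAN missing $3"; return 1; }
    expires_within_days "$2" 366 || { echo "lifetime over 365 days"; return 1; }
    echo "ok"
}
```

After sourcing the file, `preflight peplink.key peplink.crt balanceone.yourdomain.com` prints `ok` only when all three checks pass.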

Thanks to both of you for the feedback; that made it much more clear, especially the one you sent, Paul, that we don't need the CAs in this, as OpenVPN does not look at it, and you are right, there is no validation in this case.

Thanks for the guide on creating the certificate, Xerxes; that also made it very clear to me.

And good to have this post now, I had been looking for these answers for a long time :smiley:

So many thanks and for the time from both you to answer my post.

/Glenn