Custom Web Admin SSL Certificate Guide - New 6.1 Feature

I was pleased to learn a new feature was available in firmware 6.1: you can now assign a custom SSL certificate to the web administration page. I didn’t see this in the release notes but it was definitely a feature I’ve been waiting for. The Balance does not expose any ability to generate its own private key and provide you with a CSR that I could see, so you must provide it both a private and a public key. This can be a bit of an arduous configuration for some, so here’s how to do this step by step from a Windows PC.

  1. Open up an MMC and add the certificates snap-in. I chose the local computer store, but it probably doesn’t matter since we’re just using this temporarily to generate the certificates we need; we’ll delete everything here later.
  2. Right click the Personal store and choose All Tasks -> Advanced Operations -> Create Custom Request… and the Certificate Enrollment wizard appears.
  3. Step through the wizard. On the Select Certificate Enrollment Policy page, select “Proceed without enrollment policy” and hit next.
  4. On the custom request page accept the defaults (CNG key in PKCS #10 format) and hit next.
  5. The certificate information screen contains the link to the dialog where we’ll do the bulk of our work but it’s easy to miss (whoever designed this wizard I swear…). Click the “Details” disclosure triangle on the right side, then click the properties button. The certificate properties dialog appears.
  6. On the General tab you can put whatever you want, it doesn’t really have any bearing on the actual certificate.
  7. On the Subject tab, set your subject name fields as appropriate. At the minimum you’ll want to set the common name (FQDN of the appliance) and any of the locality fields your CA requires to be filled. I also set some alternative names, primarily the IP addresses for all WAN interfaces where I may access the Balance by a specific IP directly. This is not strictly necessary but nice to have.
  8. On the Extensions tab, expand the extended key usage section and add the server authentication option.
  9. On the Private Key tab, you may set the options you wish for the private key. Expand the key options section, and make sure you choose “Make private key exportable”. If we can’t export the private key to give it to the Balance this exercise will be pretty useless. I also increased the key size to 2048 and chose SHA256 for the hash. I’m not sure what server-side limitations there may be here on the Balance but these options are pretty standard. Also keep in mind what will be supported on your client side, as some older OS/browsers may not support certain options as far as certificate validation goes. SHA256 should not be a problem though unless you’re still running XP SP2 :stuck_out_tongue:
  10. Click ok in the certificate properties dialog, then back in the certificate enrollment wizard click next.
  11. Pick where to save the CSR, leave the encoding as base 64, and click finish.
  12. Submit the CSR file to your CA and receive back your CA signed certificate. I used an internal Windows Server based CA for this purpose since it’s not public facing and I already had one in place. If you don’t have a CA and you don’t know how or don’t want to set one up yourself, you could get it signed by a public CA such as network solutions, godaddy, etc for a small fee.
  13. Import the certificate you received from your CA into the Windows certificate store where you generated the request. Make sure you import it into the same store (eg: local computer personal store).
  14. If you did everything right the certificate should show in the certificates MMC. If you look at the icon it will be a little certificate with a key in the top left corner signifying you possess the private key portion of the certificate. You can verify by double clicking the certificate and seeing that it says “You have a private key that corresponds to this certificate.”
  15. Now we must export the private key from the certificate store so we can import it on the Balance. Right click the certificate and choose All tasks -> Export… and the certificate export wizard appears.
  16. Step through the wizard. Choose yes to export the private key and click next.
  17. Unfortunately when exporting the private key we do not have the option to export it in the base 64 format we ultimately need. We’ll have to fix that later. For now leave the default format PKCS #12. Choose to include all the certificates in the certification path if possible and export all extended properties. You may optionally choose to delete the private key if the export succeeds. We will not need this in our certificate store when we’re done. Click next.
  18. Click the password check box and fill in a strong password. This password will protect the private key inside the PFX file. You will need this later so don’t forget it.
  19. We now have our certificate information in a PKCS #12 format in the .pfx file we exported. We need this in base 64 encoded PEM format to import into the Balance. To do this we will install and use an openssl utility. (Yes we could have just installed this from the start and used it to generate the private key and the CSR but I find it easier and faster to do from the Windows GUI)
  20. You can download and install a Windows compiled version of openssl from Win32/Win64 OpenSSL Installer for Windows - Shining Light Productions
  21. You will probably also need to install the Visual C++ 2008 redistributable from the same site first, so follow the link on their website for that as well.
  22. Once installed, open a command prompt and go to C:\OpenSSL-Win32\bin\ or wherever you installed openssl to.
  23. Run the following command to convert the file and enter your password when prompted: openssl pkcs12 -in c:\cert.pfx -out c:\cert.pem -nodes
  24. The -nodes option will leave the PEM file unencrypted. I did this to make it easier to import into the Balance but you can leave it off if you like. I have not tested that though.
  25. Open the PEM file in a text editor. You will notice some bag attribute sections as well as the private and public key(s).
  26. Open the Balance web admin page and navigate to Network -> Certificate Manager. Click assign next to Web Admin SSL Certificate.
  27. Paste the private key and surrounding bag attributes in the private key box, paste the public key(s) and surrounding bag attributes in the public key box. Fill in the password if the private key is encrypted.
  28. If you click show details you can verify it has read the key information correctly.
  29. Click save and apply local certificate.
  30. Done. No need to apply settings or anything. Close your browser window and reopen the web interface to test. If you assigned SANs, test those too. At this point you should either securely erase or securely back up the certificate information you exported from the Windows certificate store. You should note that if you must replace or reflash your Balance in the future, you will lose the private key, as it will not be exportable from the Balance. So make sure you back it up some place secure if you do not wish to reissue a new one later. Also note that if you encrypted the private key in the file you are backing up, you should make note of the password as well.

I hope this helps anyone in doubt about how to accomplish this.
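As an added example (this is not code from the post above and not Peplink's own tooling), here is the openssl side of steps 23 to 27 as a POSIX shell script: convert the exported PFX to a PEM bundle, split that bundle into the private-key and certificate pieces the two Certificate Manager boxes take, and check that the key really belongs to the certificate before pasting. File names are assumptions, and the sample bundle it runs on is a constructed stand-in with placeholder base64 bodies, so the split runs without openssl; the conversion and match check need openssl on the PATH and are meant to be run on a real export.

```shell
#!/bin/sh
# Added example, not from the original post. Converts the PFX exported from
# the Windows certificate store, splits the PEM bundle into the key and
# certificate pieces the Balance asks for, and checks they belong together.
# File names are assumptions; the sample bundle below is constructed.
set -eu

# Step 23 as a function: PKCS#12 export -> unencrypted PEM bundle.
# Prompts for the PFX password. Requires openssl on PATH.
pfx_to_pem() {
    openssl pkcs12 -in "$1" -out "$2" -nodes
}

# Copy only the private key block out of a bundle, leaving the
# "Bag Attributes" and "Key Attributes" lines behind. Matches the PKCS#8,
# legacy RSA/EC and encrypted header variants openssl can emit.
extract_private_key() {
    awk '/^-----BEGIN (RSA |EC |ENCRYPTED )?PRIVATE KEY-----/ { p = 1 }
         p { print }
         /^-----END (RSA |EC |ENCRYPTED )?PRIVATE KEY-----/ { p = 0 }' "$1"
}

# Copy every certificate block (the leaf first, then any chain certs the
# export wizard included) out of a bundle.
extract_certificates() {
    awk '/^-----BEGIN CERTIFICATE-----/ { p = 1 }
         p { print }
         /^-----END CERTIFICATE-----/ { p = 0 }' "$1"
}

# How many certificate blocks a file holds; prints 0 if none.
count_certificates() {
    grep -c '^-----BEGIN CERTIFICATE-----' "$1" || true
}

# Split a bundle into a key file ($2) and a certificate file ($3): the
# contents of the two boxes in Certificate Manager (step 27), without
# the bag attributes. The key file is the secret, so restrict it at once.
split_bundle() {
    extract_private_key "$1" > "$2"
    extract_certificates "$1" > "$3"
    chmod 600 "$2"
}

# Does the private key match the first certificate in the chain file?
# Compares the public key derived from each. Requires openssl on PATH.
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout)
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey)
    [ "$key_pub" = "$cert_pub" ]
}

# Constructed stand-in for what "openssl pkcs12 ... -nodes" writes (step 25):
# bag attributes interleaved with one key and two certificates. The base64
# bodies are placeholders, not a real key or certificate.
sample_bundle() {
    cat <<'EOF'
Bag Attributes
    localKeyID: 01 02 03 04
    friendlyName: balance-webadmin
Key Attributes: <No Attributes>
-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwPLACEHOLDERKEY000000000000000
-----END PRIVATE KEY-----
Bag Attributes
    localKeyID: 01 02 03 04
    friendlyName: balance-webadmin
subject=/CN=balance.example.internal
issuer=/CN=Example Internal CA
-----BEGIN CERTIFICATE-----
MIIDPLACEHOLDERLEAFCERT00000000000000000000000000000000000000000
-----END CERTIFICATE-----
Bag Attributes: <Empty Attributes>
subject=/CN=Example Internal CA
issuer=/CN=Example Internal CA
-----BEGIN CERTIFICATE-----
MIIDPLACEHOLDERISSUERCERT000000000000000000000000000000000000000
-----END CERTIFICATE-----
EOF
}

# Walk the split on the constructed bundle (no openssl needed). On a real
# export run: pfx_to_pem cert.pfx cert.pem;
#             split_bundle cert.pem key.pem certs.pem;
#             key_matches_cert key.pem certs.pem && echo "key and cert match"
demo_split() {
    dir=$(mktemp -d)
    sample_bundle > "$dir/cert.pem"
    split_bundle "$dir/cert.pem" "$dir/key.pem" "$dir/certs.pem"
    echo "key lines: $(grep -c '' "$dir/key.pem"), certificates: $(count_certificates "$dir/certs.pem")"
    rm -rf "$dir"
}

demo_split
```

The post reports that the Balance accepts the bag attributes pasted along with each block, so the split is a convenience rather than a requirement; the match check is the part worth keeping, since a key pasted beside the wrong certificate is the usual reason an upload is accepted but the browser still rejects the site. Leaving `-nodes` off `pfx_to_pem` gives an encrypted key block instead, which the extractor also recognises and which then needs the password field in Certificate Manager.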

Nice tutorial for windows!

This is a well-structured and thorough tutorial on using a custom SSL certificate for the web administration page. Thank you and well done, bberkemier.

For your time on this tutorial, and your willingness to help your fellow forum members, you deserve to be more than a Junior Member of the forum. We will give you a special designation you deserve.

Contributing members, like you bberkemier, will be awarded special designations and will enjoy distinct privileges, including but not limited to, discounted purchases, limited edition products and access to reserved forum areas. We will wrap up the details and announce it on the forum soon.

For those who want to join the league, keep an eye out!

Well shucks, thanks! :smiley:

bberkemier: At step 12, did you select a specific web server type with your CA? I’m up to that point, but Namecheap is asking for a server type, and I’m not sure what’s required. Part of me wants to assume that Apache+OpenSSL would work, since it seems logical that the Balance would be essentially a LAMP box, but there’s no documentation on that point.

Thanks in advance…

What is the concept here?
Is it to install a server cert so that I no longer get the errors about self-signed certs when I access the web UI with

https://192.168.1.x:999

Or, is this a client cert that replaces a password for logging in to the web UI?

It’s the former: Installing your own cert secures your traffic over the admin interface as against forgery by Peplink or someone who stole their root cert.

Thank you.