How to create a Self-Signed Certificate and Import it to a Peplink Product


#1

Peplink routers can use certificates to apply that extra security to VPN connections, the Web Admin interface, the Captive Portal and for Mediafast devices to cache and deliver HTTPS content.

image

You can generate a self-signed certificate using open source software such as OpenSSL.
The instructions below are for Windows, but are similar for other Operating Systems.

Step 1 - install OpenSSL

OpenSSL software can be downloaded from the internet and is available for Windows, Linux and MacOS.
A quick search on the internet will lead you to a website to download the OpenSSL installer.
For this example, we downloaded a non light version of Wind32 Open SSL from : https://wiki.openssl.org/index.php/Binaries
After downloading; run the downloaded .exe file and follow the installation instructions.

Step 2 - Generate a private key

Once OpenSSL is installed, follow these steps to generate and apply a self-signed certificate.

In Windows, open a command prompt.
Change directory to the folder in which OpenSSL is installed (in this example C:\OpenSSL-Win32\bin )

Type the following command at the prompt and press Enter:

● openssl.exe genrsa -out private.key 2048

image

Step 3 - Generate a Certificate Signing Request (CSR)

Type the following command at the prompt and press Enter:

● openssl.exe req -out mycsr.csr -key private.key -new -sha256

You are prompted to fill in the following required fields, also shown in the example below.

Counttryname
Statename
Locality Name
Organization Name
Organizational Unit Name
Common Name
Emailaddress

image

Step 4 - Generate a Certificate Signing Request (CSR)

Both a private key and the CSR have now been created and we can create a self-signed certificate using both the private key and the CSR.

Type the following command at the prompt and press Enter:

● openssl x509 -req -sha256 -days 365 -in mycsr.csr -signkey private.key -out mycert.crt

image

Step 5 - import the private key and self-signed certificate into the Balance router

Open Windows Explorer and browse to the newly created private key and certificate as shown below.

image

We are now ready to import the private key and self-signed certificate into the Balance router
Log into the web admin of the Balance router and navigate to ‘Network’ > ‘Misc Settings’ > ‘Certificate Manager’.
Click on the ‘Edit’ button at ‘Web Admin SSL Certificate’.

image

A new window will pop up.

image

Use notepad to view the private key file.
Copy and paste the private key file’s content to the ‘Private Key’ field.
Make sure you enable ‘This key is encrypted’ and put in the correct password.

image

Use notepad to view the self-signed certificate file
Copy and paste the self-signed certificate file’s content to the ‘Local Public Key Certificate’ field.

Click ‘Save and Apply’ button to upload the private key and self-signed certificate to the Peplink router.

image

Step 6 - Verify the certificate

image


I bought a Digicert SSL Certificate and need help
#2

#4

#5

Thanks for the post, but this only provides so much understanding. I’m using a surf soho, and would like to implement certificates for all of my devices. Can you explain why we are using a certificate generated by openssl for our VPN Configuration? Furthermore, I am using a Mac. Can any of this be done using mac’s keychain assistant instead? Lastly, I am having a difficult time understanding the difference between the CSR and the CRT. If I am correct, the Private.key and .CRT files are the ones uploaded to the peplink device, but then what do we do with the leftover .csr file? Lastly, after changing certificates and going back to the routers web admin page, it shows a notice of an invalid certificate and that I might be connecting to a hacked device etc. etc. I understand that this is normal because my router is operating under a private IP address and doesn’t have a publicly signed certificate (Correct?), but since we created our certificate ourselves, shouldn’t we have something to upload into our keychain before this occurs, to verify that we are indeed connecting to the correct device? I’m familiar with ssh, and in the ssh scenario, you would add your device to your list of known_hosts, in order to prevent a similar message. Is there not a way to do this with ssl on a Mac? Furthermore, I’m not fully understanding why we aren’t keeping the private key on our registered devices, and only keeping the public key on the router, such as would be in an ssh login. Wouldn’t this be the most secure way to access the router… Having a private key on our local device that specifically matches the public key on the router to authenticate access? I guess I am more used to ssh and a bit confused on the difference when creating an ssl private and pub key for ssl. I would really appreciate any further elaboration on all of these differences and how exactly keys/certs/csr’s work. Thanks so much and I appreciate the response!


#6

Wikipedia provides an introduction to how public key infrastructures work (https://en.wikipedia.org/wiki/Public_key_infrastructure?wprov=sfti1) and to self-signed certificates (https://en.m.wikipedia.org/wiki/Self-signed_certificate). There is a ton of other sites and primers on PKI based security strategies available (e.g., https://www.whoishostingthis.com/compare/ssl-certificates/resources/).
Cool stuff! Enjoy!


#7

I will look into this. Thank you!


#8

Quick question for you that I cannot find on google. When creating a self-signed VPN certificate (particularly for peplink products), do you use openssl or do you use another protocol such as PGP? Are these protocols interchangeable for creating VPN certs? If not, which one is the standard? Thanks!