Windows CA Certificate for Ubiquiti EdgeRouter

If you are one of those that wants or needs to generate a certificate for your EdgeRouter from a Windows Certificate Authority, here is what you will need to do.

First, the certificate authority will need a web server certificate template that allows the private key to be exported. The default Windows CA Web Server template does not.
Run certtmpl.msc to open the Certificate Templates Console on the certificate server.
We need to copy the Web Server certificate template, so right-click on it and choose “Duplicate Template.”

On the General tab, give it a display name and increase the validity if you want.

Then go to Request Handling tab and check “Allow private key to be exported.”

Now go to the Security tab and grant the “Enroll” permission to the workstation (computer account) you will request from, if it does not already have it. Then hit OK.

Now on the Certificate Authority, you will need to launch certsrv.msc and browse to the Certificate Templates folder.
If the new template you just created is not listed, follow the next steps. Otherwise skip this step.

Right-click the Certificate Templates folder, then New -> Certificate Template to Issue.

Select the template from the list and click OK.

From the workstation you granted Enroll permissions, you will need to launch MMC then add the Certificates snap-in.

Select the Computer account.

Local computer.

Expand Certificates -> Personal -> Certificates.
Right-click on Certificates, then All Tasks -> Request New Certificate…

Keep the default Active Directory Enrollment Policy and click Next.

Select the template created above, click the drop-down next to Details and then hit Properties.

Data that’s needed: Subject Name needs a Common name. Not sure what else is absolutely required, so I added Country, Locality, and State.
Under Alternative name, I added 3 DNS: edgerouter, edgerouter.domain.local, 192.168.1.1
Then IPv4: 192.168.1.1

Now go to the Private Key tab, expand Key options, make sure “Make private key exportable” is selected, then hit OK.

Then hit Enroll.

Depending on CA settings, the certificate should now be installed in this computer’s certificate store, though it is possible you will need to approve the pending request on the Certificate Authority first.

You should also be able to export the certificate with the private key.
Right-click on the certificate, then All Tasks -> Export.

Select “Yes, export the private key”

Keep the default selections (PFX, include all certificates in the certification path (might not be necessary), enable certificate privacy) and hit Next.

Check the password box and secure the certificate with a password, then hit Next.

Provide a name and location to export the certificate to, then hit Finish.

Now we will need to convert this PFX into a PEM file, as the EdgeRouter requires a PEM.

The PFX will need to be copied onto the EdgeRouter using WinSCP or the like. I currently use MobaXterm for SSH, which has a built-in SFTP that connects when SSH does.
I copied the file to /config/auth.
Then we need to convert using openssl with the following command:

openssl pkcs12 -in /config/auth/edgerouter_local.pfx -out /config/auth/edgerouter_local.pem -nodes

It will prompt for the password, and if successful, should then report:
MAC verified OK
Conversion success

Doing the above, since the PFX contained the whole certificate chain, you shouldn’t need to add the CA certificate, but I did anyway.
Export the CA certificate as Base-64 encoded X.509.
Copy it to the same location as the router certificate.
Enter configure mode, and use these commands to configure lighttpd (the EdgeRouter web server) to use the new certificates (change the file names to match yours, of course):

set service gui cert-file /config/auth/edgerouter_local.pem
set service gui ca-file /config/auth/ca_base64.cer

Nothing will happen until you:

commit

At that point the EdgeRouter restarts lighttpd with the new certificate.

If lighttpd errors out when trying to restart, something is wrong with the certificate.
The easiest way to recover is:

delete service gui cert-file /config/auth/edgerouter_local.pem
delete service gui ca-file /config/auth/ca_base64.cer
commit

lighttpd will restart again and the web interface should work, since this reverts to the default self-signed certificate.
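The “something is wrong with the certificate” case is easier to catch before the commit than after lighttpd has refused to restart. The POSIX shell function below is an added example, not part of the original post or of EdgeOS; it checks the converted PEM (and optionally the exported CA file) for the usual causes: missing or encrypted private key, key not matching the certificate, expired certificate, and a leaf that does not chain to the CA. The file paths are the ones used in this post.

```shell
#!/bin/sh
# Pre-flight checks for the PEM before running "set service gui cert-file".
# Added helper (not part of EdgeOS); run it on the router, which has openssl.
# Usage: check_gui_cert /config/auth/edgerouter_local.pem [/config/auth/ca_base64.cer]

check_gui_cert() {
    pem="$1"
    ca="$2"
    [ -r "$pem" ] || { echo "FAIL: cannot read $pem"; return 1; }

    # lighttpd expects the certificate and the private key in the same file
    grep -q -- '-----BEGIN CERTIFICATE-----' "$pem" \
        || { echo "FAIL: no certificate block in $pem"; return 1; }
    grep -qE -- '-----BEGIN (RSA |EC |ENCRYPTED )?PRIVATE KEY-----' "$pem" \
        || { echo "FAIL: no private key in $pem (key not exportable, or -nodes omitted?)"; return 1; }

    # An encrypted key cannot be loaded at restart: nobody is there to type the passphrase
    if grep -qE -- 'BEGIN ENCRYPTED PRIVATE KEY|Proc-Type: 4,ENCRYPTED' "$pem"; then
        echo "FAIL: private key is encrypted; re-run openssl pkcs12 with -nodes"; return 1
    fi

    # The remaining checks need openssl
    command -v openssl >/dev/null 2>&1 \
        || { echo "WARN: openssl not found, skipped key/chain checks"; return 0; }

    # The public key inside the certificate must match the private key in the file
    cert_pub=$(openssl x509 -in "$pem" -noout -pubkey 2>/dev/null) \
        || { echo "FAIL: certificate block is not parseable"; return 1; }
    key_pub=$(openssl pkey -in "$pem" -pubout 2>/dev/null) \
        || { echo "FAIL: private key block is not parseable"; return 1; }
    [ "$cert_pub" = "$key_pub" ] \
        || { echo "FAIL: private key does not match the certificate"; return 1; }

    # The certificate must be valid right now
    openssl x509 -in "$pem" -noout -checkend 0 >/dev/null \
        || { echo "FAIL: certificate has expired"; return 1; }

    # With a CA file given, the leaf must chain to it (what browsers will check)
    if [ -n "$ca" ]; then
        openssl x509 -in "$pem" | openssl verify -CAfile "$ca" >/dev/null 2>&1 \
            || { echo "FAIL: certificate does not verify against $ca"; return 1; }
    fi

    echo "OK: $(openssl x509 -in "$pem" -noout -subject -enddate | tr '\n' ' ')"
    return 0
}
```

Run it as `check_gui_cert /config/auth/edgerouter_local.pem /config/auth/ca_base64.cer` from the router shell; a non-zero exit and a FAIL line tell you what to fix before you commit.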
