mini-httpd
Requirements
- you need to have followed firstlogin before attempting this
Installation
See →opkg for its usage.
opkg install mini-httpd
or
opkg install mini-httpd-openssl
or
opkg install mini-httpd-matrixssl
Configuration
Get mini-httpd-openssl working without SSL Certificate errors
As with Telnet, HTTP will transmit your usernames, passwords, and all data in clear text across the network. This means that anyone on the same subnet on either the client or the server networks could intercept the traffic and steal your credentials. Using packages from Backports, you can install an HTTPS-only Web server.
This guide will show you how to turn on SSL access to your OpenWrt running LuCI. Enabling https access to your router, and disabling http access, will provide greater security. This guide will also show you how to install your certificate in Windows 7, which will get rid of browser errors stating the certificate is not valid.
Note: My build at the time of this article was trunk (R27797).
Process Breakdown
- Create keys and certs
- Create mini_httpd.pem
- Install cert to Windows 7
- Upload mini_httpd.pem
- Enable / Start mini_httpd
- Test
- Disable http access
Back up your mini_httpd.pem
Next, get into the router using WinSCP (don't forget to change the protocol) and navigate to /etc.
Make a backup of mini_httpd.pem and keep it somewhere secure, in case you need to revert to this original key at some point.
What I did was copy the file to my desktop and rename it to mini_httpd-ORG.pem.
Creating the 128-bit key and certificate
Step 1: Using PuTTY to access the router over SSH, make the key and certificate with openssl by issuing this command:
openssl req -nodes -new > cert.csr
This requests the key and certificate creation. The -nodes option creates a key which will not be encrypted with a DES pass phrase, so mini_httpd can load it at boot without anyone typing a passphrase.
Optional: Create a 256-bit key and certificate
If you prefer to have stronger than 128-bit encryption, use this command instead to get 256-bit encryption:
openssl req -nodes -newkey rsa:2048 -new > cert.csr
Fill in the certificate
Step 2: Next enter this stuff based on your own info:
Country Name: US
State/Province: CA
Locality Name: Los Angeles
Organization Name: You may hit enter to leave blank.
Organization Unit Name: You may hit enter to leave blank.
Common Name: 192.168.1.1
Email Address: You may hit enter to leave blank.
Optional company name: You may hit enter to leave blank.
Note that the Common Name is VERY important. Without it entered properly, it will always error out. Make it the IP of the router, and do not suffix it with /cgi-bin/luci.
Convert and sign the certificate
Step 3: Lastly, issue this command:
openssl x509 -in cert.csr -out cert.pem -req -signkey privkey.pem -days 365
The x509 option converts the certificate request (.csr) into a .pem certificate. It then signs that certificate with privkey.pem and makes it valid for 1 year (365 days).
Grabbing the key and certificate
Use WinSCP to login and navigate to /root. Copy these 2 files to your OS, as you will be manipulating them (I threw mine on my desktop):
- cert.pem (copy to OS, then delete)
- privkey.pem (copy to OS, then delete)
- cert.csr (just delete)
Creating a new mini-httpd.pem
Open cert.pem with a text editor and copy the contents from the top, starting with:
-----BEGIN CERTIFICATE-----
all the way to the end, including the line
-----END CERTIFICATE-----
Open privkey.pem and, right after the line
-----END RSA PRIVATE KEY-----
(depending on your openssl version the key block is labelled either RSA PRIVATE KEY or PRIVATE KEY; either works), paste the contents of cert.pem that you copied onto the line below it.
It should look like this:
-----BEGIN PRIVATE KEY-----
RANDOM GARBLED ENCRYPTION
RANDOM GARBLED ENCRYPTION
RANDOM GARBLED ENCRYPTION
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
RANDOM GARBLED ENCRYPTION
RANDOM GARBLED ENCRYPTION
RANDOM GARBLED ENCRYPTION
-----END CERTIFICATE-----
Save privkey.pem, then rename it to mini_httpd.pem.
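The copy-and-paste step above is where most broken mini_httpd.pem files come from. The following is an added example (not from this wiki page or from mini_httpd itself) that checks a hand-assembled file before you upload it: it accepts both key block labels, rejects a BEGIN/END mismatch, stray editor text, corrupted base64 or a key that is still passphrase-protected (made without -nodes), and tolerates the CRLF line endings a Windows editor may add. The sample PEM bodies are constructed placeholders, not real key material.

```python
"""Sanity-check a hand-assembled mini_httpd.pem (private key plus certificate).
Added example, standard library only; not code from the OpenWrt wiki or mini_httpd."""
import base64
import binascii
import re

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END ([A-Z ]+)-----", re.DOTALL)
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY"}   # PKCS#8 or PKCS#1; mini_httpd loads either


def check_mini_httpd_pem(text):
    """Return (ok, message); ok is True only for exactly one usable key plus one certificate."""
    text = text.replace("\r\n", "\n")            # WinSCP/Notepad may have added CRLF
    labels = []
    for begin, body, end in PEM_BLOCK.findall(text):
        if begin != end:
            return False, f"BEGIN {begin} closed by END {end}"
        if begin == "ENCRYPTED PRIVATE KEY" or "DEK-Info:" in body:
            return False, "private key is passphrase-protected; regenerate with -nodes"
        try:
            base64.b64decode("".join(body.split()), validate=True)
        except binascii.Error:
            return False, f"{begin} block is not valid base64 (truncated paste?)"
        labels.append(begin)
    leftover = PEM_BLOCK.sub("", text).strip()   # anything that is not inside a block
    if leftover:
        return False, f"stray text outside PEM blocks: {leftover[:30]!r}"
    keys = [l for l in labels if l in KEY_LABELS]
    certs = [l for l in labels if l == "CERTIFICATE"]
    if len(keys) != 1 or len(certs) != 1 or len(labels) != 2:
        return False, f"need exactly one private key and one certificate, got {labels}"
    return True, "ok"


# Constructed placeholder bodies: valid base64, NOT real key or certificate material.
_KEY_BODY = base64.b64encode(b"constructed placeholder, not a real RSA key").decode()
_CERT_BODY = base64.b64encode(b"constructed placeholder, not a real certificate").decode()


def _block(label, body):
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


GOOD = _block("RSA PRIVATE KEY", _KEY_BODY) + _block("CERTIFICATE", _CERT_BODY)
KEY_ONLY = _block("PRIVATE KEY", _KEY_BODY)                  # forgot to paste cert.pem
STRAY = GOOD.rstrip("\n") + "Save\n"                         # editor text pasted after END line
ENCRYPTED = _block("RSA PRIVATE KEY", "Proc-Type: 4,ENCRYPTED\nDEK-Info: DES-EDE3-CBC,0011\n\n"
                   + _KEY_BODY) + _block("CERTIFICATE", _CERT_BODY)

if __name__ == "__main__":
    for name, pem in [("good", GOOD), ("key only", KEY_ONLY), ("stray", STRAY), ("encrypted", ENCRYPTED)]:
        print(f"{name}: {check_mini_httpd_pem(pem)}")
```

Run it against your real mini_httpd.pem by reading the file and passing its text to check_mini_httpd_pem; it never prints or logs the key material.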
Installing the certificate to Windows 7
To avoid your browser complaining that the SSL connection is not secure, we will install the certificate we made into the OS, so that it knows the certificate is trusted. Note: at this point in the guide you won't see those certificate errors in your browser yet, as the service is not started. They are what the browser will complain about once you have the service running but have not yet installed the certificate into your OS.
To accomplish this, we need to install cert.pem on the computer(s) accessing the WebGUI. On Windows 7 execute:
certmgr.msc
Next, on the left pane click on Trusted Root Certification Authorities, expand it, or double click on Certificates in the right pane. You should now see a bunch of other certificates.
Now, right-click in the right pane (or click Action in the toolbar) and choose 'All Tasks' then 'Import…'.
Click Next. Click Browse and, in the explorer window that pops up, change the file type filter (bottom right) from 'X.509 Certificate (*.cer,*.crt)' to 'All Files (*.*)', then select cert.pem from your Desktop.
Then click Next. Choose 'Place all certificates in the following store'. If 'Trusted Root Certification Authorities' is already selected, click Next, then Finish. If it is not, click Browse, select 'Trusted Root Certification Authorities' and click OK. Then click Next, and Finish.
Now it will issue a security warning. It warns you that it cannot validate that the certificate is actually from your router's IP address. As this is a self-signed certificate, you know it's from you, so click YES to install the certificate. It will then install successfully to the Trusted Root Certification Authorities. If you do not see it in the list, simply right-click in the right pane and choose 'Refresh'. Ta-da!
Uploading mini_httpd.pem and starting the service
Before you can access the router by HTTPS, you will need to do a couple more things: give the router the private key and certificate in the form of mini_httpd.pem, then enable and start the service.
We already created mini_httpd.pem above, so let's place it on the router where it belongs. Using WinSCP, login and navigate to /etc. Delete the existing mini_httpd.pem from the router (if you have been following this word for word, you should already have a backup named mini_httpd-ORG.pem on the desktop or wherever) and copy your created mini_httpd.pem over to /etc.
Once that is completed, you can close WinSCP.
Starting the service
/etc/init.d/mini_httpd enable
/etc/init.d/mini_httpd start
Testing
Try opening a browser and navigate to: https://192.168.1.1
If you have trouble, try:
- Clearing the cookies/cache in your browser.
- Incognito mode (Chrome) or InPrivate (Internet Explorer).
- Navigating to the full URL: https://192.168.1.1/cgi-bin/luci
You should get NO error regarding the certificate. :)
Shutting Down regular HTTP access (uhttpd) (2 ways)
/etc/init.d/uhttpd stop
/etc/init.d/uhttpd disable
To test that it's down, navigate to http://192.168.1.1 and it should error out.
Troubleshooting
Notes
doc/howto/http.mini-httpd.txt · Last modified: 2011/08/23 00:08 by orca