Skip to content

Instantly share code, notes, and snippets.

@davidbalbert

davidbalbert/gist:6815258

Last active April 27, 2025 02:06
Show Gist options
  • Save davidbalbert/6815258 to your computer and use it in GitHub Desktop.
Save davidbalbert/6815258 to your computer and use it in GitHub Desktop.
Download ZIP
How to install custom SSL certificates on an ASUS RT-N66U running asuswrt-merlin
Raw
gistfile1.txt
###########################################
# IMPORTANT NOTE:
#
# As of asuswrt-merlin 380.67 Beta, you
# can now configure SSL certificates from
# the Webui, making these instructions
# unnecessary.
###########################################
# First, enable SSH in the Administration->System tab.
# Then log in to the device.
# Verify that https_crt_save is off
admin@RT-N66U:/tmp/home/root# nvram get https_crt_save
0
# Enable https_crt_save and verify that it was set correctly
admin@RT-N66U:/tmp/home/root# nvram set https_crt_save=1
admin@RT-N66U:/tmp/home/root# nvram get https_crt_save
1
# Write your custom key and certificate to the ephemeral file system.
# Note that these files will not be preserved on restart.
admin@RT-N66U:/tmp/home/root# cat >/etc/key.pem
# paste in key
admin@RT-N66U:/tmp/home/root# cat >/etc/cert.pem
# paste in cert
# Verify https_crt_file is empty
admin@RT-N66U:/tmp/home/root# nvram get https_crt_file
admin@RT-N66U:/tmp/home/root#
# Restart httpd. When httpd starts up with https_crt_save enabled, it does the
# following: If /etc/cert.pem and /etc/key.pem exist, it tars them together and
# saves them in https_crt_file. If they do not exist (this would be the case
# on reboot) and https_crt_file exists, httpd will extract the contents of
# https_crt_file. You can see how this works in the start_ssl function here:
# https://github.com/RMerl/asuswrt-merlin/blob/master/release/src/router/httpd/httpd.c
admin@RT-N66U:/tmp/home/root# service restart_httpd
# Ensure https_crt_file is now full
admin@RT-N66U:/tmp/home/root# nvram get https_crt_file
# ...snip...
# Reboot AP to make sure cert is put back on boot
admin@RT-N66U:/tmp/home/root# reboot
@cristit
Copy link

cristit commented Sep 21, 2024
edited
Loading

Yep, that was the missing piece of the puzzle.

Extracting the existing /jffs/cert.tgz into a temp subdir, overwriting etc/key.pem and etc/cert.pem and recreating /jffs/cert.tgz then running nvram set https_crt_save=1 and service restart_httpd seems to do the trick.

Finally !! Thanks for your help !

I tryed exactly this and checked the md5 sum:
Before copy cert.tgz to /jffs/cert.tgz md5 was: ef7ba5b1ec34074a56c1349653860d82
after copy: 899f0ec767378c8e5a84079d4e6315d3 /jffs/cert.tgz
then I ran following commands:

nvram set https_crt_save=1
service restart_httpd

after last command, the md5 was ef7ba5b1ec34074a56c1349653860d82 (as initial).
I'm using: 3.0.0.4.388_24328-g1e6e634
any idea?

@janedenone
Copy link

after last command, the md5 was ef7ba5b1ec34074a56c1349653860d82 (as initial). I'm using: 3.0.0.4.388_24328-g1e6e634 any idea?

Same here. I am happy for everyone who managed to upload and activate their own certificate, but lost hope for myself.

@andrewtcrooks
Copy link

andrewtcrooks commented Apr 27, 2025
edited
Loading

I am using firmware 3004.388.9 and I'm having the same issue.

My sys log says this after i uploaded my own certificates:

  Apr 26 18:58:45 httpd: Can't get basic constrain from /jffs/.cert/cert.pem
  Apr 26 18:58:45 httpd: Delete uploaded certificate
  Apr 26 18:58:48 admin: Waiting 5 seconds for VPN...

and ChatGPT says this:

  this exact error:
  
  httpd: Can't get basic constrain from /jffs/.cert/cert.pem
  httpd: Delete uploaded certificate

  means:
  your uploaded SSL certificate is being rejected by the Asuswrt-Merlin firmware because it doesn’t contain a required X.509 extension called the Basic Constraints field.
  


  Specifically, Merlin expects certificates to include:
  
  ✅ X509v3 Basic Constraints
  
  ✅ X509v3 Subject Key Identifier
  
  ✅ X509v3 Authority Key Identifier
  
  If these aren't present exactly right, httpd (the web interface server) auto-deletes your uploaded cert.
  
  ✍ Why this happens:
  Since 2024 and even stronger with firmware builds 3004.388.6 → 3004.388.9,
  Merlin strictly enforces proper X.509 standards.
  They're trying to block bad SSL setups that could crash or expose the router.
  
  Old simple OpenSSL certs (without these extensions) get rejected now.
  
  🛠 How you fix it:
  You need to regenerate your certs with an openssl.cnf that includes:
  
  bash
  Copy
  Edit
  basicConstraints = CA:FALSE
  subjectKeyIdentifier = hash
  authorityKeyIdentifier = keyid,issuer
  ✅ This will make the router happy.
  ✅ It will keep your Root CA as is, no need to redo that.
  ✅ Only the server certs (e.g., for rt.datanovaconsulting.com) need updating.

I hope this clears things up for everyone concerning their custom certificates issues!!!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment