Installing a Public SSL Certificate on a Ubiquiti ER-X Router

Project status: complete

Objective: get the web interface of a Ubiquiti ER-X EdgeRouter to use a public certificate, in order to prevent browser warning messages.

This is partly based on this post.

Overview of the procedure:

  1. obtain a Certificate issued by a Trusted CA
    • prepare a CSR (Certificate Signing Request) for the router;
    • send the CSR to your third party SSL certificate supplier;
    • retrieve the signed certificate, AND the CA root certificate, AND any intermediate certificates.
  2. copy the certificate files to the router and configure the router to use them instead of the default;
  3. adjust your DNS settings so that the url you use to access the router matches the certificate.

Obtaining the Certificate

SSH to the router, start a shell, and get root privileges:

$ sh
$ sudo -i

As indicated in this Ubiquiti forum thread, the SSL files must be stored in the /config/ directory to be persistent across firmware updates. We create an ssl subdirectory to keep the files:

$ cd /config/
$ mkdir ssl

Let's start by creating the CSR:

$ cd /config/ssl/
$ openssl req -sha256 -out server.csr -new -newkey rsa:2048 -nodes -keyout server.key

For the CSR, use:

Copy the content of the /config/ssl/server.csr file in the clipboard. When submitting the CSR to the certificate authority, select the Apache/ModSSL format.

Installing the Certificate Files

Create a file containing the server certificate, and paste the content of the certificate:

$ cat > /config/ssl/server.crt

Optionally, create the intermediate certificate file:

$ cat > /config/ssl/intermediate.crt

Then create the PEM file containing both the certificate the private key:

$ cat /config/ssl/server.crt /config/ssl/private/server.key > /config/ssl/server.pem

Now switch back to the admin interface and set the options to use the new certificate:

set service gui ca-file /config/ssl/intermediate.crt
set service gui cert-file /config/ssl/server.pem

DNS Configuration

Make sure a DNS record for the hostname exists.