Hi
This script lets you generate and install self-signed certificates so that your browser does not show HTTPS errors.
Important information:
- You must execute this script on the client device, not directly on the router
- Do not use Windows for this script; in my testing it failed there
- It can be run on Termux, but it is strongly recommended to run it on native Linux
Manual generation
#!/bin/bash
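#######################################
# Bundle the generated material for distribution: the CA certificate for
# client devices and the server certificate/key for the server.
# Globals:   PASSPHRASE (read) - when non-empty it is written to passphrase.txt
#            and added to the server archive
# Outputs:   to_device.zip, to_server.zip in the current directory
# Returns:   0 on success, 1 if writing the passphrase or any zip step fails
#######################################
create_archives() {
  zip to_device.zip ca.crt || return 1
  zip to_server.zip server.crt server.key || return 1
  if [ -n "$PASSPHRASE" ]; then
    # umask 077 keeps the plaintext secret owner-readable only; printf avoids
    # echo mangling passphrases that start with '-' or contain backslashes.
    ( umask 077 && printf '%s\n' "$PASSPHRASE" > passphrase.txt ) || return 1
    zip to_server.zip passphrase.txt || return 1
    # The secret now lives only inside the archive; do not leave a loose copy
    # behind, and keep the archive itself private.
    rm -f -- passphrase.txt
    chmod 600 to_server.zip
  fi
}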
#######################################
# Print the follow-up steps for using the generated archives.
# Globals:   none
# Arguments: none
# Outputs:   four lines of usage notes to stdout
#######################################
display_info() {
  cat <<'EOF'
Additional Information:
1. Import 'ca.crt' from 'to_device.zip' to your device to trust the CA.
2. Use 'server.crt' and 'server.key' from 'to_server.zip' for server configuration.
3. If a passphrase was set, use 'passphrase.txt' from 'to_server.zip' for the server key.
EOF
}
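# Interactive flow:
#   1. generate ca.key / server.key (optionally AES-256 encrypted)
#   2. choose the validity period
#   3. create the CA certificate, the server CSR and the CA-signed server cert
#   4. build the archives and optionally print usage notes
# Globals written: PASSPHRASE (read by create_archives), CERT_VALIDITY

# openssl options for reading an encrypted private key; stays empty when the
# keys were generated without a passphrase.
passin=()
while true; do
  read -r -p "Do you want to set up passphrase protection (y/n)? " passphrase_protect
  if [ "$passphrase_protect" = "y" ]; then
    read -r -s -p "Enter passphrase: " PASSPHRASE
    echo
    read -r -s -p "Confirm passphrase: " PASSPHRASE_CONFIRM
    echo
    if [ -z "$PASSPHRASE" ]; then
      echo "Passphrase must not be empty. Try again."
    elif [ "$PASSPHRASE" = "$PASSPHRASE_CONFIRM" ]; then
      unset PASSPHRASE_CONFIRM
      # env: keeps the passphrase out of the process list; pass:"$PASSPHRASE"
      # on the command line is visible to every local user via ps.
      export PASSPHRASE
      openssl genrsa -aes256 -passout env:PASSPHRASE -out ca.key 2048 || exit 1
      openssl genrsa -aes256 -passout env:PASSPHRASE -out server.key 2048 || exit 1
      passin=(-passin env:PASSPHRASE)
      break
    else
      echo "Passphrases do not match. Try again."
    fi
  elif [ "$passphrase_protect" = "n" ]; then
    PASSPHRASE=
    openssl genrsa -out ca.key 2048 || exit 1
    openssl genrsa -out server.key 2048 || exit 1
    break
  else
    echo "Invalid option. Try again."
  fi
done

while true; do
  read -r -p "Set certificate expiry days (default (d) or custom (c))? " expiry_option
  if [ "$expiry_option" = "d" ]; then
    CERT_VALIDITY=3650
    break
  elif [ "$expiry_option" = "c" ]; then
    read -r -p "Enter custom expiry days: " CERT_VALIDITY
    # The value is passed straight to openssl -days; accept only a positive integer.
    if [[ "$CERT_VALIDITY" =~ ^[1-9][0-9]*$ ]]; then
      break
    fi
    echo "Expiry days must be a positive whole number. Try again."
  else
    echo "Invalid option. Try again."
  fi
done

# Self-signed CA certificate, then a server certificate signed by that CA.
# "${passin[@]}" supplies the passphrase to each step that reads an encrypted
# key, so the user is not prompted three more times.
openssl req -x509 -new -nodes -key ca.key "${passin[@]}" -sha256 -days "$CERT_VALIDITY" -out ca.crt || exit 1
openssl req -new -key server.key "${passin[@]}" -out server.csr || exit 1
# NOTE(review): no subjectAltName is added here; current browsers generally
# require one on the server certificate — consider an -extfile for the SAN.
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key "${passin[@]}" -CAcreateserial -out server.crt -days "$CERT_VALIDITY" -sha256 || exit 1
openssl x509 -in server.crt -text -noout
echo "Self-signed certificate created successfully!"
create_archives || exit 1

while true; do
  read -r -p "Do you want to know additional information (y/n)? " info_option
  if [ "$info_option" = "y" ]; then
    display_info
    break
  elif [ "$info_option" = "n" ]; then
    break
  else
    echo "Invalid option. Try again."
  fi
done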
Automated installation
#!/bin/bash
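# Non-interactive CA + server certificate generation, then deployment to the
# OpenWrt router's nginx over SSH (requires openssl, sshpass, ssh, scp).
# Fixes against the posted version:
#   - the server CSR was built from ca.key, so there was no separate server
#     key and the CA private key would have ended up as the server key;
#   - nothing was copied to the router, although the remote command expects
#     nginx.crt / nginx.key in root's login directory (it runs `mv nginx.*`);
#   - `rm /etc/nginx/nginx.*` failed (and skipped the install) when the
#     directory existed but held no such files.
set -e

openssl genrsa -out ca.key 2048
openssl req -x509 -new -nodes -key ca.key -sha256 -days 3650 -out ca.crt
openssl genrsa -out server.key 2048
openssl req -new -key server.key -out server.csr
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 3650 -sha256

# sshpass -e reads the password from $SSHPASS instead of argv, which keeps it
# out of the process list.
read -r -sp "Enter the router's SSH password: " SSHPASS
echo
export SSHPASS
read -r -p "Default IP is 192.168.8.1. Press 'd' if you want to use the default IP, or 'c' if you have a custom one." USER_CHOICE
case "$USER_CHOICE" in
  d) ROUTER_IP=192.168.8.1 ;;
  c) read -r -p "Enter custom IP for the router: " ROUTER_IP ;;
  *) echo "Invalid option. Exiting..."; exit 1 ;;
esac
# The value is spliced into ssh/scp command lines; accept only an IPv4 literal.
if ! [[ "$ROUTER_IP" =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}$ ]]; then
  echo "Invalid IP address. Exiting..."
  exit 1
fi

# Stage the server material in root's login directory under the names the
# remote command moves into /etc/nginx.
sshpass -e scp server.crt "root@$ROUTER_IP:nginx.crt"
sshpass -e scp server.key "root@$ROUTER_IP:nginx.key"
sshpass -e ssh "root@$ROUTER_IP" "if [ -d /etc/nginx ]; then rm -f /etc/nginx/nginx.*; fi && mkdir -p /etc/nginx && mv nginx.* /etc/nginx/ && chmod 600 /etc/nginx/nginx.key"

echo "Generated CA certificate located at ./ca.crt. Remember to install it on devices."
echo "You should remove CA file from device after installation for your safety (not mandatory, but recommended)"
read -r -p "If installation with this option did not work, try 'y'. For most cases, not recommended. (y/n)" UTIL_OPTION
if [ "$UTIL_OPTION" = "y" ]; then
  sshpass -e ssh "root@$ROUTER_IP" "nginx-util add_ssl _lan --cert=/etc/nginx/nginx.crt --key=/etc/nginx/nginx.key"
else
  echo "Skipping 'nginx-util' step."
fi
# The router password is no longer needed; drop it from the environment.
unset SSHPASS
echo "Certificates have been installed and configured on the OpenWRT router."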
Hope this will help!
Copyright
I allow copying and modifying this script, and including it in any guides, manuals or tutorials. But please don't forget to post a link to this thread.