Use a Unique Self-Signed Certificate on the Router

Vigor Router allows the administrator to create and sign a custom certificate for SSL VPN and HTTPS connections. Due to security concerns, it is strongly recommended to have a unique private key on each device for self-signed SSL. This article shows how to generate a customized self-signed certificate and then replace the default one on the Vigor Router.

Create Root CA
  1. Make sure the router's time settings are correct. We strongly recommend that the router's time matches the client's, because clients check the certificate's validity period against their own clock.
  2. Go to Certificate Management >> Trusted CA Certificate, and click Create Root CA.
  3. Enter the identity of your organization in the subjects of Root CA, like the example below, and click Generate.
  4. The Root CA will be shown with status "OK". (NOTE: A router can only have one Root CA. To create a new Root CA, you’ll have to delete the old one first.)
Sign a Local Certificate with Root CA
  1. Go to Certificate Management >> Local Certificate, and generate a certificate request.
  2. Again, enter the identity of your organization for subjects, and click Generate.
  3. There will be a new local certificate request on the list with status Requesting. Click Sign to sign the local certificate.
  4. Set the date of Validity, and click Sign.
  5. The local certificate status will change to "OK".
Replace the Default Certificate
  1. Go to Certificate Management >> Local Services List, and for Default Certificate select the new certificate signed in the previous section.
  2. From the browser, we should see the certificate has changed to the one we set. Now the router is using a customized self-signed certificate.
Import Root CA on the PC

If the VPN Client requires server certificate authentication, please remember to import the router's Root CA on the PC.

  1. Go to Certificate Management >> Trusted CA Certificate. Export the certificate.
  2. Open this certificate and install it on the PC.

1. Check System Time

Ensure the router's system time is accurate by navigating to System Maintenance / Device Settings.

2. Create a Root CA

  • Navigate to Configuration / Certificates / Trusted CA and click Create.
  • Enter the identity details of your organization in the Root CA fields (e.g., Organization Name, Location, etc.), and click Apply.
  • Wait a few seconds until the Root CA is created successfully.

3. Generate a Local Certificate

  • Navigate to Configuration / Certificates / Local Certificates and click +Add.
  • Provide a Certificate Name.
  • Select Generate CSR as the method.
  • Fill in the certificate details.
  • Click Apply.
  • Wait a few seconds for the local certificate request to be generated. It will appear in the Requesting state.

4. Sign the Certificate

  • Click Sign to sign the certificate request using the previously created Root CA.
  • Select the desired Validity Period for the certificate and click Apply.

5. Verify Certificate Status

  • Wait a few seconds. Once the Status changes to Valid, the local certificate is successfully generated.

6. Use the Self-Signed Certificate

  • The self-signed certificate can now be used for the router’s HTTPS, TR-069, or IPsec VPN services.

7. Export the Router's Root CA, then import it to the client computer.

7-1. Export the Router's Root CA

  • Navigate to Configuration > Certificates > Trusted CA on the router
  • Click Export to save the Root CA file to your local computer

7-2. Import the Root CA to the Client Computer

  • On the client computer, open the Certificate Manager:
    • For Windows: Press Win + R, type certmgr.msc, and press Enter.
    • For macOS: Open Keychain Access from the Applications > Utilities folder.
  • Import the Root CA:
    • Windows:
      • In the Certificate Manager, navigate to Trusted Root Certification Authorities > Certificates.
      • Right-click in the Certificates list and choose All Tasks > Import.
      • Follow the wizard to select and import the Root CA file.
    • macOS:
      • Drag the exported Root CA file into the System keychain.
      • Double-click the certificate, expand the Trust section, and set When using this certificate to Always Trust.

8. Verify Trust

  • Ensure the imported Root CA is listed in the Trusted Root Certification Authorities (Windows) or System Keychain (macOS).
  • The client computer will now trust the router's local certificate for secure HTTPS connections, and it can establish an IKEv2 EAP VPN using the self-signed certificate.
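
The checks above can also be run from a client with the openssl CLI. The script below is an added example, not DrayTek tooling: it confirms that the certificate the router serves chains only to the exported Root CA and that its key pair differs from the default certificate. It assumes the Root CA was exported in PEM format and that a copy of the default certificate was saved before the swap; the host, port and file names are placeholders.

```shell
#!/bin/sh
# Added example, not DrayTek code. Requires the openssl CLI (OpenSSL 1.1.0+).
# Host, port and file names are assumptions; substitute your own.

# Save the leaf certificate the router presents on HOST:PORT as PEM.
fetch_leaf() {  # usage: fetch_leaf HOST PORT OUT.pem
  openssl s_client -connect "$1:$2" </dev/null 2>/dev/null \
    | openssl x509 -outform PEM > "$3"
}

# Print the SHA-256 fingerprint of a certificate's public key (SPKI).
spki_fp() {  # usage: spki_fp CERT.pem
  pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  printf '%s\n' "$pub" | openssl pkey -pubin -outform DER \
    | openssl dgst -sha256 | awk '{print $NF}'
}

# Succeed only if LEAF chains to the exported Root CA and nothing else
# (-no-CApath keeps the system trust store out of the decision).
chains_to_root() {  # usage: chains_to_root ROOTCA.pem LEAF.pem
  openssl verify -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1
}

# Succeed only if both certificates parse and carry different key pairs.
keys_differ() {  # usage: keys_differ CERT_A.pem CERT_B.pem
  a=$(spki_fp "$1") || return 1
  b=$(spki_fp "$2") || return 1
  [ "$a" != "$b" ]
}

# Return 0 only if the served leaf passes both checks.
audit_router_cert() {  # usage: audit_router_cert ROOTCA.pem LEAF.pem OLD_DEFAULT.pem
  rc=0
  chains_to_root "$1" "$2" || { echo "FAIL: leaf does not chain to the exported Root CA"; rc=1; }
  keys_differ "$2" "$3" || { echo "FAIL: leaf shares its key with the old default (or a file is unreadable)"; rc=1; }
  if [ "$rc" -eq 0 ]; then echo "OK: new key pair, chains to the exported Root CA"; fi
  return "$rc"
}

# Live use: sh check.sh ROUTER_HOST PORT ROOTCA.pem OLD_DEFAULT.pem
if [ $# -eq 4 ]; then
  fetch_leaf "$1" "$2" served-leaf.pem && audit_router_cert "$3" served-leaf.pem "$4"
fi
```

Running keys_differ on certificates fetched from two different routers shows whether those devices share a key pair.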

Published On: 2015-12-07