I was trying setup an RDP gateway through a Ubiquiti EdgeRouter today and ended up missing a big step that sent me down the path of updating the SSL certificate on an EdgeRouter. Not being one to read directions, I originally setup up the port forwarding on the EdgeRouter to only forward the RDP port 3389 to the RDP gateway server. Which resulted in RDP gateway connection attempts terminating on the EdgeRouter with a certificate error for the EdgeRouters default cert not being correct. I figured the EdgeRouter was doing SSL offloading or something causing the error. I have always wanted to replace the certificate on the EdgeRouter and used this as an excuse to replace it. Sadly EdgeRouter is lacking a GUI interface to upload or modify the SSL certificate. Which means you have to do it via an SSH connection to the command line.
Creating the PEM file
Before you can add the certificate to the router you need to create a server.pem file to house the certificate. Steve Jenkins provided most of the hints for the process – here , Thanks Steve. What Steve provides are the steps to create a cert request on the EdgeRouter and complete it on the EdgeRouter. Which was a good reference but not what I wanted to do. I already had a wildcard certificate installed on Windows Server I wanted to us. More sad face, Windows Exports as .pfx / pkcs12 file, which is not a pem file. More research later, I had to use OpenSSL to convert the PFX to a PEM; which looks like the following
- Download and install OPENSSL – http://slproweb.com/products/Win32OpenSSL.html
- Windows KEY + R (start run) MMC – to launch the cert console MMC.
- Export the Certificate and private key and certificate chain you want on the EdgeRouter. I created a file called PD.pfx
- Open a command window, browse to your OpenSSL install and run the following where pd.pfx is your file name and server.pem is the output file name :
openssl pkcs12 -in pd.pfx -out server.pem -nodes
Neat, you now have a pem file filled with all kinds of characters, basically an encoded certificate file. Below is what my file looked like with some random bits drawn over to protect the innocent.
Upload the File to EdgeRouter
There are many ways to place a file on an EdgeRouter, I chose to use Putty, as follows:
- Open a command window and browser to your putty folder.
- Run the following command to upload the file from the correct source path where admin@ is your login name, and 10.204.102.1 is your router IP address
pscp c:/servernew.pem firstname.lastname@example.org:/etc/lighttpd
- Login to EdgeRouter with putty, sudo -i to admin, move current server.pem file to some other name to save it. Then move your new file to server.pem to active it with the following commands:
mv server.pm server.pm.old
mv servernew.pm server.pm
- You can run cat server.pm to view the file contents and confirm. Once you’re happy, reboot the EdgeRouter try to login.