zyxel N4100 gateway - Problems with SSL certificate on welcome page (google chrome)

Zyxel_Cooldia

Hi @Maze,
You rock!  Thanks for sharing the information with us.
Following your procedure, it did the trick.

Jaume

Hi @Maze,
I await your explanation in pdf and I thank you for your effort in finding and sharing a solution

TST

Hello @Maze

I also await for the explanation as it didn't work out for me. The certificate is indeed registered (with 192.168.0.1 for example) but after that I didn't find the way to "disable" the certificate. My only options in Advanced>System are to enable the original one or the one I just made (Customer Certificate). With Firefox I can see the certificate is mine and add an exception but with Chrome it still doesn't want to enable the access.

Thanks.

Jaume

Hi @Maze,
I think we are many who have this problem and ZYXEL would have to find a quick and easy solution for all.

Miquel

Thanks @Maze, you save my live!
@TST to disable certificate Advanced->Authentication->SSL Login Disable
I've used 10.0.0.1 in the certificate creation process.

Maze

Hello @Miquel, I think is an excellent solution  

You already answer to @TST, that is how you disable the SSL certificate

divebear

Hi @all,

that zyxel will present us a new firmware without this error - I don't believe in that.

I opened a support- ticket for exact this problem and recieved a translated version of Maze's Post.

Actually they are collecting the cases and waiting for a patch from the engineering...

The bad thing is that I cannot create a SSL certificate how Maze described it.

I tried it with OpenSSL (version 1.1.0h) on my Windows 7 64Bit- PC and with a Debian Linux- server (OpenMediaVault 4.x) but when I entered the second command I was not asked for an IP-address in the process of creating the certificate.

I also tried another Blog-Entry "How to make a OpenSSL- certificate on Windows" (in German Language: https://www.andysblog.de/windows-mit-openssl-ein-selbstsigniertes-zertifikat-erstellen) - the commands are nearly the same but also I wasn't asked for an IP-address. Questions for RegionCode, City, Company, eMail-address, etc. - but no question for an IP-address...

Does anyone know a solution for this problem?

percoco

@divebear I think you should put the ip address in "Common Name" filed, when you generate your certificate.
@all Anyone knows if I would have the same issue with a new product like UAG4100 or UAG5100? Thanks for answer.

lalaland

I follow the instruction, it works fine.

Hope it is useful to everyone.

Prerequisites
Linux OS with openssl tool installed
-sudo apt-get install openssl
-sudo apt-get install libssl-dev
Certificate generate procedure
1. Generate private key
   openssl genrsa -des3 -out private.key 2048

  

   Note. Do not forget pass phase for private key
2. Generate CA request file for enrollment
    openssl req -new -key private.key -out CertificateReq.csr

    
    Fill out these fields as prompted, here is the example,
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Country Name (2 letter code) [AU]:
   State or Province Name (full name) [Some-State]:
   Locality Name (eg, city) []:
   Organization Name (eg, company) [Internet Widgits Pty Ltd]:
   Organizational Unit Name (eg, section) []:
   Common Name (e.g. server FQDN or YOUR name) []:6.6.6.6  <= There is no need to configure same as device interface LAN IP
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
3.CA Self-sign the certificate with private key
   openssl x509 -req -days 1095 -in CertificateReq.csr -signkey private.key -out Certificate.crt
  
Import certificate to N4100
1.  Copy Certificate.crt and private.key to local PC
2.  Go to “SYSTEM TOOLS > SSL CERTIFICATE”,
Password = Pass phase
Certificate File = Certificate.crt
Private Key File = private.key
 
After certificate import successfully, it will show message as below.

Jaume

It's not easy but you can do it. Thanks @Maze and @lalaland.