zyxel N4100 gateway - Problems with SSL certificate on welcome page (google chrome)

24

Comments

  • Zyxel_Cooldia
    Zyxel_Cooldia Posts: 1,511  Zyxel Employee
    Zyxel Certified Network Administrator - Security Zyxel Certified Sales Associate 100 Answers 1000 Comments
    edited June 2018
    Hi @Maze,
    You rock!  ;) Thanks for sharing the information with us.
    Following your procedure, it did the trick.
  • Jaume
    Jaume Posts: 9  Freshman Member
    First Comment Friend Collector
    Hi @Maze,
    I await your explanation in pdf and I thank you for your effort in finding and sharing a solution
  • TST
    TST Posts: 1  Freshman Member
    First Comment Friend Collector First Anniversary
    Hello @Maze
    I also await for the explanation as it didn't work out for me. The certificate is indeed registered (with 192.168.0.1 for example) but after that I didn't find the way to "disable" the certificate. My only options in Advanced>System are to enable the original one or the one I just made (Customer Certificate). With Firefox I can see the certificate is mine and add an exception but with Chrome it still doesn't want to enable the access.
    Thanks.

  • Jaume
    Jaume Posts: 9  Freshman Member
    First Comment Friend Collector
    Hi @Maze,
    I think we are many who have this problem and ZYXEL would have to find a quick and easy solution for all.
  • Miquel
    Miquel Posts: 1  Freshman Member
    First Comment Friend Collector
    Thanks @Maze, you save my live!
    @TST to disable certificate Advanced->Authentication->SSL Login Disable
    I've used 10.0.0.1 in the certificate creation process.
  • Maze
    Maze Posts: 6  Freshman Member
    First Comment Friend Collector
    Hello @Miquel, I think is an excellent solution :) 

    You already answer to @TST, that is how you disable the SSL certificate

    :)
  • divebear
    divebear Posts: 1  Freshman Member
    First Comment
    edited June 2018
    Hi @all,

    that zyxel will present us a new firmware without this error - I don't believe in that.
    I opened a support- ticket for exact this problem and recieved a translated version of Maze's Post.
    Actually they are collecting the cases and waiting for a patch from the engineering...

    The bad thing is that I cannot create a SSL certificate how Maze described it.
    I tried it with OpenSSL (version 1.1.0h) on my Windows 7 64Bit- PC and with a Debian Linux- server (OpenMediaVault 4.x) but when I entered the second command I was not asked for an IP-address in the process of creating the certificate.

    I also tried another Blog-Entry "How to make a OpenSSL- certificate on Windows" (in German Language: https://www.andysblog.de/windows-mit-openssl-ein-selbstsigniertes-zertifikat-erstellen) - the commands are nearly the same but also I wasn't asked for an IP-address. Questions for RegionCode, City, Company, eMail-address, etc. - but no question for an IP-address...

    Does anyone know a solution for this problem?




  • percoco
    percoco Posts: 4  Freshman Member
    First Comment Friend Collector Fifth Anniversary
    @divebear I think you should put the ip address in "Common Name" filed, when you generate your certificate.
    @all Anyone knows if I would have the same issue with a new product like UAG4100 or UAG5100? Thanks for answer.
  • lalaland
    lalaland Posts: 90  Ally Member
    First Answer First Comment Friend Collector Sixth Anniversary
    I follow the instruction, it works fine.
    Hope it is useful to everyone. =)

    Prerequisites
    Linux OS with openssl tool installed
    -sudo apt-get install openssl
    -sudo apt-get install libssl-dev
    Certificate generate procedure
    1. Generate private key
       openssl genrsa -des3 -out private.key 2048
      
       Note. Do not forget pass phase for private key
    2. Generate CA request file for enrollment
        openssl req -new -key private.key -out CertificateReq.csr
        
        Fill out these fields as prompted, here is the example,
       ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
       Country Name (2 letter code) [AU]:
       State or Province Name (full name) [Some-State]:
       Locality Name (eg, city) []:
       Organization Name (eg, company) [Internet Widgits Pty Ltd]:
       Organizational Unit Name (eg, section) []:
       Common Name (e.g. server FQDN or YOUR name) []:6.6.6.6  <= There is no need to configure same as device interface LAN IP
       ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    3.CA Self-sign the certificate with private key
       openssl x509 -req -days 1095 -in CertificateReq.csr -signkey private.key -out Certificate.crt
      
    Import certificate to N4100
    1.  Copy Certificate.crt and private.key to local PC
    2.  Go to “SYSTEM TOOLS > SSL CERTIFICATE”,
    Password = Pass phase
    Certificate File = Certificate.crt
    Private Key File = private.key
     
    After certificate import successfully, it will show message as below.




  • Jaume
    Jaume Posts: 9  Freshman Member
    First Comment Friend Collector
    It's not easy but you can do it. Thanks @Maze and @lalaland.

Security Highlight