Trouble importing router certificate for HTTPS
I would like to use HTTPS to access my router's web interface without having to bypass the "Warning: Potential Security Risk Ahead" page.
Following my router's instructions I exported the certificate. I then accessed the Privacy & Security settings in Preferences, and under View Certificates I imported the router's certificate.
When opening the HTTPS web interface Firefox reports SEC_ERROR_INADEQUATE_KEY_USAGE.
Izmjenjeno
Izabrano rješenje
Joe Buckner said
My preferences are set to permanent private browsing. With this preference it seems Firefox will only create a temporary exception. ... I am not technically proficient to know if this is a design bug or a security feature.
Someone was very thorough in figuring out the unexpected locations on disk that URLs you visited during recent sessions might be discovered. ;-)
Final question. Is this solution to my problem (accessing my router's web interface without the warning message) safer than simply the default HTTP access given that Firefox does not accept the certificate?
There are two aspects:
(1) Verifying that the server is the one it says it is and not an impostor. This part fails when the certificate chain cannot be verified.
(2) Encrypting your session. This part is still useful if, for example, you are entering a password or other sensitive credentials. Using HTTPS prevents someone sniffing on the network from reading that.
Pročitaj ovaj odgovor u kontekstu 👍 0Svi odgovori (17)
This error could indicate that the router has a self-signed certificate, but the certificate's listed uses do not include being used to sign certificates.
Can you describe what you exported and where you imported it to?
Perhaps you could also link to the article with the instructions.
See also:
- Bug 1590217 - FF presents SSL Error: SEC_ERROR_INADEQUATE_KEY_USAGE
jscher2000 said
This error could indicate that the router has a self-signed certificate, but the certificate's listed uses do not include being used to sign certificates. Can you describe what you exported and where you imported it to? Perhaps you could also link to the article with the instructions.
I followed these instructions from ASUS. They are, however, written for Windows 10 and Google Chrome. So the part I followed was:
How to download certification from ASUSWRT and update to your Browser:
Step 1: Go to Administration -> System tab.
Authentication Method : Select HTTPS, and click Apply to save.
Step 2: Download certificate: Click Export button, then you will get a file named cert.tar.
Step 3: Unzip cert file.
To import the file I opened Firefox's Preferences -> Privacy & Security -> Certificates -> View Certificates -> Authorities -> Import.
cor-el said
See also:
- Bug 1590217 - FF presents SSL Error: SEC_ERROR_INADEQUATE_KEY_USAGE
I am not technically knowledgeable to understand most of this bug report.
I want to securely access my router's web interface via HTTPS. To do so I need to export a certificate from the router and import it to Firefox. Is my inability to do this merely because of the bug in question?
To import the file I opened Firefox's Preferences -> Privacy & Security -> Certificates -> View Certificates -> Authorities -> Import.
Try removing the certificate from the Authorities list -- it does not seem to be valid for signing certificates. Instead, try importing it to the Servers list in that same Certificate Manager dialog.
Does that work?
Note: the result would be similar to what happens if you do not import manually, but instead you go to the page and it says "Warning: Potential Security Risk Ahead" and you click the Advanced button and create an exception using the "Accept the Risk and Continue" button.
For some reason I am having trouble quoting and reply to jscher2000. Here is my reply:
The instructions I followed were from the ASUS website, but for Windows 10 and Google Chrome. So I only followed:
Step 1: Go to Administration -> System tab.
Authentication Method : Select HTTPS, and click Apply to save.
Step 2: Download certificate: Click Export button, then you will get a file named cert.tar.
Step 3: Unzip cert file (cert.crt)
To import the certificate into Firefox, I open up Preferences -> Privacy & Security -> Certificates -> View Certificates -> Authorities -> Import.
Hmm, where did the Import button go? I guess try adding an exception through the standard error page (the one you get without importing anything). Does that work?
I completely removed Firefox and all configuration files. After reinstalling Firefox and without importing the certificate this is what happens:
Error code: MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT
There is no option to Add Exception on this page.
After importing the certificate:
Error code: MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY
Further details of the error show: A certificate with a basic constraints extension with cA:TRUE is being used as an end-entity certificate.
I am not sure how to "Re-generate the end-entity certificate without the basic constraints extension" as suggested on the Mozilla Wiki.
Finally, in the Certification Manager I added an exception in the Servers tab. But this is only a temporary exception and I am not able to click Permanently store this exception.
Joe Buckner said
Error code: MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT There is no option to Add Exception on this page.
I can't test your device, but on the test page at https://self-signed.badssl.com/ , you usually can add an exception using this method:
click the Advanced button > click the Accept the Risk and Continue button
That creates a permanent exception by default. Perhaps there is some additional issue with your certificate that blocks that??
That only creates a temporary exception for me. My guess is my operating system, Debian, makes some changes to the Firefox package.
Joe Buckner said
That only creates a temporary exception for me. My guess is my operating system, Debian, makes some changes to the Firefox package.
You could take a look at this preference:
(1) In a new tab, type or paste about:config in the address bar and press Enter/Return. Click the button accepting the risk.
(2) In the search box in the page, type or paste certerr and pause while the list is filtered
(3) If the security.certerrors.permanentOverride preference has a value of false, double-click it to switch the value to true
The security.certerrors.permanentOverride preference shows a value of true.
You can try to set security.enterprise_roots.enabled = true on the about:config page.
You can open the about:config page via the location/address bar. You can accept the warning and click "I accept the risk!" to continue.
cor-el said
You can try to set security.enterprise_roots.enabled = true on the about:config page. You can open the about:config page via the location/address bar. You can accept the warning and click "I accept the risk!" to continue.
Still produces the same error.
jscher2000 said
Joe Buckner said
Error code: MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT There is no option to Add Exception on this page.I can't test your device, but on the test page at https://self-signed.badssl.com/ , you usually can add an exception using this method:
click the Advanced button > click the Accept the Risk and Continue button
That creates a permanent exception by default. Perhaps there is some additional issue with your certificate that blocks that??
I found the issue with this solution. My preferences are set to permanent private browsing. With this preference it seems Firefox will only create a temporary exception.
So I set browsing preferences to default, created a permanent exception and then changed back to permanent private browsing. The exception remains permanent.
I am not technically proficient to know if this is a design bug or a security feature.
Final question. Is this solution to my problem (accessing my router's web interface without the warning message) safer than simply the default HTTP access given that Firefox does not accept the certificate?
Yes, when you are in PB mode then you can only set a temporary exception and not a permanent exception. I remember that I had thought about posting this, but I had forgotten or otherwise had chosen not to mention this.
Odabrano rješenje
Joe Buckner said
My preferences are set to permanent private browsing. With this preference it seems Firefox will only create a temporary exception. ... I am not technically proficient to know if this is a design bug or a security feature.
Someone was very thorough in figuring out the unexpected locations on disk that URLs you visited during recent sessions might be discovered. ;-)
Final question. Is this solution to my problem (accessing my router's web interface without the warning message) safer than simply the default HTTP access given that Firefox does not accept the certificate?
There are two aspects:
(1) Verifying that the server is the one it says it is and not an impostor. This part fails when the certificate chain cannot be verified.
(2) Encrypting your session. This part is still useful if, for example, you are entering a password or other sensitive credentials. Using HTTPS prevents someone sniffing on the network from reading that.