Member_2_5184886

Correct application of CA signed SSL certificate into Draytek Router

Hi all - calling all Draytek experts,

I am trying to configure a Draytek Router with an SSL certificate for SSL VPN, Wifi Radius authentication and remote access. I can generate a CSR on a different machine, have it signed by a CA, import it back to the same machine and then export it including the key, to then import to the Draytek as a PFX, no problem.

All appears to be working fine.

However, when testing the SSL security of the site/certificate at SSL Labs it says the chain is broken (most of the rest of the report is fine). Is this something I can prevent by a different approach? Am I doing something obviously wrong?

I have avoided generating the CSR from the Draytek, as, and correct me if I am wrong, the import into the client machines for Wifi Auth required the full Pfx. This approach did not work, but the former above does, i.e. I can transport the Key file in the Pfx.

So does anyone have a better idea / route to achieve the best solution to what should be fairly simple, or should I not even worry about the broken chain analysis when the SSL is working on browsers, SSL VPN and Wifi Radius?

Many, many thanks in advance to anyone that might be able to point me in the correct direction.

Dave.
ITguy565

I don't have an account any more with Draytek but here is a link that might assist you with this.

https://www.draytek.co.uk/support/guides/kb-local-certificate-management
Member_2_5184886

ASKER

Thanks IT Guy, and thank you for the link.

That is the route that I first tried, and it does indeed direct to produce an SSL certificate. The problem with that is it does not work (or I cannot make it work) with Wifi Authentication or SSL VPN certificate checking, as you cannot export the key with the certificate, i.e. the key never leaves the Draytek and thus you cannot import it into the required devices.

Or that is at least how I understand it. When producing a Certificate on a third machine, I can import a Pfx into the required devices and then Wifi Authentication and SSL VPN work.

Am I approaching the SSL in the correct manner? Everything appears to be working. It is just that, when checking the SSL via SSL Labs, it points out what 'appears' to be a minor fault, that is:

1       Sent by server       'my.domain.com' for example
2       Extra download       Go Daddy Secure Certificate Authority - G2
3       In trust store       Go Daddy Root Certificate Authority - G2   Self-signed

(I have removed the thumbprints and SHA details)

Perhaps I am getting too worried about something that isn't really a problem, or is it?

Or perhaps the question should be, should the Draytek also be sending the second Certificate in the list (above), and if so, how is this achieved? Again is this a problem?

Many thanks in advance for any assistance.

Dave.
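Added example, not from this thread or from Draytek's documentation: a POSIX shell script that builds a throwaway root > intermediate > leaf chain with openssl, then exports the same leaf and key twice, once as leaf-only (the "Extra download" situation SSL Labs reports when a server presents only the leaf) and once with the intermediate bundled via -certfile, and checks whether each PFX carries enough to complete the chain on its own. All names, paths and the "demo" password are constructed; whether a given Draytek firmware presents the bundled intermediate from an imported PFX is an assumption to confirm against the unit itself.

```shell
#!/bin/sh
# Added demo (not from the thread): a toy root -> intermediate -> leaf chain,
# then two PFX exports of the same leaf/key pair: one with only the leaf
# (what SSL Labs reports as "Extra download" when a server presents it) and
# one with the intermediate bundled via -certfile. All names are constructed.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Toy root CA (self-signed) and a subordinate intermediate CA.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > ca.ext
openssl req -newkey rsa:2048 -nodes -subj "/CN=Demo Root CA" -keyout root.key -out root.csr 2>/dev/null
openssl x509 -req -in root.csr -signkey root.key -days 30 -extfile ca.ext -out root.pem 2>/dev/null
openssl req -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate CA" -keyout inter.key -out inter.csr 2>/dev/null
openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -days 30 -extfile ca.ext -out inter.pem 2>/dev/null

# Server (leaf) certificate, issued by the intermediate, as a public CA does.
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:my.domain.com\n' > leaf.ext
openssl req -newkey rsa:2048 -nodes -subj "/CN=my.domain.com" -keyout leaf.key -out leaf.csr 2>/dev/null
openssl x509 -req -in leaf.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
  -days 30 -extfile leaf.ext -out leaf.pem 2>/dev/null

# Export 1: leaf + key only.  Export 2: the same, plus the intermediate.
openssl pkcs12 -export -inkey leaf.key -in leaf.pem -out leaf-only.pfx -passout pass:demo
openssl pkcs12 -export -inkey leaf.key -in leaf.pem -certfile inter.pem \
  -out full-chain.pfx -passout pass:demo

# Returns 0 when the leaf inside the PFX verifies to the root using only the
# extra certificates the PFX itself carries, i.e. no "extra download" needed.
chain_complete() {
  openssl pkcs12 -in "$1" -clcerts -nokeys -passin pass:demo 2>/dev/null > "$1.leaf" || true
  openssl pkcs12 -in "$1" -cacerts -nokeys -passin pass:demo 2>/dev/null > "$1.chain" || true
  if grep -q 'BEGIN CERTIFICATE' "$1.chain"; then
    openssl verify -CAfile root.pem -untrusted "$1.chain" "$1.leaf" >/dev/null 2>&1
  else
    openssl verify -CAfile root.pem "$1.leaf" >/dev/null 2>&1
  fi
}

for pfx in leaf-only.pfx full-chain.pfx; do
  if chain_complete "$pfx"; then echo "$pfx: chain complete"
  else echo "$pfx: intermediate missing (SSL Labs would report 'Extra download')"; fi
done
```

To see what a live server actually presents, `openssl s_client -connect my.domain.com:443 -showcerts </dev/null` lists every certificate it sends; an intermediate absent from that list is exactly what SSL Labs flags as "Extra download".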