1/6: Install OpenSSL.

OpenSSL is a powerful tool for managing SSL/TLS certificates and cryptographic keys.

OpenSSL is needed to extract and manipulate the certificates and keys generated during this process. The ASUS AX3000 router requires specific formats that OpenSSL can generate.

1. Download the latest version of OpenSSL for Windows 64-bit here.

2. Install OpenSSL in the default directory: C:\Program Files\OpenSSL-Win64.

3. Ensure the installation adds OpenSSL to your system’s PATH (optional but recommended for command-line access).

2/6: Request a New SSL Certificate.

We need to create a certificate request using Windows Certificate Manager (certlm.msc) and specify details such as the domain name, IP address, and exportable private key.

The certificate request ensures the router will be issued a trusted certificate by the internal CA. This certificate will allow secure HTTPS connections.

1. Open Certificate Manager:

   1. Press Win + R, type certlm.msc and press Enter.

2. Request Certificate:

   1. Navigate to Personal > Certificates.

   2. Right-click an empty area > All Tasks > Request New Certificate.

3. Select Policy.

   1. For Certificate Enrollment Policy, choose Active Directory Enrollment Policy.

   2. Click Next.

4. Choose Template.

   1. Select an appropriate template, such as Web Server.

   2. When prompted for configuration, click the URL/link.

5. Configure Certificate Properties:

   1. Subject Tab:

      1. Change Full DN to Common Name.

      2. Set the Value to router’s hostname (e.g. gateway).

      3. Alternative Names:

         1. Add DNS: (e.g. gateway).

         2. Add DNS: (e.g. gateway.internal.company.com).

         3. Add IP Address (IPv4): (e.g. 10.0.0.1).

   2. General Tab:

      1. Friendly Name: Router (to make it easily identifiable in Certificate Manager).

   3. Private Key Tab:

      1. Ensure Private Key is Exportable (important for later steps).

   4. Click Enroll to generate the certificate.

6. Confirm Success:

   1. Wait for the process to complete and verify that the new certificate appears in Personal > Certificates.

---

3/6: Export the Certificate as PFX.

Now, we need to export the generated certificate and its private key to a PFX file format. The PFX file combines the certificate and private key, which is necessary for importing into the router.

1. Locate the newly issued certificate (e.g. GATEWAY) in Personal > Certificates.

2. Right-click the certificate > All Tasks > Export.

3. Use the Certificate Export Wizard:

   1. Select Yes, export the private key.

   2. Choose PFX (Personal Information Exchange) format.

   3. Set a password to protect the private key during export.

   4. Save the file (e.g. as Router.pfx) on your desktop.

---

4/6: Extract Private Key and Certificate using OpenSSL.

We will use OpenSSL to extract the private key and certificate from the Router.pfx file. These files are required for the router configuration.

The router doesn’t accept PFX files directly. We need to split the files into its components: the private key and the certificate.

privatekey.pem: The private key.

cert.pem: The certificate.

1. Open Command Prompt as Administrator:

   1. Navigate to the OpenSSL directory:

   2.     cd C:\Program Files\OpenSSL-Win64\bin
      

2. Extract the Private Key:

   1. Run:

      1.  openssl pkcs12 -in C:\path_to\Router.pfx -nocerts -out C:\path_to\privatekey.pem -nodes
         

      2. Enter the password set during the .pfx export.

3. Extract the Public Certificate:

   1. Run:

      1.  openssl pkcs12 -in C:\path_to\Router.pfx -clcerts -nokeys -out C:\path_to\cert.pem
         

---

5/6: Upload Certificates to the Router.

Now we need to upload the private key and certificate files to the router to enable secure HTTPS access.

Custom certificates ensure that your router’s HTTPS interface is trusted, removing browser warnings and improving security.

1. Login to the router’s admin interface (e.g. routerlogin.local).

2. Navigate to WAN > DDNS (or similar, depending on your router model).

3. Under HTTPS/SSL Certificate, select Import Your Own Certificate.

4. Upload the files:

   1. Private key: Select privatekey.pem.

   2. SSL Certificate: Select cert.pem.

5. Apply the changes and restart the router if needed.

6/6: Verify HTTPS Access.

Finally, test the router’s new SSL certificate to ensure it’s correctly applied. It’s important to confirm that HTTPS access to the router is secure and trusted.

1. Open a web browser and test:

   1. The router’s hostname (e.g. gateway.internal.company.com:8443).

   2. The router’s IP address (e.g. https://10.0.0.1:8443).

2. Troubleshoot Issues:

   1. If you see a Your clock is behind error, synchronise your PC’s timezone with the certificate server.

   2. If the certificate doesn’t work immediately, toggle the HTTPS/SSL certificate settings (disable, re-enable or restart the router).

   3. You may need to close and re-open your web browser.

---

Conclusion

By following this guide, you’ve successfully issued and installed a custom SSL certificate for your router using AD CS and OpenSSL.

This setup not only secures your router’s admin interface but also builds your understanding of SSL certificate management and encryption.