<
WiFi
Hacking a valid cert into the EAP controller software
This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.Hacking a valid cert into the EAP controller software
This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.Hacking a valid cert into the EAP controller software
Posts: 38
Helpful: 0
Solutions: 0
Stories: 0
Registered: 2017-03-19
2017-03-20 19:04:10
Posts: 38
Helpful: 0
Solutions: 0
Stories: 0
Registered: 2017-03-19
Hacking a valid cert into the EAP controller software
2017-03-20 19:04:10
Tags:
So let's start by saying I hate invalid certificate errors. I've worn many hats: DevOps, IT Support, Customer Support, Web Designer, and more; each and every one screams "FIX IT" when I see one of these errors. Naturally, when I got my new access points (yes I use my EAP245 for my home), I was dismayed to see the invalid certificate error on the management page.
Well I have my own domain name that I use for my home network devices and have used it to put valid certs on them (a pfSense router, an OMV file server, and a couple other gadgets), and thought to myself, "why can't I have a valid certificate on the EAP controller?"
After many hours of poking around with much trial and error, I successfully managed to get the green padlock indicating a valid certificate!
DISCLAIMER: Proceed at your own risk! This worked for me, but I cannot guarantee that this process will not bork your EAP controller, invalidate your warranty, and/or kick an orphaned puppy. Please, think of the puppies.
PREREQUISITES
[*]A domain name that you control DNS for
[*]A way to run the openssl command (either via a handy Linux/Mac box laying around, or an OpenSSL package for Windows on your controller or a handy Windows box)
[*]Full access to your EAP controller box
[*]Depending on your cert provider, an HTTP host you can use for verification
PREPARING
[*]Create a subdomain for your controller under your desired domain name, e.g. "eap.example.com"
[*]If your cert provider requires HTTP verification (e.g. LetsEncrypt), start by pointing this at an HTTP host you have access to, with a very low TTL
PROCESS
[*]Shut down the EAP Controller software
[*]Make a copy of your current keystore (EAP Controller\keystore\eap.keystore) for safekeeping
[*]Generate a private key and CSR:
openssl req -out MYSITE.csr -new -newkey rsa:4096 -nodes -keyout MYSITE.key
[*]Submit your CSR and get the cert from the CA
[*]If your CA uses HTTP verification, once the process is complete change your DNS entry to point to your EAP controller's IP address
[*]Combine your cert and private key into a PKCS#12 key:
openssl pkcs12 -export -in MYSITE.crt -inkey MYSITE.key -name eap -out MYSITE.p12
it is important that the "name" parameter is "eap"!
[*]use an easy-to-remember password, you'll need it a few steps later (then it will be irrelevant)
[*]Make a copy of your current keystore (EAP Controller\keystore\eap.keystore) for safekeeping (you already did that right?)
[*]Delete the eap.keystore file in EAP Controller\keystore
[*]Import your PKCS#12 key into a new keystore:
keytool -importkeystore -deststorepass tplink -destkeystore eap.keystore -srckeystore MYSITE.p12 -srcstoretype PKCS12
enter the password you specified in step 5 when prompted
[*]Restart the EAP Controller software!
When it starts and loads the page, you should still see a certificate error; this is because it loads to https://127.0.0.1 which is never a valid hostname. If you browse to the hostname you created, e.g. https://eap.example.com:8043/ (don't forget the port number) you should now see the valid certificate!
Well I have my own domain name that I use for my home network devices and have used it to put valid certs on them (a pfSense router, an OMV file server, and a couple other gadgets), and thought to myself, "why can't I have a valid certificate on the EAP controller?"
After many hours of poking around with much trial and error, I successfully managed to get the green padlock indicating a valid certificate!
DISCLAIMER: Proceed at your own risk! This worked for me, but I cannot guarantee that this process will not bork your EAP controller, invalidate your warranty, and/or kick an orphaned puppy. Please, think of the puppies.
PREREQUISITES
[*]A domain name that you control DNS for
[*]A way to run the openssl command (either via a handy Linux/Mac box laying around, or an OpenSSL package for Windows on your controller or a handy Windows box)
[*]Full access to your EAP controller box
[*]Depending on your cert provider, an HTTP host you can use for verification
PREPARING
[*]Create a subdomain for your controller under your desired domain name, e.g. "eap.example.com"
[*]If your cert provider requires HTTP verification (e.g. LetsEncrypt), start by pointing this at an HTTP host you have access to, with a very low TTL
PROCESS
[*]Shut down the EAP Controller software
[*]Make a copy of your current keystore (EAP Controller\keystore\eap.keystore) for safekeeping
[*]Generate a private key and CSR:
openssl req -out MYSITE.csr -new -newkey rsa:4096 -nodes -keyout MYSITE.key
[*]Submit your CSR and get the cert from the CA
[*]If your CA uses HTTP verification, once the process is complete change your DNS entry to point to your EAP controller's IP address
[*]Combine your cert and private key into a PKCS#12 key:
openssl pkcs12 -export -in MYSITE.crt -inkey MYSITE.key -name eap -out MYSITE.p12
it is important that the "name" parameter is "eap"!
[*]use an easy-to-remember password, you'll need it a few steps later (then it will be irrelevant)
[*]Make a copy of your current keystore (EAP Controller\keystore\eap.keystore) for safekeeping (you already did that right?)
[*]Delete the eap.keystore file in EAP Controller\keystore
[*]Import your PKCS#12 key into a new keystore:
keytool -importkeystore -deststorepass tplink -destkeystore eap.keystore -srckeystore MYSITE.p12 -srcstoretype PKCS12
enter the password you specified in step 5 when prompted
[*]Restart the EAP Controller software!
When it starts and loads the page, you should still see a certificate error; this is because it loads to https://127.0.0.1 which is never a valid hostname. If you browse to the hostname you created, e.g. https://eap.example.com:8043/ (don't forget the port number) you should now see the valid certificate!
#1
Options
- Copy Link
- Subscribe
- Bookmark
- Report Inappropriate Content
Thread Manage
Announcement Manage
16 Reply
Posts: 5
Helpful: 0
Solutions: 0
Stories: 0
Registered: 2018-01-25
Re:Hacking a valid cert into the EAP controller software
2018-01-26 04:47:08
Hi All,
I realise this is an old thread but it is the only one I can find on the topic on replacing the SSL Cert.
I am having the java.security.UnrecoverableKeyException: Cannot recover key error. I have tried importing it using the GUI. This is on an ubuntu based controller.
This is what I have done:
./certbot-auto certonly --standalone --preferred-challenges http -d mydomain.net
openssl pkcs12 -export -inkey /etc/letsencrypt/live/mydomain.net/privkey.pem -in /etc/letsencrypt/live/mydomain.net/cert.pem -certfile /etc/letsencrypt/live/mydomain.net/chain.pem -name eap -out mydomain.p12
delete the existing keystore
keytool -importkeystore -deststorepass tplink -destkeystore /path/to/keystore/eap.keystore -srckeystore mydomain.p12 -srcstoretype PKCS12
tpeap stop
tpeap start
Is there anything obvious. I can't believe nearly a year on this still isn't easy
Thanks
I realise this is an old thread but it is the only one I can find on the topic on replacing the SSL Cert.
I am having the java.security.UnrecoverableKeyException: Cannot recover key error. I have tried importing it using the GUI. This is on an ubuntu based controller.
This is what I have done:
./certbot-auto certonly --standalone --preferred-challenges http -d mydomain.net
openssl pkcs12 -export -inkey /etc/letsencrypt/live/mydomain.net/privkey.pem -in /etc/letsencrypt/live/mydomain.net/cert.pem -certfile /etc/letsencrypt/live/mydomain.net/chain.pem -name eap -out mydomain.p12
delete the existing keystore
keytool -importkeystore -deststorepass tplink -destkeystore /path/to/keystore/eap.keystore -srckeystore mydomain.p12 -srcstoretype PKCS12
tpeap stop
tpeap start
Is there anything obvious. I can't believe nearly a year on this still isn't easy
Thanks
0
We appreciate your feedback. Feel free to let us know more. Log in to submit feedback.
0
We appreciate your feedback. Feel free to let us know more. Log in to submit feedback.
#12
Options
- Copy Link
- Report Inappropriate Content
Thread Manage
Announcement Manage
Posts: 5
Helpful: 0
Solutions: 0
Stories: 0
Registered: 2018-01-25
Re:Hacking a valid cert into the EAP controller software
2018-01-26 05:05:22
OK... for others following this thread. I have just worked it out.
The password you set in step 5, *must* be tplink.
The password you set in step 5, *must* be tplink.
openssl pkcs12 -export -in MYSITE.crt -inkey [I]MYSITE.key -name eap -out [I]MYSITE.p12[/I][/I]
[I][I]it is important that the "name" parameter is "eap"![/I][/I]
[*][I][I]use an easy-to-remember password, you'll need it a few steps later (then it will be irrelevant)[/I][/I]
0
We appreciate your feedback. Feel free to let us know more. Log in to submit feedback.
0
We appreciate your feedback. Feel free to let us know more. Log in to submit feedback.
#13
Options
- Copy Link
- Report Inappropriate Content
Thread Manage
Announcement Manage
Posts: 2
Helpful: 1
Solutions: 0
Stories: 0
Registered: 2020-02-03
Re:Hacking a valid cert into the EAP controller software
2020-02-03 15:44:16 - last edited 2020-02-03 16:21:23
I just successfully used an LE cert on my controller. Here is what I did.
First I created a script that stops the controller, builds a new keystore and then starts the server. You can get the script here:
https://pastebin.com/raw/U1zYQGHe
Then I generate the new cert using acme.sh (https://acme.sh) and reference my script (reloadEAP.sh) similar to this:
./acme.sh --issue --dns dns_cf -d eap.example.com --reloadcmd /root/.acme.sh/reloadEAP.sh
If you want acme.sh to setup a cron job to automatically renew the cert and automatically inject it into the EAP controller just run this command:
./acme.sh --install
Obviously you will need to alter the paths in the script and find the right command line options for generating a cert with acme.sh for your environment. You don't have to use acme.sh, my relaodEAP.sh script could be adapted to work with any cert you want. I'm mostly using the steps I found in this thread only I added the password to the command lines so it can be run without user interaction.
Hope this helps someone.
1
We appreciate your feedback. Feel free to let us know more. Log in to submit feedback.
1
We appreciate your feedback. Feel free to let us know more. Log in to submit feedback.
#14
Options
- Copy Link
- Report Inappropriate Content
Thread Manage
Announcement Manage
Posts: 4334
Helpful: 1039
Solutions: 173
Stories: 3
Registered: 2015-12-05
Re:Hacking a valid cert into the EAP controller software
2020-02-03 16:12:19
See this recipe for an easy way to permanently install an own SSL certificate in Omada Controller:
https://community.tp-link.com/en/business/forum/topic/150083
༺ 0100 1101 0010 10ཏ1 0010 0110 1010 1110 ༻
0
We appreciate your feedback. Feel free to let us know more. Log in to submit feedback.
0
We appreciate your feedback. Feel free to let us know more. Log in to submit feedback.
#15
Options
- Copy Link
- Report Inappropriate Content
Thread Manage
Announcement Manage
Posts: 2
Helpful: 1
Solutions: 0
Stories: 0
Registered: 2020-02-03
Re:Hacking a valid cert into the EAP controller software
2020-02-03 16:19:01
0
We appreciate your feedback. Feel free to let us know more. Log in to submit feedback.
0
We appreciate your feedback. Feel free to let us know more. Log in to submit feedback.
#16
Options
- Copy Link
- Report Inappropriate Content
Thread Manage
Announcement Manage
Posts: 4
Helpful: 0
Solutions: 0
Stories: 0
Registered: 2020-04-21
Re:Hacking a valid cert into the EAP controller software
2020-08-09 20:07:51
This worked for me!
Working at Stampede, trying to rid the world of poor captive portals https://stampede.ai
0
We appreciate your feedback. Feel free to let us know more. Log in to submit feedback.
0
We appreciate your feedback. Feel free to let us know more. Log in to submit feedback.
#17
Options
- Copy Link
- Report Inappropriate Content
Thread Manage
Announcement Manage
Posts: 38
Helpful: 0
Solutions: 0
Stories: 0
Registered: 2017-03-19
2017-03-20 19:04:10
Posts: 38
Helpful: 0
Solutions: 0
Stories: 0
Registered: 2017-03-19
Information
Helpful: 0
Views: 9905
Replies: 16
Voters 0
No one has voted for it yet.
Tags
Report Inappropriate Content
Transfer Module
New message