Create and Apply SSL Certificate to DD-WRT Web Interface

Note: You may need to enable JFFS2 support under Administration > Management > JFFS2 Support to have a usable /jffs location

Prerequisites

Create Your SSL Certificate

  1. Launch XCA
  2. Open the PKI database if it is not already (File > Open DataBase), enter password
  3. Click on the Certificates tab, right click on your Intermediate CA certificate
  4. Select New
  5. On the Source tab, make sure Use this Certificate for signing is selected
  6. Verify your Intermediate CA certificate is selected from the drop down
  7. Click the Subject tab
  8. Complete the Distinguished Name section

    internalName: dd-wrt.i12bretro.local
    countryName: US
    stateOrProvinceName: Virginia
    localityName: Northern
    organizationName: i12bretro
    organizationalUnitName: i12bretro Certificate Authority
    commonName: dd-wrt.i12bretro.local

  9. Click the Generate a New Key button
  10. Enter a name and set the key size to at least 2048
  11. Click Create
  12. Click on the Extensions tab
  13. Select End Entity from the type list
  14. Click Edit next to Subject Alternative Name
  15. Add any DNS or IP addresses that the certificate will identify
  16. Update the validity dates to fit your needs
  17. Click the Key Usage tab
  18. Under Key Usage select Digital Signature, Key Encipherment
  19. Under Extended Key Usage select Web Server and Web Client Authentication
  20. Click the Netscape tab
  21. Select SSL Server
  22. Click OK to create the certificate

Exporting Required Files

  1. In XCA, click on the Certificates tab
  2. Right click the SSL certificate > Export > File
  3. Set the file name to cert.pem and verify the export format is PEM (*.crt)
  4. Click OK
  5. Click the Private Keys tab
  6. Right click the private key generated for the SSL certificate > Export > File
  7. Set the file name to key.pem and verify the export format is PEM private (*.pem)
  8. Click OK

Applying SSL Certificates in DD-WRT

  1. Open a web browser and navigate to http://DDWRT_IP
  2. Authenticate with the DD-WRT login
  3. Click on the Services tab
  4. Locate the Secure Shell section
  5. Select the Enable radio option next to SSHd
  6. Click Apply Settings
  7. Click on the Administration tab
  8. Locate the JFFS2 Support heading
  9. Select the Enable option next to Internal Flash Storage
  10. Locate the Web Access heading
  11. Uncheck HTTP
  12. Check HTTPS
  13. Click Apply Settings
  14. Scroll down and click the Reboot Router button
  15. Wait for DD-WRT to come back up
  16. Download PuTTY
  17. Connect to DD-WRT via PuTTY
  18. Execute the following commands to create the working directories
    cd /jffs
    mkdir etc
    mkdir startup
  19. Download the bash script (binds_on_mount.sh) that applies the SSL certificates
  20. Download WinSCP
  21. Extract WinSCP and run the executable
  22. Connect to the DD-WRT server via WinSCP
  23. Navigate to /jffs/etc
  24. Copy the created cert.pem and key.pem to /jffs/etc
  25. Navigate to /jffs/startup
  26. Copy the downloaded binds_on_mount.sh
  27. Back in PuTTY, execute the following commands
    cd /jffs/startup
    # make binds_on_mount.sh executable
    chmod +x binds_on_mount.sh
  28. Test binding the newly created certificates manually
    ./binds_on_mount.sh
    If any errors occur, do not proceed to the next section until they are resolved
  29. Open a web browser and navigate to https://DDWRT_IP
  30. If the certificates were bound successfully the generated certificates should now be served by DD-WRT
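
The page does not show the contents of binds_on_mount.sh, so here is an illustrative script of the same kind, added as an example and not the downloaded script itself. It assumes (hypothetically, check your build) that DD-WRT's httpd reads /etc/cert.pem and /etc/key.pem and that `stopservice httpd` / `startservice httpd` restart the web server; before touching anything it verifies that the exported key actually belongs to the exported certificate, which is the mismatch most likely to make https fail silently.

```shell
#!/bin/sh
# Illustrative binds_on_mount.sh (added example, not the page's downloaded script).
# Assumed (hypothetical) paths and service commands for DD-WRT are set below.
CERT_DIR=${CERT_DIR:-/jffs/etc}   # where cert.pem and key.pem were copied via WinSCP
HTTPD_DIR=${HTTPD_DIR:-/etc}      # where DD-WRT httpd is assumed to read its cert/key

# check_pair CERT KEY: both files must be readable and, when openssl is present,
# the key's public key must match the certificate's. Returns 0 on success, 1 otherwise.
check_pair() {
  cert=$1; key=$2
  [ -r "$cert" ] || { echo "missing or unreadable: $cert" >&2; return 1; }
  [ -r "$key" ]  || { echo "missing or unreadable: $key" >&2; return 1; }
  command -v openssl >/dev/null 2>&1 || return 0   # no openssl on this build: skip match test
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 1
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ] \
    || { echo "cert.pem and key.pem do not belong together" >&2; return 1; }
}

# bind_file SRC DST: bind-mount SRC over DST unless something is already mounted there.
bind_file() {
  grep -q " $2 " /proc/mounts 2>/dev/null && return 0
  mount -o bind "$1" "$2"
}

main() {
  check_pair "$CERT_DIR/cert.pem" "$CERT_DIR/key.pem" || exit 1
  bind_file "$CERT_DIR/cert.pem" "$HTTPD_DIR/cert.pem" || exit 1
  bind_file "$CERT_DIR/key.pem"  "$HTTPD_DIR/key.pem"  || exit 1
  stopservice httpd && startservice httpd   # assumed DD-WRT service commands
  echo "certificates bound; httpd restarted"
}

# Only run main when executed as binds_on_mount.sh, so the functions can be
# sourced and tested elsewhere without touching /etc.
case "${0##*/}" in binds_on_mount.sh) main "$@" ;; esac
```

Running it as ./binds_on_mount.sh (step 28) prints the mismatch or missing-file reason on stderr instead of leaving you with a dead https listener.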

Automatically Applying SSL Certificates on DD-WRT Startup

  1. Open a web browser and navigate to http://DDWRT_IP
  2. Authenticate with the DD-WRT login
  3. Click on the Administration tab
  4. Click on the Commands sub-navigation tab
  5. Paste the following into the Commands textarea

    cd /jffs/startup && ./binds_on_mount.sh > ./log

  6. Click the Save Startup button
  7. Click on the Management sub-navigation tab
  8. Scroll to the bottom and click the Reboot Router button
  9. Wait for the router to reboot
  10. Refresh the DD-WRT web interface and the created SSL certificates should be used

On one of my cheaper routers /jffs was read-only and had 0 bytes available. I followed the same steps as above but used a USB flash drive to store the files. I was able to replace /jffs with /tmp/mnt/USB to complete setting up SSL on the device. Leaving HTTP checked under Administration > Management > Web Access can provide a fallback until https is working reliably. If for some reason https stops working you can re-enable access via http by connecting to the router via SSH and running the following commands:
    nvram set httpd_enable=1
    nvram set http_enable=1

Special thanks to the DD-WRT forums and alexandrusavin on GitHub for inspiration on getting this working
https://gist.github.com/alexandrusavin/69b26846d6593d6f217219b5bd8882c4