Certificate Management and Usage

This document presents the WeOS certificate repository, its usage and how to manage it.

What is the Certificate Repository?

The WeOS certificate repository holds cryptographic certificates and keys used by WeOS services utilising asymmetric and symmetric cryptography. An example is the WeOS Web server, which by default uses a unique, self-signed certificate for its HTTPS service.

It is possible to import your own certificates and associated private keys to be used for Web/HTTPS or for OpenVPN tunnels. OpenVPN certificates and secret keys may also be generated by WeOS.

WeOS includes a set of default trusted CAs, used by certain WeOS client services such as DDNS, when contacting certificate based Internet services.

The unit’s default Web certificate

The default certificate is always present in WeOS, and when it is deleted, a new one will be generated implicitly at reboot.

example:/#> show cert full
TYPE     HASH     EXPIRES     NAME                 LABEL
Pub      52ff4f77 Jan 19 2038 zero-12-34-50.local  web-default
Key      N/A      N/A         web-default          web-default

It is possible import (see below) a custom Web server certificate to the repository, and configure the Web server to use that certificate.

Built-in trusted root CAs

Included in the WeOS image is a set of trusted root CAs, based on Mozilla’s list of trusted root CAs. This list of root CAs is provided for convenience, and is used by WeOS services using HTTPS to securely access Internet services. An example is the WeOS DDNS client, which utilises HTTPS to contact the DDNS provider.

The DDNS client trusts DDNS providers with a certificate issued by any of the built-in trusted root CAs by default. It is possible to configure the DDNS client to only trust certificates issued by CAs manually imported to the certificate repository.

The example below shows how to display the list of trusted CAs.

example:/#> show cert all
TYPE     HASH     EXPIRES     NAME
CA-auto  a94d09e5 Dec 31 2030 ACCVRAIZ1
CA-auto  cd8c0d63 Jan  1 2030 N/A
CA-auto  b81b93f0 Dec 20 2043 AC RAIZ FNMT-RCM SERVIDORES SEGUROS
CA-auto  b433981b Aug 30 2039 ANF Secure Server Root CA
CA-auto  930ac5d2 Sep 22 2030 Actalis Authentication Root CA
...

Certificates & keys management

Certificates and keys can be managed from both CLI and Web interfaces.

CLI Syntax:

[no][show] cert [all] [full] [generate [OPTS] | import [OPTS] URI

Manage certificates and keys.

no

Delete a complete certificate bundle by its label.

show

Dump certificate information: attributes & meta data. Options:

full - display full certificate’s LABEL
all - display all keys & certificates (including WeOS built-in)
HASH - display info about certificate with specified HASH
LABEL - display info about certificate with specified LABEL

generate

Generate certificates and OpenVPN secret keys (PSK). Signing, or self-signed CA not supported yet. Options:

ovpn - Generate OpenVPN secret key (PSK or TLS-AUTH).
label NAME - (Mandatory) Specify label name for the generated key.

import

Import PKCS12 certificate bundles, stand-alone PEM/DER or OpenVPN static key files. For PEM/DER, it is required to provide the type: private, public or CA. This to ensure the certificate is put to proper use.

Import format options:

pkcs - import PKCS12 bundle.
pem - import PEM certificate, CA certificate or private key. Additional PEM/DER options: ‘type public’ (import as certificate), ‘type ca’ (import as CA certificate), and ‘type private’ (import as private key).
der - import DER certificate, CA certificate or private key. Same options as for ‘pem’.
ovpn - import OpenVPN static key.

Other import options:

label NAME - (Optional) Specify label name for the imported certificate(s) and/or key.
password PASSWORD - Password for imported certificate/key (if encrypted).

Examples

Import a PKCS#12 or a PEM certificate:

example:/#> cert import pkcs password "secret string" ftp://1.2.3.4/bundle.p12
example:/#> cert import pem type public usb://remote.crt

Import an OpenVPN static key (PSK or TLS-AUTH):

example:/#> cert import ovpn ftp://1.2.3.4/ovpn.key

Generate an OpenVPN static key (PSK or TLS-AUTH):

example:/#> cert generate ovpn label NAME

Show all certificates or display a given label/hash:

example:/#> show cert
TYPE     HASH     EXPIRES     NAME
Pub      52ff4f77 Jan 19 2038 zero-12-34-50.local
Key      N/A      N/A         web-default

example:/#> show cert full
TYPE     HASH     EXPIRES     NAME                 LABEL
Pub      52ff4f77 Jan 19 2038 zero-12-34-50.local  web-default
Key      N/A      N/A         web-default          web-default

example:/#> show cert all
Press Ctrl-C or Q(uit) to quit viewer, Space for next page,  for next line.
TYPE     HASH     EXPIRES     NAME
CA-auto  a94d09e5 Dec 31 2030 ACCVRAIZ1
CA-auto  cd8c0d63 Jan  1 2030 N/A
CA-auto  930ac5d2 Sep 22 2030 Actalis Authentication Root CA
CA-auto  157753a5 May 30 2020 AddTrust External CA Root
CA-auto  2b349938 Dec 31 2030 AffirmTrust Commercial
CA-auto  93bc0acc Dec 31 2030 AffirmTrust Networking
CA-auto  b727005e Dec 31 2040 AffirmTrust Premium
CA-auto  9c8dfbd4 Dec 31 2040 AffirmTrust Premium ECC
CA-auto  ce5e74ef Jan 17 2038 Amazon Root CA 1
CA-auto  6d41d539 May 26 2040 Amazon Root CA 2
CA-auto  8cb5ee0f May 26 2040 Amazon Root CA 3
CA-auto  de6d66f3 May 26 2040 Amazon Root CA 4
CA-auto  e36a6752 Dec 31 2030 Atos TrustedRoot 2011
CA-auto  3bde41ac Dec 31 2030 Autoridad de Certificacion Firmapr~l CIF A62634068
CA-auto  653b494a May 12 2025 Baltimore CyberTrust Root
CA-auto  54657681 Oct 26 2040 Buypass Class 2 Root CA
CA-auto  e8de2f56 Oct 26 2040 Buypass Class 3 Root CA
CA-auto  2ae6433e Jul 19 2042 CA Disig Root R2
CA-auto  0b1b94ef Dec 31 2029 CFCA EV ROOT
CA-auto  40547a79 Dec 31 2029 COMODO Certification Authority
CA-auto  eed8c118 Jan 18 2038 COMODO ECC Certification Authority
CA-auto  d6325660 Jan 18 2038 COMODO RSA Certification Authority
--More-- (17% of 10619 bytes)

Remove certificate by label/hash

example:/#> no cert

Use force parameter to avoid questions:

example:/#> no cert force