SSL Certificates on Private Networks with the EdgeRouter

These days it seems like every device on my home network has its own web server. Some of the devices have SSL enabled and force you to use it (HTTP requests are redirected to HTTPS); this isn’t bad, but since the sites are accessed with an IP address or a local name (using Bonjour), browsers always give a warning about a domain name mismatch. For those who don’t know, when you connect to a secure site, the browser checks the domain name you entered against that of the certificate; if they don’t match, it could indicate that someone is trying to spoof the site. You can either ignore the warning or you can choose the option to always trust the certificate. The latter method is what I usually do, but it just doesn’t feel right and there could be security issues with this method.

Since I purchased a wildcard SSL certificate for my domain, I thought there must be a way to use it and not get browser warnings or have to accept the certificate. While browsing the forums for my EdgeRouter Lite, I stumbled upon a command that basically lets me override DNS entries. I could have set up DNS entries such as mydevice-internal.gruby.com with a private IP address (10.0.1.200) on my DNS provider, but it isn’t a good idea to pollute DNS with private addresses, and I’m not even sure my provider’s system would have allowed it.

The forums indicated I could do the following:

    configure
    set system static-host-mapping host-name mydevice-internal.gruby.com inet 10.0.1.200
    commit
    save

This simple command tells the EdgeRouter Lite’s caching DNS server to return this entry prior to using real DNS servers. I set up the SSL certificate on a few of my internal boxes, used that command, and now I use https://mydevice-internal.gruby.com to securely access the devices and no longer get browser warnings.
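Why the name matters, as an added example that is not part of the original post: the sketch below applies the whole-label, left-most-only wildcard rule browsers use to several ways of reaching the same device. The SAN list `*.gruby.com`, the Bonjour name `mydevice.local` and the name `cam.lan.gruby.com` are assumptions made for illustration.

```python
import ipaddress

def is_ip_literal(name: str) -> bool:
    """True if the string typed into the browser is an IPv4/IPv6 address."""
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False

def dns_name_matches(pattern: str, host: str) -> bool:
    """Compare one DNS SAN entry with a hostname, label by label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False
    if p[0] == "*":
        # The wildcard stands in for exactly one left-most label;
        # every remaining label must match exactly.
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def cert_covers(host: str, dns_sans: list) -> bool:
    # An IP address is compared against IP SANs only, so a certificate
    # that carries just DNS names can never match it.
    if is_ip_literal(host):
        return False
    return any(dns_name_matches(s, host) for s in dns_sans)

# Assumed SAN list of a wildcard certificate for the domain in the post.
WILDCARD_SANS = ["*.gruby.com"]

# Constructed sample names: different ways of addressing one device.
CANDIDATES = [
    "10.0.1.200",                   # raw private IP
    "mydevice.local",               # Bonjour/mDNS name (assumed)
    "mydevice-internal.gruby.com",  # static-host-mapping name from the post
    "cam.lan.gruby.com",            # two labels under the domain (assumed)
    "gruby.com",                    # bare domain
]

def report() -> dict:
    """Map each candidate name to whether the wildcard certificate covers it."""
    return {h: cert_covers(h, WILDCARD_SANS) for h in CANDIDATES}

if __name__ == "__main__":
    for host, ok in report().items():
        print(f"{host:30} {'match' if ok else 'MISMATCH (browser warning)'}")
```

Only the single-label name under the domain matches, which is why the static host mapping is needed. The mapping itself only helps clients that resolve names through the EdgeRouter's DNS forwarder.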

The EdgeRouter Lite has so many options that I’m just starting to scratch the surface on them and how I can use them!
