How to Install an SSL Certificate for router huawei __Please Help

Hello ;

How to Install an SSL Certificate for router huawei ?

How to enable ssl certificate authentication or how to configure an ssl certificate to secure an HTTPS connection on my router by using Let’s Encrypt || What is the solution ?

Can I get a free certificate from Let’s Encrypt or purchase a certificate for my router?

==> Objective of securing connection :
Protect the router from the process of penetration of the so-called [ Man-in-the-middle attack ] .

==> This is the router information for setting up an SSL certificate ( Huawei EchoLife HG8245Q ) , With attached pictures of the router : -

Enable Certificate Authentication ssl and Set Private Key Password
Private Key Password:
Confirm Password:
Import Certificate
Certificate:

Ignore the ACS management menu (it’s not what you want) and upload the certificate and key via the menu below it, for HTTPS.

good dear !
But explain to me how https works on the router, I do not know how to do it

==> See my question on the Huawei Forum, I did not find an answer !
https://forum.huawei.com/enterprise/en/How-to-enable-or-how-to-configure-an-SSL-certificate-to-secure-an-HTTPS-connection-on-the-router-by-using-Let-s-Encrypt-Huawei/thread/546383-911

From the right picture, use the Import Certificate menu, and import the key under it (scroll down).
Then, to get the certificate itself… LE won’t sign IP addresses or fake domain names, so you may need to use a self-signed one and ignore the certificate error.

So @JohnMartin, do you have your own domain name? Every Let’s Encrypt certificate refers to a domain name and you have to own it or have a domain or subdomain pointed at your device in order to get a certificate from Let’s Encrypt.

No ; I do not have a domain name
I do not have a server , my device is a home Modem ( Huawei EchoLife HG8245Q ) , and I’m trying to install an SSL certificate to secure the connection , but I do not know the way

As you see in the pictures :
From the System Tools menu, you need to set the certificate on a setting ( TR-069 ) and ( Modify Login Password = Enable Certificate Authentication ssl and Set Private Key Password )

See example of a Synology router and how to install the SSL certificate :
[ Configure HTTPS on Your NAS Using Let’s Encrypt | Synology ]

Let’s Encrypt certificates can’t be helpful to you if you don’t have a domain name that you can use. They prove that you control a particular domain name, but if there is no such domain name, there’s nothing for the certificate to attest to.

In the Synology case, most of these users are either registering their own personal domains or using the synology.me domain which the manufacturer registered. It gives out free subdomains under synology.me to people who’ve purchased a Synology NAS, and Let’s Encrypt can issue certificates for those subdomains.

If you don’t have a similar option for your router, the best option would probably be the one mentioned by @orangepizza: you can create a self-signed certificate (not from a public certificate authority), then install it on your router, and then confirm in your browser that you want to trust that particular certificate.

1 Like
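As an added illustration of the self-signed route suggested above (not part of any post in this thread): generating a certificate for a device reached by IP address with OpenSSL 1.1.1 or later, putting the address in subjectAltName because current browsers match against SAN entries rather than relying on the Common Name. The address 192.168.100.1 is the one given later in the thread; the RSA-2048 key type, file names and passphrase are assumptions, and whether the router accepts this PEM format is not confirmed here.

```shell
#!/usr/bin/env bash
# Added example: self-signed certificate for a router reached by IP address.
# File names, key type and passphrase are assumptions, not router requirements.
set -eu

ROUTER_IP="${ROUTER_IP:-192.168.100.1}"

make_router_cert() {
    # $1 = output directory, $2 = passphrase protecting the private key
    mkdir -p "$1"
    # The key is written encrypted (no -nodes), matching an import form that
    # asks for a "Private Key Password". -addext needs OpenSSL 1.1.1+.
    KEY_PASS="$2" openssl req -x509 -newkey rsa:2048 -sha256 -days 365 \
        -keyout "$1/router.key" -passout env:KEY_PASS \
        -out "$1/router.crt" \
        -subj "/CN=$ROUTER_IP" \
        -addext "subjectAltName=IP:$ROUTER_IP"
    chmod 600 "$1/router.key"
}

cert_san() {
    # Print the IP entries of the certificate's subjectAltName extension.
    openssl x509 -in "$1" -noout -text | grep "IP Address:"
}

key_matches_cert() {
    # $1 = certificate, $2 = encrypted key, $3 = passphrase.
    # Succeeds only if both files carry the same public key.
    cert_fp=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
    key_fp=$(KEY_PASS="$3" openssl pkey -in "$2" -passin env:KEY_PASS -pubout \
        | openssl sha256)
    [ "$cert_fp" = "$key_fp" ]
}

# Demonstration in a throwaway directory with a constructed passphrase.
demo_dir=$(mktemp -d)
make_router_cert "$demo_dir" "example-passphrase"
cert_san "$demo_dir/router.crt"
key_matches_cert "$demo_dir/router.crt" "$demo_dir/router.key" "example-passphrase" \
    && echo "key and certificate match"
```

Checking the SAN and the key/certificate match before uploading separates a malformed certificate from a device that simply is not serving HTTPS with the uploaded file.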

I already have free subdomains for ( synology.me ) ==> Can I install it on a Huawei modem ?

Creating a self-signed certificate failed me unfortunately !

Explanation from this site has been applied :

In principle yes, if your synology.me subdomain is pointing at the same public IP address as your Huawei router (for example, using port forwarding to forward some ports to one device and some ports to another), you could obtain certificates that you use on both devices. This might be a little bit complicated to do in practice, because I’m not sure that the Synology software supports an easy way to export the certificates that it obtains (along with their private keys) for use on another device.

If you want to use the same exact certificates on both devices, maybe you should consult the Synology documentation or Synology forum to investigate exporting the certificate and key. (There is no reason that the same certificate and key can’t be used at the same time on multiple devices, as long as all of the devices are actually accessible using the same domain name.)

If you want to externally generate a certificate, you could consider using something like https://zerossl.com/ and completing the validation steps manually on the Synology device, then importing the resulting certificate into your Huawei device. This is probably a lot of effort, especially because the process will need to be repeated at least every 90 days, and probably can’t easily be automated!

I tried today to apply the method to my domain synology.me ==> The result failed the process !

I tried to apply a self-signed certificate setup and upload it on the router ==> The result failed the process !

I do not know the solution now for Huawei router problems , nor does our service provider allow it to be changed.

☞ The steps in this article have been applied to set up a self-signed certificate :

☞ The biggest problem with the router is : ACS Parameter Settings , I do not know what this setting is , and what to write instead ; when you delete the information from it and replace it with another it returns automatically !


It would be really helpful to know more specifically what you did and what kind of error you encountered. I’m sure there was a more specific problem or error that resulted.

ACS Parameter Settings: it’s for ISPs to manage customers’ devices remotely. Unload a public cert from it and leave it empty. The setting for the cert to be used for the web menu is under “Modify Login Password”.

The problem is :
Orders sent between the device (CPE) and auto configuration server (ACS) are transported over HTTP

The problem 2 that the certificate is for a router and not a certificate for a domain, so I do not know a solution to the problem

There are two certificate upload menus, one for ACS and the other for HTTPS (under the router password change menu).

If you actually want a certificate for CPE-ACS:
1. is because your ACS endpoint URL starts with http, not https.
2. is a client certificate that the ACS trusts, and I think the ACS would have pinned an internal CA if it uses that, and your router certificate needs to be signed by that CA, so an LE certificate won’t help you here.

The domain name needs to point at the IP address that you use to access the router’s interface, and you then need to use this domain name when accessing your router via the browser (or, other software that accesses it needs to use this domain name).

Dear Engineer. schoen

☞ I need a guide to explain the method, I have applied the steps to set up a self-signed certificate from this article


This is the self-signed certificate file data; is it correct? Is there a process that has not been implemented?
Country Name (2 letter code) [AU]:SA
State or Province Name (full name) [Some-State]:Jeddah
Locality Name (eg, city) :Jeddah
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Etihad Etisalat (Mobily)
Organizational Unit Name (eg, section) :IT
Common Name (e.g. server FQDN or YOUR name) :192.168.100.1
Email Address :

My browser is Firefox version 68

What happened after you created this certificate?

❶ After creating the self-signed certificate on the Apple Mac system, a certificate authentication process was performed

❷ The certificate was loaded on the router , and the operation appeared successful ✓

❸ The router was restarted and nothing changed !

❹ A self-signed certificate has been set up on Linux Debian and Apple Mac

❺ A self-signed certificate setup has been tried on Firefox and Safari

Hi @JohnMartin

What does https://192.168.100 say?