DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

Trusted SSL Certificate

21 Feb 2019 22:31 #1 by wdesousa
Trusted SSL Certificate was created by wdesousa
Hey chaps,

I'm trying to set up a trusted SSL certificate on my 2860N to pass PCI DSS compliance. I purchased a RapidSSL certificate and followed the steps in this guide: https://www.draytek.co.uk/support/guides/kb-local-certificate-management

The certificate is now correctly installed on the DrayTek with status OK. The trusted domain is added to Management > Domain Name allowed and the correct certificate is selected in SSL VPN > General Setup.

However, when I connect to the router I am still getting "Your connection is not private" errors and the browser is stating that I'm using a self-signed certificate - which I no longer am.

So either I'm missing a function I should be enabling (I am running the latest firmware 3.8.9.3), or else it's because the RapidSSL Intermediate Certificate also needs to be installed (they state that both have to be used to avoid issues). So I tried to be creative and added the certificate and the intermediate certificate X.509 code to the .pem and tried to import it. But I got a format error from the DrayTek.

Any help most appreciated as my bank is now charging me for not being compliant..

Many thanks...


25 Feb 2019 10:38 #2 by admin3
Replied by admin3 on topic Re: Trusted SSL Certificate
It seems like you've set up the certificate correctly - do check that the certificate provided is the one you had signed and not the router's self-signed one.
The current implementation of chain certificates has some specific requirements:

  • For a certificate with chain to work, your certificate authority needs to be able to provide the private key and your certificate as separate files
  • If the certificate authority only allows CSR or PKCS12, then certificate signing must currently be performed on another PC / device that can export the private key
  • A certificate with chain file is made by copying the contents of the chain cert in Notepad and pasting it at the end of the signed certificate, or your certificate authority will provide a file that combines the two
  • Import the cert+chain as the certificate and the private key (3rd method in the import cert section)
  • PKCS12 and CSR methods currently don't support certificate with chain


Forum Administrator


25 Feb 2019 15:26 #3 by wdesousa
Replied by wdesousa on topic Re: Trusted SSL Certificate
Hey buddy,

Thanks v much for the reply.

> For a certificate with chain to work, your certificate authority needs to be able to provide the private key and your certificate as separate files

From what I can see my certificate provider only gives me access to CSR and p7b files. They don't give me an option to download private key files.

> If the certificate authority only allows CSR or pkcs12, then certificate signing must currently be performed on another PC / device that can export the private key

That makes sense - but I'm struggling with this step. OpenSSL and other tools seem to allow me to export what I need - but they need the private key to create the pkcs12 - and I'm assuming the private key is created and stored on the DrayTek during the CSR generation stage? I also see that IIS/Firefox will allow me to import then export a pkcs12, but it fails on import: "Can't be installed because you do not own the corresponding private key".

So I'm really stuck now.. Forgive my ignorance, but do I need to generate the CSR on another device which allows me to save the private key, then get the certificate with this CSR and then import into the 2860 the cer/private key or pkcs12 file?

thanks again for your help....


26 Feb 2019 13:06 #4 by wdesousa
Replied by wdesousa on topic Re: Trusted SSL Certificate
Hi again,

With your guidance and more reading it's now clear that I need to generate the CSR / private key on another device and then merge and import it back into the 2860.

So, using OpenSSL I created the CSR and a private key file - the CA authority then signed it and I received the following files: Server Certificate, Intermediate Certificate and Root Certificate.

Using OpenSSL I merged those 3 files with the private key into a PKCS12 file - imported it and got "Upload Fail ... The imported file format is wrong or password is wrong." (password is 100% correct).

So I then manually merged the 3 files' certificate text into one .cer file and imported this along with the private key file, and it accepts it and the certificate status is OK. However the security alert is still coming up when browsing to the domain / router - displaying a self-signed certificate - and when I check the certificate text in the router using View it only shows the code from the Server Certificate and not the other 2.

Stuck again!!!

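A worked version of the procedure admin3 lays out (key and CSR made off-router, signed cert with the intermediate appended, key kept as a separate file) and that wdesousa then carried out with OpenSSL. This is an added example, not from the thread or from DrayTek; it assumes openssl is installed, and router.example.com and the file names are placeholders. The checks catch the two failures seen in this thread: a key mixed into the certificate file, and a chain file that does not actually validate.

```shell
#!/bin/sh
# Added example, not from the thread or from DrayTek: the off-router OpenSSL steps
# the admin describes, plus checks on the result before it is uploaded.
# router.example.com and all file names are placeholders.
set -eu

# Step 1: generate the private key and CSR on a PC, not on the router, so the key
# can be kept and uploaded later as a separate file.
make_key_and_csr() {   # $1 = working dir, $2 = router hostname
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$2" \
    -keyout "$1/router.key" -out "$1/router.csr" 2>/dev/null
}

# Step 2: after the CA signs the CSR, make the "certificate with chain" file:
# signed (server) certificate first, then the intermediate(s), as PEM text.
# This file goes in as the certificate; router.key goes in as the private key.
build_chain_file() {   # $1 = signed cert, $2 = intermediate cert, $3 = output file
  cat "$1" "$2" > "$3"
}

# Step 3: checks worth running before the upload.
#  - at least two CERTIFICATE blocks and no PRIVATE KEY block (mixing the key into
#    the certificate file is what the router rejects as a format error)
#  - the server certificate verifies through the intermediate up to the root
#  - the private key matches the server certificate's public key
check_chain_file() {   # $1 = chain file, $2 = private key, $3 = root CA cert
  [ "$(grep -c 'BEGIN CERTIFICATE' "$1")" -ge 2 ] || return 1
  if grep -q 'PRIVATE KEY' "$1"; then return 1; fi
  # 'openssl x509 -in' reads only the first block, i.e. the server certificate
  openssl x509 -in "$1" | openssl verify -CAfile "$3" -untrusted "$1" >/dev/null 2>&1 || return 1
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}
```

In practice the root file passed to check_chain_file is the CA's root certificate, and the intermediate is the one the CA supplied with the signed certificate.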

26 Feb 2019 14:38 #5 by wdesousa
Replied by wdesousa on topic RESOLVED
EDIT: Resolved.

Finally got it working by manually merging certificates and uploading with private key.

Flushed DNS and it's working..

Thanks for your help!!
