How do I use my own (self-signed) certificates with CDRouter's ACS?

CDRouter TR-069 has a default ACS certificate for TR-069/CWMP SSL connections. The default certificate has the common name CN=acs.cdroutertest.com and CDRouter will automatically provide a DNS entry for this name to match the configured ACS IP address. If you use our default certificate, you may also need to load a new root CA on your CPE device. Please see the following note on loading a root CA on your CPE.

If you are using your own certificates, you must create a server certificate in PEM format that includes both the public certificate and a non-encrypted private key. NOTE: You cannot use encrypted private keys in your certificate file, since CDRouter will not decrypt them.

If your private key is encrypted using a passphrase, it will look something like:

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-CBC,*************

**********************************************************
**********************************************************
**********************************************************
-----END RSA PRIVATE KEY-----

You can decrypt the private key using the following openssl command:

$ openssl rsa -in protect.key -out not-protected.key

OpenSSL will prompt you for the passphrase in order to decrypt the key. After decrypting your private key, it should look like:

-----BEGIN RSA PRIVATE KEY-----
**********************************************************
**********************************************************
**********************************************************
-----END RSA PRIVATE KEY-----

Your public certificate and private RSA key should be placed in the same *.pem file. You can then configure the ACS server to use this certificate using the testvar acsCertPath.

testvar acsCertPath /root/cdrouter/myserver.pem

You will also need to create a DNS host entry for the common name (CN) in the certificate and use this domain as your ACS URL. The common name can be determined by viewing the contents of the certificate, as described in the Knowledge Base article "How do I display the contents of a SSL certificate?" The DNS host entry for the common name should match the IP address of the ACS.

testvar dnsHostname1 myserver.foo.com
testvar dnsIp1       6.0.0.1
testvar acsIp        6.0.0.1
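
Before pointing acsCertPath at your bundle, you can confirm that it contains a certificate and a private key that is not passphrase-protected. The script below is an added example, not part of CDRouter or the original article; the function name check_acs_pem, its return codes and the permission warning are assumptions made for this example. It goes beyond the RSA case shown above by also recognizing PKCS#8 "ENCRYPTED PRIVATE KEY" blocks.

```shell
#!/bin/sh
# Added example (not CDRouter code): sanity-check a PEM bundle before
# pointing acsCertPath at it. Name and return codes are this example's own:
#   0 ok, 1 unreadable, 2 no certificate, 3 no private key, 4 key encrypted
check_acs_pem() {
    pem=$1
    [ -r "$pem" ] || { echo "$pem: cannot read file" >&2; return 1; }

    grep -q -e '-----BEGIN CERTIFICATE-----' "$pem" ||
        { echo "$pem: no certificate block" >&2; return 2; }

    # Covers "RSA PRIVATE KEY", "EC PRIVATE KEY", PKCS#8 "PRIVATE KEY"
    # and PKCS#8 "ENCRYPTED PRIVATE KEY" labels.
    grep -Eq -e '-----BEGIN ([A-Z]+ )*PRIVATE KEY-----' "$pem" ||
        { echo "$pem: no private key block" >&2; return 3; }

    # Traditional PEM keys flag encryption with a Proc-Type header;
    # PKCS#8 uses its own BEGIN ENCRYPTED PRIVATE KEY label.
    if grep -Eq -e '^Proc-Type: 4,ENCRYPTED' \
                -e '-----BEGIN ENCRYPTED PRIVATE KEY-----' "$pem"; then
        echo "$pem: private key is passphrase-protected; decrypt it first" >&2
        return 4
    fi

    # The bundle now holds a cleartext key: warn if group/other can read it.
    if [ -n "$(find "$pem" \( -perm -040 -o -perm -004 \) 2>/dev/null)" ]; then
        echo "$pem: warning: readable by group/other, consider chmod 600" >&2
    fi
    return 0
}

# Run against a file when one is given: sh check.sh /path/to/myserver.pem
[ $# -eq 0 ] || check_acs_pem "$1"
```

A return code of 4 means the key still needs the openssl rsa step described above before the file can be used.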