Graphic Motion Video Art, Website, IT Network, Culture

Loading...
Redirect HTTPS Hotspot Login Page Mikrotik Self-Signed Certificate
In order to provide the best service for your client, and for those of you who just start a new business or just want to share the internet connection using mikrotik hotspot servers, you need to know the aspects of the accessing https hotspot login page. Before we go further to create the web login template/interface to the hotspot login, I think it is require to improve the understanding of the access https hotspot login page, so that can be resolve the problems that may be found in the future, this is the one of the important things that we must know in building hotspot server systems.


HTTPS is a secure HTTP connection that using SSL (Secure Socket Layer) protocol to encrypt transmissions to provide protection from eavesdroppers attacks that use port 443. In other word, HTTPS is using for the secure connection over the clients that will increase the confidence of the client to use the website page connection. Using HTTPS connections associated with SSL Certificates that contains the data files of the organization's.

To use HTTPS connections that allow the clients access Hotspot login page, we need to install SSL certificate that will initiate secure sessions to the browsers. Keep in mind Hotspot login page will act as the web server to our hotspot client that the files is located in the router. Actually when the clients want to access the login page the internet connection is already up to the clients but to use the internet they have to login through the hotspot server rules.  So the clients request to use firewall rules into hotspot login page using the account member.


Look at the picture above! This is the previous configuration of the hotspot server profile that only use HTTP CHAP. This is the standard method access the hotspot login page, HTTP CHAP is unencrypted connection for the security consideration it is not recommended, so that the client can access the login page Using HTTP Connection.
The client will be redirecting to the login page when typing such agratitudesign.blogspot.com, wiswaweb.com that only use HTTP connection, and google.com, youtube.com that uses both connection, HTTP and HTTPS.

But when the client using such a facebook.com, github.com, this is very strict just only use HTTPS connections as their trusted identity. or inadvertently entered through the complete url like this https://www.youtube.com/. Our clients will not redirecting to the login page.

What do you think if the clients meet like this, oh error, trouble, bad service. Actually the internet connection is already but where is the login page? they should use the HTTP connection to login or just typing such 192.168.1.1/login or hotspot dns name such hotspot.wiswaweb.com. But not any advice, the something like a boom and they have stuck and this is likely not a good service for them.

As I said before, to use redirect HTTPS hotspot login page connections, we must use SSL Certificate. For widespread use for the professional website server, the SSL certificates should be excluded from the authorities, actually we must pay for this to be signed by trusted authority. When we have decided to buy SSL certificate make sure you must have domain name to be certified. Or when you have public IP you can create a free domain for the hotspot login page.

Ok no matter whether buy or get for free of the SSL certificate, I will show Self-Signed Certificate to prove how the process redirect https login page works using openSSL. You can download openssl-0.9.8k_WIN32 and openssl-0.9.8k_WIN64 depending on your system. Extract the zip file, and just put the folder/directory OpenSSL on the desktop and rename the folder as “openssl”. On the folder openssl, go to bin folder and click on openssl.exe to run openssl command prompt.

1. Creating self –signed our own CA (Certificate Authority)

First we generate the RSA Private Key in order Create CA (Certificate Authority). Certificate is containing our identity and organization details. For more faster just paste it on openssl command prompt one by one (look at the number of this command lines!).
genrsa -des3 -out ca.key 4096
req -config C:\Users\agus\Desktop\openssl\openssl.cnf -new -x509 -days 3650 -key ca.key -out ca.crt

The final goal in this step is creating “ca.key and ca.crt”. “C:\Users\agus\Desktop\openssl\openssl.cnf” is the path where the openssl.cnf  file is located. “Common Name : hotspot.wiswaweb.com” is a dns name of the hotspot server profile that used.

2. Creating self-signed hotspot server certificate

We generate the RSA Private Key, Certificate Signing Request (CSR) and finally self-signed hotspot server certificate itself.
genrsa -des3 -out server.key 4096
req -config C:\Users\agus\Desktop\openssl\openssl.cnf -new -key server.key -out server.csr
x509 -req -days 3650 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt

After this we can close openSSL command prompt, and now we have three hotspot server certificate files, that is server.key, server.csr, and server.crt.

3. Upload  and Import the self-signed certifate hotspot server files

Copy that tree server files and place into 1 folder, just named as key. Now we are going to upload the three files in folder key, we can also use winSCP, fireFTP, etc,  to make easier to upload and put the certificate files against another files on the router.


After upload the files we are going to import them to the router as the self-signed sertificate on the router system. Using winbox click System>Certificates. On the tab certificates, press import and and we look for the files that have been uploaded, as shown like the right picture above.  First we have to import server.crt, then server.key. In this case we just require server certificate the file that has extension .crt and the key files. We can see the information identity details of the self-signed certificate.

4. Change the configuration of the hotspot server mikrotik

After import the certificate, now we have certificate on the router system with the name cert_1. Go to the hotspot server profiles and activate HTTPS option Login by and use SSL certificate cert_1.  Don’t to activate SSL service port on the IP Service List that now using cert_1 certificate. Look at the pictures below!


Now we can see how the Self-Signed Certificate redirect https login page works on the hotspot clients. When I use 2 options login by “HTTP and HTTPS” with SSL Certificate “cert_1
The clients type : google.com, youtube.com, bloger.com, all the kind web server that use 2 type connections (HTTPS and HTTP) or the web server that just only have HTTP access, such wiswaweb.com. It’s no problem, the client could be redirected to login page https://hotspot.wiswaweb.com/login?...

The clients using the complete url : https://www.google.com/,  https:// youtube.com /,  https:// bloger.com. that means the clients use https access for the kind web server. In this case the clients will meet the security warning with add exception choice,  before could be redirected to login page https://hotspot.wiswaweb.com/login?...
The clients type : facebook.com, github.com and other web server that very strict just only use HTTPS connections. In this case the clients will meet the security warning with the notification only valid for  https://hotspot.wiswaweb.com/login?... 

But the security warning will be different on another browser, in this case I have use Mozilla Firefox. Self-signed certificate is the internal application that just signed by me or yourself, this is for our local system, but when using the internet connection, it won't recognize as trusted unless you buy the external certificate authority to remove the security warning.  But at least self-signed certificate as the prove how the process redirecting HTTPS works,  and the clients got the security warning that can add the exception and notification to access the hotspot login page.

Somebody said that this security warning can be resolve using the squid proxy on the internal network, but I still can not prove it. So the best choice to remove the security warning is the external certificate authority for your hotspot login page. Using a certificate free version still can not recognize your hotspot login page as trusted.

If you still consider that it is important and you have decided to buy an external certificate authority, you will get the certificate file and the key, and just need to  import the files as I show above on your router. But you must prepare your domain name. This is the best way for those of you who already have the website domain, and the hotspot login page is using a sub domain, such a hotspot.wiswaweb.com. There are much websites that provide SSL certificate authority services like startssl.com.

So that's all I can inform you about redirecting HTTPS hotspot login page, have a try and good luck!

Share This Article :
Related Articles

28 comments :

  1. Your post is really collection of such useful information and I personally would like to appreciate the efforts. Once again thanks for your post. I was looking for ssl certificates information your post gave me well guide.

    ReplyDelete
  2. You have done a great job. I will definitely dig it and personally recommend to my friends. I am confident they will be benefited from this site cardboard boxes

    ReplyDelete
  3. Hi,
    regarding this statement:
    -------
    ...but when using the internet connection, it won't recognize as trusted unless you buy the external certificate authority to remove the security warning. But at least self-signed certificate as the prove how the process redirecting HTTPS works, and the clients got the security warning that can add the exception and notification to access the hotspot login page.
    ----------------

    This is not true really. Certificate for your hotspot won't help you much, because it will be valid only for your hotspot's hostname, not for whatever external site user's browser thinks is connecting to.
    The "facebook screenshot" shows that you are trying to open https://facebook.com and you get a message that the site that IS opening (your hotspot) has a certificate that is valid ONLY for the hotspot - it excpected the Facebook certificate. This means there is no way to get past this... at least not yet.
    Further reading - HSTS explained (the reason for these things happening):
    https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
    http://forum.mikrotik.com/viewtopic.php?f=1&p=493783

    ReplyDelete
  4. What about:
    Deprecation of Internal Server Names and Reserved IP Addresses

    see: https://cabforum.org/wp-content/uploads/Guidance-Deprecated-Internal-Names.pdf

    I'm presuming the client will be blocked, ie no way to negate the warning as of next year?

    Even with a self-signed CA the common name, be it a private IP or DNS needs to be validated?

    and as hotspots are public the client does not hold the self signed CA as a trusted body which is what CAB suggest as a work around?

    ReplyDelete
  5. Hello! Your site is awesome! keep it on. thanks for sharing this information. California individual asset search

    ReplyDelete
  6. You’ve written nice post, I am gonna bookmark this page, thanks for info. I actually appreciate your own position and I will be sure to come back here.
    Signature:
    i like play games happy wheels online and play happy wheels 2 games and agario , fireboy watergirl , agar io

    ReplyDelete
  7. Hi, This one thing what has been searching for quite a while. postings.com

    ReplyDelete
  8. Dear admin,
    How can I buy external certificate? My website domain was hosting in Godaddy. So do I need to buy in godaddy?

    ReplyDelete
  9. It's true Bluehost is the industry leading hosting provide and they are best For wordpress Hosting, I written an Bluehost wordpress Hosting review and The about Bluehost Discount coupon code.
    Bluehost Discount

    ReplyDelete
  10. Which type of SSL should I buy for browsers trusted. I have one domain. Please advise me.

    ReplyDelete
  11. Today I want to introduce you to some games for entertainment after hours of work stress, relax and give me feedback about it
    baixar musicas l snapchat l run 2 l geometry dash 2.0

    ReplyDelete
  12. I want to setup https (trusted ssl) login in my hotspot. I already bought the ssl certificate. Anyone can help me?

    ReplyDelete
  13. This comment has been removed by the author.

    ReplyDelete
  14. Betting on Casino Advantages
    Sbobet Online gambling is the most popular way to win money online games to win new customers who are excited to play online gambling. The online games of our website are always fun to play and win online games are not boring. A new online betting site where you will be able to conveniently place your bets on the online casino games that meet every client's needs. Whether it is a game online, we are ready to serve you. Because of our website, there are many games to choose from. New Online Betting Line Betting Without Wager We also provide the services of experienced staffs who are always available to play online games at reasonable prices and can meet the needs of all users. And do not miss the new games that you enjoyed before. With the promotion of all online gambling games that make it worth playing. Use the online slot machine game where you will be able to get more enjoyment every time you click here. คาสิโน

    ReplyDelete
  15. Thank you for this technique. Sometimes web page is under development and user needs to re direction. custom boxes and packaging

    ReplyDelete
  16. Love all of the tips and the shower is adorable! You have so many details and everything came together so cute. Thanks a lot for this article, I very interested with this published. Your post is incredibly fantastic with a lot of interesting information and impressive posting style. i have also an websites related to boxes where provide services related to boxes. we are custom box manufacturers i have lots of question in my mind regarding gift packing design after reading this post lot’s of question clear on my mind.

    ReplyDelete
  17. the particular boot worked well regarding endeavours quick baseball shoes or boots and also extended, quickly and also gradual remarkable gents shoes or boots https://www.bolksports.com/palladium-c-375.html adaptability to get a average stableness instructor. Missoni merely teamed upwards together with Adidas to get a limited-edition distinct UltraBoosts that might be long gone sports activity shoes or boots one Palladium boots online shop which just Yahoo contract inside German. Most commonly known for the radiant knitwear and also progressive shoes or boots on the market color strategies, the particular fashio.

    ReplyDelete
  18. procedere. Ciò ti offre molto più spazio per sgombrare il vano piedi insieme a una partita molto più comoda. Waveknit potrebbe migrare per aumentare il numero di calzature all'interno della selezione; Scarpe Nike Zoom Fly 3 Rise vendita sono le calzature da uomo in questo momento la funzione importante di Waveknit C1 e Influx Skies Waveknit 3, per esempio.

    ReplyDelete
  19. Hi this is SaiVijay, I'am from Chennai. I'am a technical writer for a digital marketing company in Chennai for more than five years. And its my own passion to choose this field. I have to write a creative articles, novels, documents. My hobbies are drawing, playing foot ball and playing cricket also. My most favorite one is "Be Tvastra" which one is the most memorable one in my works. I have suggest you to read the articles.
    Digital Marketing Company in Chennai
    Digital Marketing Agency in Chennai
    SEO services in Chennai
    SEO company in Chennai
    Web Design Company in Chennai
    Web Development Company in Chennai
    top 10 digital marketing companies in chennai
    digital marketing companies in chennai
    best digital marketing agency in chennai
    digital marketing companies in anna nagar
    seo services company in chennai
    Best SEO Companies In Chennai
    cheap seo in chennai

    ReplyDelete
  20. If we’re buying a modern BMW, we’re buying the M2 Comp and never looking back.

    We've been waiting a good little while to get our hands on the 2020 BMW M2 Competition for a proper Pro Racer's Take track test, which might sound a little strange. BMW's little coupe has spent plenty of time the hands of Automobile staffers and testers, including the recent test drive report linked above. We also awarded it a 2019 Automobile All-Stars trophy as one of the year's best cars. So, you might wonder, what's the big deal?

    For starters, we always want to see what our in-house professional driver Andy Pilgrim can do with any car we test on the fast, daunting NCM Motorsports Park Road Course in Bowling Green, Kentucky. Ultimately, it provides a no-speeds-barred look at what something like the 2020 BMW M2 Competition can do when tested to its absolute limits. On top of that, we've previously enjoyed the M2 Competition so much, we don't believe you can ever get enough exposure to the overall goodness a car like this provides, both to actual owners and to enthusiasts who admire it from afar.

    There's plenty to admire about the 2020 BMW M2 Competition. Some of our previous analyses of the car include glowing statements like:

    "A return to form for the M Division."

    "Immensely satisfying to drive, even back to back against supercars."

    "The BMW that best captures the spirit of the 2002 era more than anything in the marque's stable."

    "Lively rear end, with connected steering that allows consistent corner-entry rotation, apex scraping, and really quick exit speeds. Big smiles, top fun!"

    A lot of the enjoyment derived from driving the 2020 BMW M2 Competition arrives courtesy of its 405-horsepower, 406-lb-ft turbocharged I-6 engine, but there are plenty of other hardware upgrades compared to the standard M2 it has replaced in BMW's M-car lineup. Along with the engine, they include larger air intakes, bigger brakes, different spring and damper rates, and more chassis reinforcements, resulting in an incredibly focused modern driver's car.

    Oh, and if you enjoy a bit of drifting "here and there," this test of the 2020 BMW M2 Competition has you covered on that front, too. So hit the Play button now to see the M2 Competition running in all of its fiery glory, and then check our overall Pro Racer's Take leaderboard to see how it stacks up to some of the actual competition we've also put to the test previously. ดูบอลสด



    Contact us by Line ID: @ufa98v2

    ReplyDelete
  21. This makes me quite well understanding of Https redirects & will definitely apply in my domain
    Buy Essays from Essaywritingservices.ca

    ReplyDelete
  22. Hey, I am sophia william provide homework help at The Student Helpline. I read your blog and find it interesting and very informative. Keep sharing posts like this. I also write blogs you can read and it will definitely be helpful for you.
    Blog: Professionalism In Nursing

    ReplyDelete
  23. The Best Web Developers Agency is a team of experienced web developers that specialize in creating and optimizing websites for clients. Their work is always professional and of the highest quality. They are experienced in all the latest technologies, from WordPress and Drupal to HTML and JavaScript. They provide custom solutions for clients, whether it's a simple website or a complex e-commerce site. They have the experience and knowledge to create websites that are attractive, user-friendly, and secure. With the Best Web Developers Agency, you can be sure that you are getting the best web development services available.

    ReplyDelete
  24. This makes me quite well understanding of Https redirects & will definitely apply in my domain essay writing services in uae.

    ReplyDelete

Back to Top