NETGEAR is aware of a growing number of phone and online scams. To learn how to stay safe click here.

Forum Discussion

ceebee6cc's avatar
Jul 08, 2026

Accessing orbilogin.local shows an error "certificate is using a broken key size" in Safari MacOS

The attached screen shot shows the error when trying to access the admin interface at orbilogin.local on my network using Safari in MacOS Sequoia.

 

It seems to be related to another Netgear domain:

 

routerlogin.net

Issued by: routerlogin.net

Expires: Sunday, 8 October 2124 at 08:55:21 British

Summer Time

@ "routerlogin.net" certificate is using a broken key size

 

Apart from setting to "Always Trust" which I'm loath to do, is there a workaround for this certificate issue? Neither the Netgear forums nor a Google search give anything particularly relevant. 

 

TIA

 

Chris

12 Replies

  • StephenB's avatar
    StephenB
    Guru - Experienced User
    ceebee6cc wrote:

    is there a workaround for this certificate issue?

    Try logging in as using Orbi's IP address instead of the URL.  (easiest to use the ipv4 address).

     

    FWIW, I am not seeing this issue with Chrome on a Windows PC.  

  • Thanks for replying. You should see Chrome complain if you try either of these links

     

    https://<your IPv4 address>

     

    or

     

    https://orbilogin.local

     

    It will of course not show a certificate error if you simply use http:// rather than https:// but I'd prefer to find out what the Netgear certificate is so badly broken.

     

    (I can't use IPv6 either as it's also broken in the current firmware release)

     

     

     

    • StephenB's avatar
      StephenB
      Guru - Experienced User
      ceebee6cc wrote:

      Thanks for replying. You should see Chrome complain if you try either of these links


      https://<your IPv4 address>

      or

      https://orbilogin.local

       

      Both connect for me with no problems.  I tried Chrome, Edge and Firefox (being careful to use https).

       

      Of course I do need to click through the certificate warning - that is expected with a self-signed cert.  But no errors related to the key size.

       

      Note I am using a Windows PC.

       

      FWIW, routerlogin.net's certificate looks fine to me.

      • signature algorithm of SHA-256 with RSA Encryption
      • RSA key length is 2048 bits
      • fingerprints are SHA-256

      These meet current security standards, and shouldn't create any issues with Safari or other modern browsers.

       

      The 10 year validity period ( 21 Jan 2026 - 19 Jan 2036) might be the problem.  Apple says they want 825 days or less.  But this has been out there for some time, and I would have expected to see more complaints if this happened with every safari user.

       

      ceebee6cc wrote:

      Issued by: routerlogin.net

      Expires: Sunday, 8 October 2124 at 08:55:21 British

      Summer Time

       

      I am seeing a different expiration date, so I am thinking that somehow you might not be getting the correct cert.

       

       

      Have you tried

      1. clearing the Safari Cache and data?
      2. disabling any VPN that is enabled
      3. turning off iCloud Private Relay (if you use it)

       

       

      donawalt​ ​:  Are you seeing this issue with Safari (using https://) 

       

      • ceebee6cc's avatar
        ceebee6cc
        Tutor

        Thanks for checking. It’s not going to cause me sleepless nights, so I’ll leave it as just “one of those things”. It doesn’t impact the actual security of the connection internally but appreciate you checking. 

  • donawalt's avatar
    donawalt
    Hero - Experienced User

    I think there may actually be two different issues here.

     

    First, orbilogin.local doesn’t appear to be a generally supported access method on current Orbi models. I tested it on an Orbi 970 from both macOS and Windows, and it doesn’t resolve at all (ping orbilogin.local fails, and Bonjour/mDNS doesn’t advertise that name). However, orbilogin.com, routerlogin.net, and the router’s LAN IP all work normally. So you could use https://192.168.1.1, https://orbilogin.net, or https://orbilogin.com to access the router, albeit going through the certificate warning first.

     

    Interestingly, Netgear’s documentation almost always references orbilogin.com and routerlogin.net. I searched netgear.com via Google, the only Netgear.com reference I could find on the whole site that mentions orbilogin.local is for the Orbi 770 series, not the 870 or any other router. That makes me wonder whether .local is only implemented on the 770 - or that even that reference could be an error. Since ceebee6cc​ has an 870 system, and mine is a 970, I really don't think orbilogin.local is supported at all in those routers' firmware.

     

    The certificate warning is probably a separate issue. As others have implied, current versions of Safari are much stricter about older self-signed certificates than they used to be. I also receive a certificate warning when accessing my Orbi over HTTPS by IP, orbilogin.net or by orbilogin.com, but after accepting the warning the admin page loads normally.

     

    Does https://orbilogin.com, https://routerlogin.net, or https://192.168.1.1 work for you? If they do, I’d be inclined to ignore orbilogin.local unless Netgear specifically says the 870 should support it. I don't think it does.

    • FURRYe38's avatar
      FURRYe38
      Guru - Experienced User

      routerlogin.net is mostly supported on Nighthawk router systems. Orbi uses orbilogin.com or router IPv4  IP address. Which I mostly use is the IP address on my 870 series all the time. 

      Ya, you'll get cert warnings on most newer browsers. One you accept the warning, you won't see it. Been like this for years. Browser security tag back and forth. 

      https://kb.netgear.com/000061003/I-get-a-security-warning-in-my-browser-when-I-try-to-log-in-to-my-NETGEAR-or-Orbi-router-what-do-I-do

       

    • StephenB's avatar
      StephenB
      Guru - Experienced User
      donawalt wrote:

      First, orbilogin.local doesn’t appear to be a generally supported access method on current Orbi models. I tested it on an Orbi 970 from both macOS and Windows, and it doesn’t resolve at all (ping orbilogin.local fails, and Bonjour/mDNS doesn’t advertise that name).

      As I said in my earlier post, I was able to connect using orbilogin.local to my own Orbi 870.

       

       

      Ping resolves it to a link-local ipv6 address

      Pinging orbilogin.local [fe80::5607:7dff:fe20:2aed%17] with 32 bytes of data:
      Reply from fe80::5607:7dff:fe20:2aed%17: time=4ms
      Reply from fe80::5607:7dff:fe20:2aed%17: time=1ms
      Reply from fe80::5607:7dff:fe20:2aed%17: time=2ms
      Reply from fe80::5607:7dff:fe20:2aed%17: time=2ms
      

       

       

      Powershell also shows the ipv4 address of my router

       Resolve-DNSName -Name orbilogin.local
      
      Name                                           Type   TTL   Section    IPAddress
      ----                                           ----   ---   -------    ---------
      orbilogin.local                                AAAA   4500  Answer     fe80::5607:7dff:fe20:2aed
      orbilogin.local                                A      4500  Answer     10.0.0.1
      orbilogin.local                                AAAA   4500  Answer     fe80::5607:7dff:fe20:2aed
      orbilogin.local                                A      4500  Answer     10.0.0.1

       

      mDNS is not advertising the name - at least neither of the mDNS viewers I tried found it.  (One running on a windows PC, the other running on my iPhone).  So this has to be coming from the Orbi's DNS resolver (the PC resolver is set to 10.0.0.1 by DHCP).

       

      Oddly, when I look at the certificate for https://10.0.0.1, , the common name of the self-signed cert is routerlogin.net (which is also what ceebee6cc​ is also seeing).

       

      FWIW, both ipv6 and UPnP are disabled in the router.

  • I did not realize that orbilogin.local is one of the URL's that Orbi routers intercept and provide their own IP address for (rather than perform DNS lookup.)

  • donawalt's avatar
    donawalt
    Hero - Experienced User

    Since it’s not mentioned anywhere on the NETGEAR website other than one obscure place, I have to believe this is just an artifact from the past that may or may not work based on the network and configuration. Since they’re at least three other HTTPS alternatives that are documented and that can be used with HTTPS, why not just use one of those…

  • donawalt's avatar
    donawalt
    Hero - Experienced User

    Wow so much for Google lol. In any case, if there are 3 other https choices, why spend time on this?

    • StephenB's avatar
      StephenB
      Guru - Experienced User
      donawalt wrote:

      if there are 3 other https choices, why spend time on this?

      No idea what Netgear is thinking.

       

      But this is way off the original question, which was about the key size error thrown by safari with the 870's routerlogin.net self-signed cert (which happens no matter what https method you use).

       

      If we're right in thinking that the problem is the validity date range, then safari users will have to use http with their 870 and perhaps other Orbi models (and hopefully NOT configure the router to only accept https).