NETGEAR is aware of a growing number of phone and online scams. To learn how to stay safe click here.
Forum Discussion
ceebee6cc
Jul 08, 2026Tutor
Accessing orbilogin.local shows an error "certificate is using a broken key size" in Safari MacOS
The attached screen shot shows the error when trying to access the admin interface at orbilogin.local on my network using Safari in MacOS Sequoia.
It seems to be related to another Netgear domain:
routerlogin.net
Issued by: routerlogin.net
Expires: Sunday, 8 October 2124 at 08:55:21 British
Summer Time
@ "routerlogin.net" certificate is using a broken key size
Apart from setting to "Always Trust" which I'm loath to do, is there a workaround for this certificate issue? Neither the Netgear forums nor a Google search give anything particularly relevant.
TIA
Chris
12 Replies
- StephenBGuru - Experienced User
ceebee6cc wrote:
is there a workaround for this certificate issue?
Try logging in as using Orbi's IP address instead of the URL. (easiest to use the ipv4 address).
FWIW, I am not seeing this issue with Chrome on a Windows PC.
Thanks for replying. You should see Chrome complain if you try either of these links
or
It will of course not show a certificate error if you simply use http:// rather than https:// but I'd prefer to find out what the Netgear certificate is so badly broken.
(I can't use IPv6 either as it's also broken in the current firmware release)
- StephenBGuru - Experienced User
ceebee6cc wrote:
Thanks for replying. You should see Chrome complain if you try either of these links
https://<your IPv4 address>
or
https://orbilogin.localBoth connect for me with no problems. I tried Chrome, Edge and Firefox (being careful to use https).
Of course I do need to click through the certificate warning - that is expected with a self-signed cert. But no errors related to the key size.
Note I am using a Windows PC.
FWIW, routerlogin.net's certificate looks fine to me.
- signature algorithm of SHA-256 with RSA Encryption
- RSA key length is 2048 bits
- fingerprints are SHA-256
These meet current security standards, and shouldn't create any issues with Safari or other modern browsers.
The 10 year validity period ( 21 Jan 2026 - 19 Jan 2036) might be the problem. Apple says they want 825 days or less. But this has been out there for some time, and I would have expected to see more complaints if this happened with every safari user.
ceebee6cc wrote:
Issued by: routerlogin.net
Expires: Sunday, 8 October 2124 at 08:55:21 British
Summer TimeI am seeing a different expiration date, so I am thinking that somehow you might not be getting the correct cert.
Have you tried
- clearing the Safari Cache and data?
- disabling any VPN that is enabled
- turning off iCloud Private Relay (if you use it)
donawalt : Are you seeing this issue with Safari (using https://)
Thanks for checking. It’s not going to cause me sleepless nights, so I’ll leave it as just “one of those things”. It doesn’t impact the actual security of the connection internally but appreciate you checking.
- donawaltHero - Experienced User
I think there may actually be two different issues here.
First, orbilogin.local doesn’t appear to be a generally supported access method on current Orbi models. I tested it on an Orbi 970 from both macOS and Windows, and it doesn’t resolve at all (ping orbilogin.local fails, and Bonjour/mDNS doesn’t advertise that name). However, orbilogin.com, routerlogin.net, and the router’s LAN IP all work normally. So you could use https://192.168.1.1, https://orbilogin.net, or https://orbilogin.com to access the router, albeit going through the certificate warning first.
Interestingly, Netgear’s documentation almost always references orbilogin.com and routerlogin.net. I searched netgear.com via Google, the only Netgear.com reference I could find on the whole site that mentions orbilogin.local is for the Orbi 770 series, not the 870 or any other router. That makes me wonder whether .local is only implemented on the 770 - or that even that reference could be an error. Since ceebee6cc has an 870 system, and mine is a 970, I really don't think orbilogin.local is supported at all in those routers' firmware.
The certificate warning is probably a separate issue. As others have implied, current versions of Safari are much stricter about older self-signed certificates than they used to be. I also receive a certificate warning when accessing my Orbi over HTTPS by IP, orbilogin.net or by orbilogin.com, but after accepting the warning the admin page loads normally.
Does https://orbilogin.com, https://routerlogin.net, or https://192.168.1.1 work for you? If they do, I’d be inclined to ignore orbilogin.local unless Netgear specifically says the 870 should support it. I don't think it does.
- FURRYe38Guru - Experienced User
routerlogin.net is mostly supported on Nighthawk router systems. Orbi uses orbilogin.com or router IPv4 IP address. Which I mostly use is the IP address on my 870 series all the time.
Ya, you'll get cert warnings on most newer browsers. One you accept the warning, you won't see it. Been like this for years. Browser security tag back and forth.
- StephenBGuru - Experienced User
donawalt wrote:
First, orbilogin.local doesn’t appear to be a generally supported access method on current Orbi models. I tested it on an Orbi 970 from both macOS and Windows, and it doesn’t resolve at all (ping orbilogin.local fails, and Bonjour/mDNS doesn’t advertise that name).
As I said in my earlier post, I was able to connect using orbilogin.local to my own Orbi 870.
Ping resolves it to a link-local ipv6 address
Pinging orbilogin.local [fe80::5607:7dff:fe20:2aed%17] with 32 bytes of data: Reply from fe80::5607:7dff:fe20:2aed%17: time=4ms Reply from fe80::5607:7dff:fe20:2aed%17: time=1ms Reply from fe80::5607:7dff:fe20:2aed%17: time=2ms Reply from fe80::5607:7dff:fe20:2aed%17: time=2msPowershell also shows the ipv4 address of my router
Resolve-DNSName -Name orbilogin.local Name Type TTL Section IPAddress ---- ---- --- ------- --------- orbilogin.local AAAA 4500 Answer fe80::5607:7dff:fe20:2aed orbilogin.local A 4500 Answer 10.0.0.1 orbilogin.local AAAA 4500 Answer fe80::5607:7dff:fe20:2aed orbilogin.local A 4500 Answer 10.0.0.1mDNS is not advertising the name - at least neither of the mDNS viewers I tried found it. (One running on a windows PC, the other running on my iPhone). So this has to be coming from the Orbi's DNS resolver (the PC resolver is set to 10.0.0.1 by DHCP).
Oddly, when I look at the certificate for https://10.0.0.1, , the common name of the self-signed cert is routerlogin.net (which is also what ceebee6cc is also seeing).
FWIW, both ipv6 and UPnP are disabled in the router.
- HappyCatApprentice
I did not realize that orbilogin.local is one of the URL's that Orbi routers intercept and provide their own IP address for (rather than perform DNS lookup.)
- donawaltHero - Experienced User
Since it’s not mentioned anywhere on the NETGEAR website other than one obscure place, I have to believe this is just an artifact from the past that may or may not work based on the network and configuration. Since they’re at least three other HTTPS alternatives that are documented and that can be used with HTTPS, why not just use one of those…
- StephenBGuru - Experienced User
donawalt wrote:
why not just use one of those
Personally I just use http://10.0.0.1
The question here was really centered on the key-size error ceebee6cc got.
donawalt wrote:
Since it’s not mentioned anywhere on the NETGEAR website other than one obscure place
Sorry, not the case.
I see five KB articles
- https://kb.netgear.com/31017/How-do-I-set-up-my-Orbi-WiFi-System (in the "using a web browser")
- https://kb.netgear.com/31142/Why-can-t-I-access-orbilogin-com-or-orbilogin-local
- https://kb.netgear.com/24830/How-do-I-use-access-control-to-allow-or-block-devices-from-accessing-the-Internet-on-my-Nighthawk-router-or-Orbi-system
- https://kb.netgear.com/24220/How-to-reset-your-NETGEAR-router-admin-password
- https://kb.netgear.com/000070386/How-do-I-reserve-an-IP-address-on-my-Orbi-WiFi-system
Also 97 references in the 870 manual (though they incorrectly qualify use to MacOS and iOS only, and it definitely works for Windows).
Plus 97 more in the 370 series manual...
It looks like Netgear might be switching slowly to .local, since the two newest Orbi families both have it.
- donawaltHero - Experienced User
Wow so much for Google lol. In any case, if there are 3 other https choices, why spend time on this?
- StephenBGuru - Experienced User
donawalt wrote:
if there are 3 other https choices, why spend time on this?
No idea what Netgear is thinking.
But this is way off the original question, which was about the key size error thrown by safari with the 870's routerlogin.net self-signed cert (which happens no matter what https method you use).
If we're right in thinking that the problem is the validity date range, then safari users will have to use http with their 870 and perhaps other Orbi models (and hopefully NOT configure the router to only accept https).