Open VPN cert issues with RAX15

tokarzmirs
Aspirant

Hoping someone has an idea on how to recreate or replace the SSL cert in a Netgear router. I am a Mac user using VPN Tracker, which is arguably the best VPN client on the Mac OS side. I have at least three clients with similar models of Netgear routers, and I have them all configured to use their built-in OpenVPN. This works fine when I set up the first router in my VPN client, and the configuration for VPN Tracker automatically adds the cert files to the Mac OS Keychain. Unfortunately, when I try to add a second configuration for another client's Netgear router, the cert cannot be added to the keychain because it is considered to be the exact same cert by the Keychain (same ID and serial no). With no cert specified, the configuration is not valid and won't connect.

 

VPN Tracker support looked into this and it appears to be one of those things where I am the only one with this problem to date ;-( but here is what they determined:

 

"We found the problem but I'm afraid there's not a good/easy solution for this. The very short version is that Netgear violates the standard (RFC 5280) which makes their certificates collide with each other. Because of this, the macOS keychain is not able to tell that they are different."

 

They then referenced a forum entry on Spiceworks wherein someone was provided "special instructions" for replacing the SSL cert by a Netgear tech:

 

"We found a forum entry where a user had the problem that he needed to replace the VPN certificate on a Netgear Nighthawk R7000, which isn't officially supported, yet Netgear replied and sent him some "secret instructions" that they don't seem to share in public. If it is possible to change certificates somehow, this is something which can be used to fix this issue by just creating an alternative certificate on one of your two devices. So please contact Netgear about how to replace the certificates (since we're not Netgear customers they do not respond to us, unfortunately)."

 

So I guess my question is, is there a way to replace the VPN certificate on any recent Netgear router running OpenVPN so that I can have three unique certificates and therefore be able to create three configurations in VPN Tracker? Any insights are most appreciated, and Netgear phone and chat support had no solution for me other than to delete and recreate each config in my VPN client whenever I want to make a new connection.

Message 1 of 3
RangerX
Apprentice

Re: Open VPN cert issues with RAX15

I had a similar question a year ago for the RAX35 and RAX40 routers. I never got an answer.

I tried different ways to force the creation of a new server (router) certificate and related client certificate but was never successful. It appeared the certificate is fixed on the router. 

This means if a device is stolen or the client certificate gets in the wrong hands then you might as well disable the Netgear's built-in OpenVPN as you cannot revoke/invalidate the client certificate and you cannot generate a new pair of server/client certificates. Obviously Netgear has no business utilizing such a flawed implementation of OpenVPN since this is not a secure implementation.

 

If you get a response that explains how to do this please let me know. Thanks.

Message 2 of 3
tokarzmirs
Aspirant

Re: Open VPN cert issues with RAX15

Thanks for the info, I hadn't even considered the security ramifications of this, only the annoyance factor. So far Netgear support has instructed me to change the port numbers for TUN and TAP on the router and then generate a new set of credentials, but that has nothing to do with the cert so I am not sure they even understood the question. The tech did ask for my phone no. and if he calls I will update this thread. Attached is what the Mac OS Keychain app shows when the Netgear certs are auto-added to it by my VPN client.

Message 3 of 3
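
The collision described in the first post, as an added example that is not from the thread, VPN Tracker or Netgear: RFC 5280 expects issuer name plus serial number to identify a single certificate, so this Python sketch flags different certificates that share both. The labels and sample bytes are constructed skeletons, not real router certificates.

```python
import hashlib
from collections import defaultdict

def read_tlv(buf, pos):
    """Read one DER TLV at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length

def issuer_and_serial(der):
    """Return (raw issuer Name bytes, serial number) of a DER X.509 certificate."""
    _, pos, _ = read_tlv(der, 0)              # Certificate SEQUENCE
    _, pos, _ = read_tlv(der, pos)            # tbsCertificate SEQUENCE
    tag, start, end = read_tlv(der, pos)
    if tag == 0xA0:                           # optional [0] version field
        tag, start, end = read_tlv(der, end)
    if tag != 0x02:
        raise ValueError("serialNumber INTEGER not found")
    serial = int.from_bytes(der[start:end], "big", signed=True)
    _, _, alg_end = read_tlv(der, end)        # skip signature AlgorithmIdentifier
    _, _, name_end = read_tlv(der, alg_end)   # issuer Name follows it
    return der[alg_end:name_end], serial      # byte-exact issuer comparison

def find_collisions(certs):
    """certs: {label: DER}. Groups of different certs sharing issuer and serial."""
    groups = defaultdict(dict)
    for label, der in certs.items():
        groups[issuer_and_serial(der)][label] = hashlib.sha256(der).digest()
    return [sorted(g) for g in groups.values() if len(set(g.values())) > 1]

def _der(tag, body):                          # short-form lengths only (samples)
    return bytes([tag, len(body)]) + body

def _sample(issuer_cn, serial, key_stub):
    """Constructed skeleton holding only the fields read above, not a real cert."""
    attr = _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x0C, issuer_cn.encode()))
    tbs = (_der(0xA0, _der(0x02, b"\x02")) + _der(0x02, bytes([serial]))
           + _der(0x30, b"") + _der(0x30, _der(0x31, attr)) + _der(0x04, key_stub))
    return _der(0x30, _der(0x30, tbs))

SAMPLES = {  # constructed: two "routers" reuse issuer + serial with different keys
    "router-A": _sample("router-ca", 1, b"KEY-AAAA"),
    "router-B": _sample("router-ca", 1, b"KEY-BBBB"),
    "other-vpn": _sample("other-ca", 1, b"KEY-CCCC"),
}
print(find_collisions(SAMPLES))
```

For certificates exported as PEM, convert each one to DER with `ssl.PEM_cert_to_DER_cert` before passing it in.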