One advantage of open source firmware is the ability to use https for accessing the web based configuration tools (aka Web GUI). However, with Tomato USB there is no obvious option to upload a signed certificate. If you're running your own Home-CA, eg. by using XCA you want to sign it, so none of the browsers in your household complains about the selfsigned certificate of you router. I assume you have ssh access to your router, so you can copy files from and to the router by scp. First of all, you need to have “store tor NVRAM” enabled for your https certificate in the Tomato USB configuration. Now go to your favourite computer running a decent shell and copy two files to your working directory:
mkdir etc scp -p email@example.com;/etc/cert.pem etc/ scp -p firstname.lastname@example.org;/etc/key.pem etc/
Now import then into your CA, make a “similar” certificate possibly with the key key.pem as provided by Tomate USB and sign it with your CA. Now put it pack to your working directory and replace cert.pem. Now copy them back to your router (this can most probably skipped, as you need to reboot your router anyway);
scp -p etc/cert.pm email@example.com:/etc/
For storing this into the NVRAM, you have to create the right configuration by this:
tar -czf - etc/cert.pem etc/key.pem | base64 -w 0
Use the resulting string as parameter for https_cert_file in Tomato USBs NVRAM setting, applying with (on your Router!):
nvram set https_crt_file="..." nvram commit reboot
where the dots … have to be replaced by the output gained above1).
The need to have a natting router came from that damn O2 Homebox 6641 which apparently does not allow switches connected to its ethernetport. Every time I connect more then one device (i.e. Linux Laptop, Mac Laptop, Linux Raspberry Pi) by a simple 1GB home-use HUB/Switch made by TPLink, all connections were interrupted until I rebooted that silly thing.
/usr/sbin/robocfg showports /usr/sbin/robocfg port 4 media 100FD