Sign the firmware image.

To use this the opkg package needs to be deselected.
opkg-smime package needs to be selected

CONFIG_PACKAGE_opkg-smime=y
-----------
A certificate needs to be created. Start by creating a file containing
the password.

echo "testing" >passkey.txt

Then create the cert with

openssl req -utf8 \
-newkey rsa:2048 \
-keyout privkey.pem \
-out req.pem  \
-passout file:passkey.txt \
-subj "/C=SE/ST=Stockholm/L=Skärholmen/O=Inteno/OU=broadband/CN=inteno.se"

openssl x509 -req -in req.pem \
-signkey privkey.pem \
-out cert.pem \
-passin file:passkey.txt \
-nameopt oneline,-esc_msb

you now have
  passkey.txt
  req.pem
  cert.pem
  privkey.pem

Then CONFIG_OPKGSMIME_CERT CONFIG_OPKGSMIME_KEY & CONFIG_OPKGSMIME_PASSFILE
needs to be set in openwrt .config

ex:
CONFIG_OPKGSMIME_CERT="/home/kenjo/proj/inteno/ssl/cert.pem"
CONFIG_OPKGSMIME_KEY="/home/kenjo/proj/inteno/ssl/privkey.pem"
CONFIG_OPKGSMIME_PASSFILE="/home/kenjo/proj/inteno/ssl/passkey.txt"

then rebuild.

If the cert is changed one have to clean and recompile opkg since
that package is putting the cert.pem file into the root filesystem and
it has no idea that we changed the config after it was compiled.
(that sucker cost me a lot of time as I was using the wrong cert on target)