troymz
May 08, 2008 (Aspirant)
Can you install a trusted SSL certificate on the NAS?
I have read all the posts about suppressing the self-issued certificate, but does anyone know if a Trusted SSL Certificate (purchased from Godaddy.com for example) can be installed on a ReadyNAS NV+? ...
dja
Nov 23, 2008 (Tutor)
Hello to the forum,
I might be a newbie to ReadyNAS, but I think it is not a big problem to use SSL certificates other than the self-signed one from the NAS itself.
I am using free certificates from CAcert (https://www.cacert.org) for most of my devices (webserver, webmail, ReadyNAS, ...). CAcert is an organisation that aims to provide free certificates for everyone, without any costs; just have a look at the site and become a member to use it. CAcert has no root cert in the browsers today, so you have to add the CAcert root to your favorite browser, as you can do with the original ReadyNAS cert following the post of markwilson.
Take this howto as a proof of concept and keep in mind that if you are using more than one device with SSL certificates, you only have to add one root cert to your browser... :roll:
Maybe this will work with commercial trusted certificates too, but I don't use them so I cannot say...
Before we start: I will not be held responsible if anything goes wrong with you and your NAS or data if you follow this howto.
It works for me, but maybe it will not work with your version of the NAS.
If you change data on your NAS following these lines, always keep in mind to make a backup first!
Read all of this howto before you start working and be sure that you understand what you are doing!
It did not happen to me, but it may be that something goes wrong and you have to do a factory reset, losing all of your data, or, even worse, you have to contact Netgear support and tell them what you have done.
Again: I will not be responsible for this... :shock:
First of all you have to get root access via SSH to the box. How to do this has been written several times, so use the search if you don't know.
You then have to download the CAcert root certificate from http://www.cacert.org/certs/class3.crt. Just use wget to save it into /etc/ssl on your NAS:
cd /etc/ssl
wget http://www.cacert.org/certs/class3.crt
A well-documented config file for OpenSSL exists in /etc/ssl/openssl.cnf. You have to change some things in this file to correct the paths and filenames used. Open the file with vi and change the corresponding lines, marked with >>>, to:
[ CA_default ]
>>>dir = /etc/ssl # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
new_certs_dir = $dir/newcerts # default place for new certs.
>>>certificate = $dir/class3.crt # The CA certificate
serial = $dir/serial # The current serial number
#crlnumber = $dir/crlnumber # the current crl number must be
crl = $dir/crl.pem # The current CRL
>>>private_key = $dir/private/ReadyNAS_caCertwithoutPW.pem # The private key
RANDFILE = $dir/private/.rand # private random number file
x509_extensions = usr_cert # The extentions to add to the cert
# Comment out the following two lines for the "traditional"
# (and highly broken) format.
>>>#name_opt = ca_default # Subject Name options
>>>#cert_opt = ca_default # Certificate field options
# Extension copying option: use with caution.
# copy_extensions = copy
The next step is to create a private key for the NAS. Type in
openssl genrsa -des3 -out private/ReadyNAS_caCert.pem 1024
to create it in the directory /etc/ssl/private. You will be asked for a passphrase; remember this!
To let the apache on the NAS use the certificate later on without the user having to enter the passphrase, just transform the private key:
openssl rsa -in private/ReadyNAS_caCert.pem -out private/ReadyNAS_caCertwithoutPW.pem
Now we are ready to create the request for the certificate:
openssl req -new -key private/ReadyNAS_caCertwithoutPW.pem -out ReadyNASReq.pem
You will have to answer some questions; a template is written in the config file /etc/ssl/openssl.cnf. If you have questions about them, have a look at this well-documented file.
The former step created a request file in /etc/ssl. You have to copy the content of this file and paste it into the corresponding form on the CAcert website. You will get the content of the certificate as an answer on the site. Copy the text and save it into a file /etc/ssl/certs/ReadyNASCert.pem.
We don't want to change anything in the apache configuration (ok, I don't want to explain how to do this, so we use an easier way... 8) ).
Apache on the NAS reads the SSL certificate and private key from a combined file /etc/frontview/apache/apache.pem. Make a backup of this file and fill in the content of your private key first and then the content of the newly created certificate. After saving and leaving vi by typing ":wq", you have to restart apache:
mv /etc/frontview/apache/apache.pem /etc/frontview/apache/apache.pem.orig
vi /etc/frontview/apache/apache.pem
killall apache-ssl
/usr/sbin/apache-ssl -f /etc/frontview/apache/httpd.conf
If you open your NAS page in your browser now, you will see it is using a CAcert-signed certificate. And don't be irritated if you get an error message concerning a broken certificate: you will first have to add the root cert to your browser; see the former posting by markwilson.
As I said above: this all seems to be usable with other CAs, whether they are commercial or enterprise-internal ones. You will just have to change some specific things like root certs or the corresponding entries in the config file, but this should not be too complicated.
Hope all goes well for you and your NAS
Regards from a snowy Germany
Dirk
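A pre-restart check for the combined file described in the post above, as an added example that is not part of the original post: it confirms the private key is unencrypted and comes first, and that the certificate pasted after it belongs to that key. The function names are hypothetical and the openssl command-line tool is assumed to be available; call it as `check_combined_pem /etc/frontview/apache/apache.pem`.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check the combined
# key+certificate file before restarting apache-ssl.
# Function names are hypothetical; requires the openssl CLI.

# Print the RSA key size in bits of the first private key in FILE.
key_bits() {
    openssl rsa -in "$1" -noout -text 2>/dev/null |
        sed -n 's/.*Private-Key: (\([0-9][0-9]*\) bit.*/\1/p'
}

# Return 0 only if FILE holds an unencrypted private key first, then a
# certificate whose public key belongs to that private key.
check_combined_pem() {
    pem=$1
    [ -r "$pem" ] || { echo "cannot read $pem" >&2; return 1; }
    # A passphrase-protected key makes the server prompt at startup.
    if grep -Eq 'Proc-Type: 4,ENCRYPTED|BEGIN ENCRYPTED PRIVATE KEY' "$pem"; then
        echo "private key is still passphrase-protected" >&2; return 1
    fi
    # The post puts the key first and the certificate second.
    first=$(grep -- '-----BEGIN ' "$pem" | head -n 1)
    case $first in
        *'PRIVATE KEY-----') ;;
        *) echo "first PEM block is not a private key" >&2; return 1 ;;
    esac
    grep -q -- '-----BEGIN CERTIFICATE-----' "$pem" ||
        { echo "no certificate block found" >&2; return 1; }
    # openssl picks the matching block type out of the combined file.
    key_mod=$(openssl rsa -in "$pem" -noout -modulus 2>/dev/null) || return 1
    crt_mod=$(openssl x509 -in "$pem" -noout -modulus 2>/dev/null) || return 1
    if [ -z "$key_mod" ] || [ "$key_mod" != "$crt_mod" ]; then
        echo "certificate does not match the private key" >&2; return 1
    fi
    bits=$(key_bits "$pem")
    # Warn only: keys under 2048 bits are weak by current standards.
    if [ -n "$bits" ] && [ "$bits" -lt 2048 ]; then
        echo "warning: RSA key is only $bits bits" >&2
    fi
    return 0
}

# Run against a file given on the command line, if any.
if [ -n "${1:-}" ]; then check_combined_pem "$1"; fi
```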