I have read all the posts about surpressing the self issued certificate, but does anyone know if a Trusted SSL Certificate (purchased from Godaddy.com for example) can be installed on a ReadyNAS NV+?I want to allow client login for file sharing via HTTPS and the warning looks hoaky from the outside. Anybody?

dja,Your instructions were spot on and to confirm you CAN install a trusted SSL certificate this way. Just installed a godaddy SSL cert without a problem at all. No annoying IE or Firefox untrusted website windows any more!Only changes to the above instructions are that godaddy requires you to create the private key first then once the request is approved on their website they let you download their cert bundle and your newly issued ssl cert.The only code change required is in '/etc/ssl/openssl.cnf' and is the cert bundle name marked below by >>> (obviously don't put >>> in), which in godaddy's case is 'gd_bundle.crt'. Just put it in the '/etc/ssl' directory instead of the 'class3.crt' in the instructions above.####################################################################[ CA_default ]dir = /etc/ssl # Where everything is keptcerts = $dir/certs # Where the issued certs are keptcrl_dir = $dir/crl # Where the issued crl are keptdatabase = $dir/index.txt # database index file.#unique_subject = no # Set to 'no' to allow creation of # several ctificates with same subject.new_certs_dir = $dir/newcerts # default place for new certs.>>>certificate = $dir/gd_bundle.crt # The CA certificateThanks for your guide on this.Dizlem

Hello to the forum,I might be a newby belonging to ReadyNAS, but i think, it is not the big problem to use SSL certificates others then the selfsigned from the NAS itself.I am using certificates for free from CAcert (https://www.cacert.org) for the most of my devices (webserver, webmail, ReadyNAS, ...). CAcert is an organisation that aims to provide free certificates for evereyone, without any costs, just have a look at the site and become a member to use it. CAcert has no root cert in the browsers today, so you have to add the CAcert root into your favorite browser, as you can do it with the original ReadyNAS cert following the post of markwilson.Take this howto as a proof of concept and keep in mind, that if you are using more then one device with SSL certificates you only have to add one root cert into your browser... :roll: May be this will work with commercial trusted certificates too, but i don't use them so i cannot say...Before we start: I will not to be hold responsible if anything goes wrong with you and your NAS or data if you follow this howto. It works for me but may be it will not work with your version of NAS. If you change data on your NAS following this lines, allways keep in mind to make a backup first! Read all of this howto before you start working and be sure that you understand what you are doing! It did not happen to me but it may be that soething goes wrong and you have to do a factory reset with loosing all of your data or, even worse, you have to contact Netgear support an tell them, what you have done. Again: I will not be responsible for this... :shock: First of all you have to get root access via SSH to the box. How to do this is written several times so use the search if you don't know.You then have to download the CAcert root certificate from http://www.cacert.org/certs/class3.crt. Just use wget to save it into /etc/ssl on your NAS:cd /etc/sslwget http://www.cacert.org/certs/class3.crtA well documented config file for OpenSSL exists in /etc/ssl/openssl.cnf. You have to change some things in this file to correct pathes and filenames used. Open the file with vi and change the corresponding, marked with >>> lines to: [ CA_default ]>>>dir = /etc/ssl # Where everything is keptcerts = $dir/certs # Where the issued certs are keptcrl_dir = $dir/crl # Where the issued crl are keptdatabase = $dir/index.txt # database index file.new_certs_dir = $dir/newcerts # default place for new certs.>>>certificate = $dir/class3.crt # The CA certificateserial = $dir/serial # The current serial number#crlnumber = $dir/crlnumber # the current crl number must becrl = $dir/crl.pem # The current CRL>>>private_key = $dir/private/ReadyNAS_caCertwithoutPW.pem# The private keyRANDFILE = $dir/private/.rand # private random number filex509_extensions = usr_cert # The extentions to add to the cert# Comment out the following two lines for the "traditional"# (and highly broken) format.>>>#name_opt = ca_default # Subject Name options>>>#cert_opt = ca_default # Certificate field options# Extension copying option: use with caution.# copy_extensions = copyNext step is to create an own private key for the NAS. Type inopenssl genrsa -des3 -out private/ReadyNAS_caCert.pem 1024to create it into the dircetory /etc/ssl/private. You will be asked for a passphrase, rember this!To make the apache on the NAS use the certificate later on without that the user has to enter the passphrase, just form the private key:openssl rsa -in private/ReadyNAS_caCert.pem -out private/ReadyNAS_caCertwithoutPW.pemNow qe are ready to create the request for the certificate:openssl req -new -key private/ReadyNAS_caCertwithoutPW.pem -out ReadyNASReq.pemYou will have to answer some questions, a template is written in the config file /etc/ssl/openssl.cnf, if you have questions on them, have a look on this well documented file.The former step created a request file into /etc/ssl. You have to copy the content oif this file and paste it into the corresponding form on the CAcert website. You will get the content of the certificate as an answer on the site. Copy the text and save it into a file /etc/ssl/certs/ReadyNASCert.pem.We don't want to change anything at the apache configuration (ok, i don't want to explain how to do this, so we use an easier way... 8) ). Apache on the NAS reads the SSL certificate and private key from a combined file /etc/frontview/apache/apache.pem. Make a backup of this file and fill in the content of your private key first and the content of the newly created certificate. After saving and leaving vi by typing ":wq", you have to restart the apache:mv /etc/frontview/apache/apache.pem /etc/frontview/apache/apache.pem.origvi /etc/frontview/apache/apache.pemkillall apache-ssl/usr/sbin/apache-ssl -f /etc/frontview/apache/httpd.confIf you open your NAS page in your browser now, you will see it is using a CAcert signed certificate. And don't be irritated, if you get an error message concerning a broken certificate: You first will have to add the root cert into your browser, see the former posting by markwilson.As i said above: This alls seems to be usable with other CAs, wether they are commercial or enterprise internal ones. You just will have to change some special things like root certs or according entries in the config file but this should not be too complicate.Hope all wents well for you and your NASRegards from a snowy GermanyDirk

Is there any plan for this in the near future? I need to make a game plan....

Any developments on this?I don't NEED to have my boxes certified, but I would certainly love to make it happen...

Can you install a trusted SSL certificate on the NAS?

21 Replies

Replies have been turned off for this discussion

sphardy1
Apprentice
Mar 16, 2010
FYI: have been able to install a trusted certificate on my NV+ much more simply than instructed previously

My domain registrar offers an 'auto csr' function from Globlsign that generates both a certificate and key file. By downloading those and 2 other certificate files from Globalsign I was able to install the certificate by adding the following settings to the apache configuration file and restarting apache:

SSLCACertificateFile <Globalsign root certificate from globalsign.com>
SSLCertificateChainFile <Globalsign intermediate certificate from globalsign.com>
SSLCertificateFile <mydomain certificate>
SSLCertificateKeyFile <my private key file>
Trial_Master
Aspirant
Jul 29, 2010
Guys I've just installed a Godaddy SSL which is working after following the instructions above. Question on SSL renewal, does the entire process have to be repeated or is there a shorter process?

Trial_Master

Aspirant

Feb 15, 2011

Trial_Master wrote:
Guys I've just installed a Godaddy SSL which is working after following the instructions above. Question on SSL renewal, does the entire process have to be repeated or is there a shorter process?

Trial_Master wrote:
Guys I've just installed a Godaddy SSL which is working after following the instructions above. Question on SSL renewal, does the entire process have to be repeated or is there a shorter process?

Anyone have some experience with SSL renewal process on ReadyNAS?

CharlesLaCour
Aspirant
Feb 15, 2011
The "[ CA_default ]" section of the openssl config is only used if you are using the ca function in openssl, the generation of a private key and CSR has nothing to do with this.

The "[ req ]" section deals with certificate request/public cert.

The line with "openssl genrsa" is creating the private key. The creation of the CSR only relies on the private key and the cert Subject info either from the command line of the openssl.cnf file being used, nothing about the Certificate Authority's certificate chain.

Once the CSR (Certificate Signing request) is generated this is submitted to the CA (Certificate Authority) like Verisign, GoDaddy or what ever CA you are going to use. Once the CA signs the CSR you get back your public cert signed by the CA.

This signature on your public cert links it to the CA. This is where the CA's certificate chain/bundle comes in. The certificate chain is used by the web server to give the browser the info establishing it validity.

With these three files you define in Apache SSLCertificateFile pointing to the public cert you get back from the CA, SSLCertificateKeyFile pointing to the private key file you first generated and SSLCertificateChainFile pointing to the CA's certificate chain/bundle.

With this set up when you connect with a browser this is what happens.
1) The browser makes a connection to the server/NAS and initiates an SSL handshake.
2) The server presents its public key and the CA certificate chain.
3) The browser validates your public certificate by looking in its trust store using to see if your public cert or one of the certs in the chain is.
4) If it is trusted the browser generates a temporary key that it send back to the server encrypting it with your public key.
5) The server/NAS decrypts the public key the browser sent using your private key and responds to the browser with a message encrypted with the temporary browser public cert.
6) At this point you have established a SSL connection from the browser to the server/NAS.
7) The browser now continues the normal HTTP request over this SSL connection.
With the certificate that is generated by default on the NAS it fails at step 3.

As for renewing a certificate all you need to do is generate a new CSR from the existing private key and submit it to your CA of choice. Once you get the cert back from the CA make a copy of your existing cert and then replace the original with the new cert and restart Apache or force a reload by sending a HUP signal to its process.
Trial_Master
Aspirant
Feb 15, 2011
That's brilliant thanks Charles. One question, following the instructions in this thread I didn't use the intermediate.crt but I see it mentioned in other documents. Should I be referring to it in openssl.cnf?

If so is it used as part of the signing process?
CharlesLaCour
Aspirant
Feb 15, 2011
You should not need to worry about the intermediate certificate unless you are going to issue your own certificates that are to be trusted through the CAs chain of trust. You can actually buy your own issuing certificate signed by the CAs intermediate certificate.

With a CA you usually have 3 certificates. Their root cert, intermediary cert and issuing certificate. If they only had a root certificate there would be a big issue with either having to replace your certificates signed by them every time the CA cert expired or risk their authority being hacked and the trust of their identity invalidated. What they do to minimize this hassle is to use their root certificate to sign a intermediate certificate and then use the intermediate certificate to sign an issuing certificate. This issuing certificate is used to sign your certificate.

Since the browser trusts the root cert and if it can walk the certificate chain from your certificate back to the root it will trust the server cert.

So the issuing certificate and intermediate certificate are there just to make the link from your certificate to the CA root certificate that is in your browsers certificate Trust store.
Trial_Master
Aspirant
Feb 15, 2011
Okay I think I get all of that. Everything seems to work fine without an intermediate certificate so I might leave things as they are.

You have been very, in fact extremely helpful and I have learnt a lot from your posts. Thank you very much I feel less stressed about my upcoming renewal process now I understand what need to be done.
Trial_Master
Aspirant
May 08, 2011
Hi Charles

Since I purchased an iPad2 I have noticed I get a security warning when logging into my ReadyNAS. From what I can find on the subject Apple uses the intermediate.crt. I would like to see if i can remove the security prompt on my iPad2 but I have no idea what additional steps are required to introduce a intermediate.crt.

I followed the steps in this thread to get my SSL cert installed and working and customised for Godaddy.
viewtopic.php?p=128092#p128092
viewtopic.php?p=143857#p143857

Are you in a position to assist? I have gd_intermediate which i think is the one required?
CharlesLaCour
Aspirant
May 08, 2011
The only thing I can think of to do is for you to email the GoDaddy Intermediate cert to your self and open it on the iPad. It should ask if you want to install it.
Trial_Master
Aspirant
May 09, 2011
I'll try that this evening. Thanks for your time.

Forum Discussion

Can you install a trusted SSL certificate on the NAS?

21 Replies

Related Content

Routerlogin.net certificate “not trusted”

Chrome Certificate

Error - Trust anchor for certification path not found

Installing third party SSL certificate?

Failures installing SSL certificate for TLS 1.2 (HTTPS) on M4300-52G-PoE+

NETGEAR Academy

ProSupport for Business