NETGEAR is aware of a growing number of phone and online scams. To learn how to stay safe click here.
Forum Discussion
Can you install a trusted SSL certificate on the NAS?
I have read all the posts about surpressing the self issued certificate, but does anyone know if a Trusted SSL Certificate (purchased from Godaddy.com for example) can be installed on a ReadyNAS NV+? ...
The "[ CA_default ]" section of the openssl config is only used if you are using the ca function in openssl, the generation of a private key and CSR has nothing to do with this.
The "[ req ]" section deals with certificate request/public cert.
The line with "openssl genrsa" is creating the private key. The creation of the CSR only relies on the private key and the cert Subject info either from the command line of the openssl.cnf file being used, nothing about the Certificate Authority's certificate chain.
Once the CSR (Certificate Signing request) is generated this is submitted to the CA (Certificate Authority) like Verisign, GoDaddy or what ever CA you are going to use. Once the CA signs the CSR you get back your public cert signed by the CA.
This signature on your public cert links it to the CA. This is where the CA's certificate chain/bundle comes in. The certificate chain is used by the web server to give the browser the info establishing it validity.
With these three files you define in Apache SSLCertificateFile pointing to the public cert you get back from the CA, SSLCertificateKeyFile pointing to the private key file you first generated and SSLCertificateChainFile pointing to the CA's certificate chain/bundle.
With this set up when you connect with a browser this is what happens.
1) The browser makes a connection to the server/NAS and initiates an SSL handshake.
2) The server presents its public key and the CA certificate chain.
3) The browser validates your public certificate by looking in its trust store using to see if your public cert or one of the certs in the chain is.
4) If it is trusted the browser generates a temporary key that it send back to the server encrypting it with your public key.
5) The server/NAS decrypts the public key the browser sent using your private key and responds to the browser with a message encrypted with the temporary browser public cert.
6) At this point you have established a SSL connection from the browser to the server/NAS.
7) The browser now continues the normal HTTP request over this SSL connection.
With the certificate that is generated by default on the NAS it fails at step 3.
As for renewing a certificate all you need to do is generate a new CSR from the existing private key and submit it to your CA of choice. Once you get the cert back from the CA make a copy of your existing cert and then replace the original with the new cert and restart Apache or force a reload by sending a HUP signal to its process.
The "[ req ]" section deals with certificate request/public cert.
The line with "openssl genrsa" is creating the private key. The creation of the CSR only relies on the private key and the cert Subject info either from the command line of the openssl.cnf file being used, nothing about the Certificate Authority's certificate chain.
Once the CSR (Certificate Signing request) is generated this is submitted to the CA (Certificate Authority) like Verisign, GoDaddy or what ever CA you are going to use. Once the CA signs the CSR you get back your public cert signed by the CA.
This signature on your public cert links it to the CA. This is where the CA's certificate chain/bundle comes in. The certificate chain is used by the web server to give the browser the info establishing it validity.
With these three files you define in Apache SSLCertificateFile pointing to the public cert you get back from the CA, SSLCertificateKeyFile pointing to the private key file you first generated and SSLCertificateChainFile pointing to the CA's certificate chain/bundle.
With this set up when you connect with a browser this is what happens.
1) The browser makes a connection to the server/NAS and initiates an SSL handshake.
2) The server presents its public key and the CA certificate chain.
3) The browser validates your public certificate by looking in its trust store using to see if your public cert or one of the certs in the chain is.
4) If it is trusted the browser generates a temporary key that it send back to the server encrypting it with your public key.
5) The server/NAS decrypts the public key the browser sent using your private key and responds to the browser with a message encrypted with the temporary browser public cert.
6) At this point you have established a SSL connection from the browser to the server/NAS.
7) The browser now continues the normal HTTP request over this SSL connection.
With the certificate that is generated by default on the NAS it fails at step 3.
As for renewing a certificate all you need to do is generate a new CSR from the existing private key and submit it to your CA of choice. Once you get the cert back from the CA make a copy of your existing cert and then replace the original with the new cert and restart Apache or force a reload by sending a HUP signal to its process.
NETGEAR Academy
Boost your skills with the Netgear Academy - Get trained, certified and stay ahead with the latest Netgear technology!
Join Us!
