Can you install a trusted SSL certificate on the NAS?

Not at this time.

Is there any plan for this in the near future? I need to make a game plan....

Any developments on this?

I don't NEED to have my boxes certified, but I would certainly love to make it happen...

I have been waiting all year for this to happen!

You may not be able to install a trusted cert on the NAS, but you can add the self-signed cert to the Trusted Root CA store on the clients.

Please excuse the blatant plug for my own site but I just did this and the details will shortly be available at http://www.markwilson.co.uk/blog/2008/11/trusting-a-self-signed-certificate-in-windows.htm

Hello to the forum,

I might be a newby belonging to ReadyNAS, but i think, it is not the big problem to use SSL certificates others then the selfsigned from the NAS itself.

I am using certificates for free from CAcert (https://www.cacert.org) for the most of my devices (webserver, webmail, ReadyNAS, ...). CAcert is an organisation that aims to provide free certificates for evereyone, without any costs, just have a look at the site and become a member to use it. CAcert has no root cert in the browsers today, so you have to add the CAcert root into your favorite browser, as you can do it with the original ReadyNAS cert following the post of markwilson.

Take this howto as a proof of concept and keep in mind, that if you are using more then one device with SSL certificates you only have to add one root cert into your browser... :roll:

May be this will work with commercial trusted certificates too, but i don't use them so i cannot say...

Before we start: I will not to be hold responsible if anything goes wrong with you and your NAS or data if you follow this howto.
It works for me but may be it will not work with your version of NAS.
If you change data on your NAS following this lines, allways keep in mind to make a backup first!
Read all of this howto before you start working and be sure that you understand what you are doing!
It did not happen to me but it may be that soething goes wrong and you have to do a factory reset with loosing all of your data or, even worse, you have to contact Netgear support an tell them, what you have done.

Again: I will not be responsible for this... :shock:

First of all you have to get root access via SSH to the box. How to do this is written several times so use the search if you don't know.

You then have to download the CAcert root certificate from http://www.cacert.org/certs/class3.crt. Just use wget to save it into /etc/ssl on your NAS:

cd /etc/ssl
wget http://www.cacert.org/certs/class3.crt

A well documented config file for OpenSSL exists in /etc/ssl/openssl.cnf. You have to change some things in this file to correct pathes and filenames used. Open the file with vi and change the corresponding, marked with >>> lines to:

[ CA_default ]

>>>dir             = /etc/ssl         # Where everything is kept
certs           = $dir/certs            # Where the issued certs are kept
crl_dir         = $dir/crl              # Where the issued crl are kept
database        = $dir/index.txt        # database index file.
new_certs_dir   = $dir/newcerts         # default place for new certs.

>>>certificate     = $dir/class3.crt       # The CA certificate
serial          = $dir/serial           # The current serial number
#crlnumber      = $dir/crlnumber        # the current crl number must be

crl             = $dir/crl.pem          # The current CRL
>>>private_key     = $dir/private/ReadyNAS_caCertwithoutPW.pem# The private key
RANDFILE        = $dir/private/.rand    # private random number file

x509_extensions = usr_cert              # The extentions to add to the cert

# Comment out the following two lines for the "traditional"
# (and highly broken) format.
>>>#name_opt        = ca_default            # Subject Name options
>>>#cert_opt        = ca_default            # Certificate field options

# Extension copying option: use with caution.
# copy_extensions = copy

Next step is to create an own private key for the NAS. Type in

openssl genrsa -des3 -out private/ReadyNAS_caCert.pem 1024

to create it into the dircetory /etc/ssl/private. You will be asked for a passphrase, rember this!

To make the apache on the NAS use the certificate later on without that the user has to enter the passphrase, just form the private key:

openssl rsa -in private/ReadyNAS_caCert.pem -out private/ReadyNAS_caCertwithoutPW.pem

Now qe are ready to create the request for the certificate:

openssl req -new -key private/ReadyNAS_caCertwithoutPW.pem -out ReadyNASReq.pem

You will have to answer some questions, a template is written in the config file /etc/ssl/openssl.cnf, if you have questions on them, have a look on this well documented file.

The former step created a request file into /etc/ssl. You have to copy the content oif this file and paste it into the corresponding form on the CAcert website. You will get the content of the certificate as an answer on the site. Copy the text and save it into a file /etc/ssl/certs/ReadyNASCert.pem.

We don't want to change anything at the apache configuration (ok, i don't want to explain how to do this, so we use an easier way... 8) ).
Apache on the NAS reads the SSL certificate and private key from a combined file /etc/frontview/apache/apache.pem. Make a backup of this file and fill in the content of your private key first and the content of the newly created certificate. After saving and leaving vi by typing ":wq", you have to restart the apache:

mv /etc/frontview/apache/apache.pem /etc/frontview/apache/apache.pem.orig
vi /etc/frontview/apache/apache.pem
killall apache-ssl
/usr/sbin/apache-ssl -f /etc/frontview/apache/httpd.conf

If you open your NAS page in your browser now, you will see it is using a CAcert signed certificate. And don't be irritated, if you get an error message concerning a broken certificate: You first will have to add the root cert into your browser, see the former posting by markwilson.

As i said above: This alls seems to be usable with other CAs, wether they are commercial or enterprise internal ones. You just will have to change some special things like root certs or according entries in the config file but this should not be too complicate.

Hope all wents well for you and your NAS

Regards from a snowy Germany

Dirk

dja,

Your instructions were spot on and to confirm you CAN install a trusted SSL certificate this way. Just installed a godaddy SSL cert without a problem at all. No annoying IE or Firefox untrusted website windows any more!

Only changes to the above instructions are that godaddy requires you to create the private key first then once the request is approved on their website they let you download their cert bundle and your newly issued ssl cert.

The only code change required is in '/etc/ssl/openssl.cnf' and is the cert bundle name marked below by >>> (obviously don't put >>> in), which in godaddy's case is 'gd_bundle.crt'. Just put it in the '/etc/ssl' directory instead of the 'class3.crt' in the instructions above.

####################################################################
[ CA_default ]

dir             = /etc/ssl              # Where everything is kept
certs           = $dir/certs            # Where the issued certs are kept
crl_dir         = $dir/crl              # Where the issued crl are kept
database        = $dir/index.txt        # database index file.
#unique_subject = no                    # Set to 'no' to allow creation of
                                        # several ctificates with same subject.
new_certs_dir   = $dir/newcerts         # default place for new certs.

>>>certificate     = $dir/gd_bundle.crt    # The CA certificate

Thanks for your guide on this.

Dizlem

Hi dja,

I followed your guide and tried to get ssl certificate from https://www.cacert.org/
However, I got following error message
---------------------------------------------------------------------------------

Please make sure the following details are correct before proceeding any further.

No additional information will be included on certificates because it can not be automatically checked by the system.

The following hostnames were rejected because the system couldn't link them to your account, if they are valid please verify the domains against your account.
Rejected: zhi.homeip.net

---------------------------------------------------------------------------------

In order to verify the domain, zhi.homeip.net, it will send out a email to root@zhi.homeip.net, but i don't have mail server in my readynas duo....So, I am wondering how did you get around this problem?

Thanks

Ok.. now we're getting somewhere.

I realise I'm about to go a wee bit beyond the scope of this topic, but what if you could be your own CA? Let's look at this from a closed network model. Let's say you've a completely self-contained network, and you want to be able to assure secure and encrypted communication between two points on that network. Currently, using an SSL certificate requires that certificate to be authenticated against a CA *OUTSIDE* that network. Setting aside our tin foil hats, it defeats the purpose of a self-contained network. If you're able to install your own root CA cert and authenticate against your own CA *internally*... does anyone see where I'm going here? Now, you may ask what's the point? Well, I'm looking at setting up an open source SSL VPN to be able to tunnel into my network from outside, as well as encrypt wireless traffice with a certificate. I live in a fairly dense urban area, and the knowledge required to pop my WPA2 is out there, freely available to anyone who knows how to google "backtrack".

If I'm in the wrong area.. and you know where I should be looking, please assist. Sure I can google for hours to find all the information and peice it together, but my brain hurts after a few hours of trying to make sense of all this. I clearly don't have a "beautiful mind".

Thanks folks!

dizlem wrote:

dja, Your instructions were spot on and to confirm you CAN install a trusted SSL certificate this way. Just installed a godaddy SSL cert without a problem at all. No annoying IE or Firefox untrusted website windows any more! Only changes to the above instructions are that godaddy requires you to create the private key first then once the request is approved on their website they let you download their cert bundle and your newly issued ssl cert. The only code change required is in '/etc/ssl/openssl.cnf' and is the cert bundle name marked below by >>> (obviously don't put >>> in), which in godaddy's case is 'gd_bundle.crt'. Just put it in the '/etc/ssl' directory instead of the 'class3.crt' in the instructions above. #################################################################### [ CA_default ] dir = /etc/ssl # Where everything is kept certs = $dir/certs # Where the issued certs are kept crl_dir = $dir/crl # Where the issued crl are kept database = $dir/index.txt # database index file. #unique_subject = no # Set to 'no' to allow creation of # several ctificates with same subject. new_certs_dir = $dir/newcerts # default place for new certs. >>>certificate = $dir/gd_bundle.crt # The CA certificate Thanks for your guide on this. Dizlem

When generating a trusted SSL certificate, that certificate will coupled to 1 IP address (or a name representing one IP address), right?

I'm thinking of generating a certificate for my external NAS IP address. That would bypass the certificate issues when accessing my NAS through its external IP address. However: if I for example want to access Frontview admin locally (internal IP address) I would run into problems because the certificate was issued for its external IP address. Is this correct? Are you experiencing this behavior dizlem?

Is it possible for 1 certificate to be active for multiple IP addresses (in this case my external and internal NAS IP addresses).

Thanks