Can you install a trusted SSL certificate on the NAS?

Not at this time.

Is there any plan for this in the near future? I need to make a game plan....

Any developments on this?

I don't NEED to have my boxes certified, but I would certainly love to make it happen...

I have been waiting all year for this to happen!

You may not be able to install a trusted cert on the NAS, but you can add the self-signed cert to the Trusted Root CA store on the clients.

Please excuse the blatant plug for my own site but I just did this and the details will shortly be available at http://www.markwilson.co.uk/blog/2008/11/trusting-a-self-signed-certificate-in-windows.htm

Hello to the forum,

I might be a newby belonging to ReadyNAS, but i think, it is not the big problem to use SSL certificates others then the selfsigned from the NAS itself.

I am using certificates for free from CAcert (https://www.cacert.org) for the most of my devices (webserver, webmail, ReadyNAS, ...). CAcert is an organisation that aims to provide free certificates for evereyone, without any costs, just have a look at the site and become a member to use it. CAcert has no root cert in the browsers today, so you have to add the CAcert root into your favorite browser, as you can do it with the original ReadyNAS cert following the post of markwilson.

Take this howto as a proof of concept and keep in mind, that if you are using more then one device with SSL certificates you only have to add one root cert into your browser... :roll:

May be this will work with commercial trusted certificates too, but i don't use them so i cannot say...

Before we start: I will not to be hold responsible if anything goes wrong with you and your NAS or data if you follow this howto.
It works for me but may be it will not work with your version of NAS.
If you change data on your NAS following this lines, allways keep in mind to make a backup first!
Read all of this howto before you start working and be sure that you understand what you are doing!
It did not happen to me but it may be that soething goes wrong and you have to do a factory reset with loosing all of your data or, even worse, you have to contact Netgear support an tell them, what you have done.

Again: I will not be responsible for this... :shock:

First of all you have to get root access via SSH to the box. How to do this is written several times so use the search if you don't know.

You then have to download the CAcert root certificate from http://www.cacert.org/certs/class3.crt. Just use wget to save it into /etc/ssl on your NAS:

cd /etc/ssl
wget http://www.cacert.org/certs/class3.crt

A well documented config file for OpenSSL exists in /etc/ssl/openssl.cnf. You have to change some things in this file to correct pathes and filenames used. Open the file with vi and change the corresponding, marked with >>> lines to:

[ CA_default ]

>>>dir             = /etc/ssl         # Where everything is kept
certs           = $dir/certs            # Where the issued certs are kept
crl_dir         = $dir/crl              # Where the issued crl are kept
database        = $dir/index.txt        # database index file.
new_certs_dir   = $dir/newcerts         # default place for new certs.

>>>certificate     = $dir/class3.crt       # The CA certificate
serial          = $dir/serial           # The current serial number
#crlnumber      = $dir/crlnumber        # the current crl number must be

crl             = $dir/crl.pem          # The current CRL
>>>private_key     = $dir/private/ReadyNAS_caCertwithoutPW.pem# The private key
RANDFILE        = $dir/private/.rand    # private random number file

x509_extensions = usr_cert              # The extentions to add to the cert

# Comment out the following two lines for the "traditional"
# (and highly broken) format.
>>>#name_opt        = ca_default            # Subject Name options
>>>#cert_opt        = ca_default            # Certificate field options

# Extension copying option: use with caution.
# copy_extensions = copy

Next step is to create an own private key for the NAS. Type in

openssl genrsa -des3 -out private/ReadyNAS_caCert.pem 1024

to create it into the dircetory /etc/ssl/private. You will be asked for a passphrase, rember this!

To make the apache on the NAS use the certificate later on without that the user has to enter the passphrase, just form the private key:

openssl rsa -in private/ReadyNAS_caCert.pem -out private/ReadyNAS_caCertwithoutPW.pem

Now qe are ready to create the request for the certificate:

openssl req -new -key private/ReadyNAS_caCertwithoutPW.pem -out ReadyNASReq.pem

You will have to answer some questions, a template is written in the config file /etc/ssl/openssl.cnf, if you have questions on them, have a look on this well documented file.

The former step created a request file into /etc/ssl. You have to copy the content oif this file and paste it into the corresponding form on the CAcert website. You will get the content of the certificate as an answer on the site. Copy the text and save it into a file /etc/ssl/certs/ReadyNASCert.pem.

We don't want to change anything at the apache configuration (ok, i don't want to explain how to do this, so we use an easier way... 8) ).
Apache on the NAS reads the SSL certificate and private key from a combined file /etc/frontview/apache/apache.pem. Make a backup of this file and fill in the content of your private key first and the content of the newly created certificate. After saving and leaving vi by typing ":wq", you have to restart the apache:

mv /etc/frontview/apache/apache.pem /etc/frontview/apache/apache.pem.orig
vi /etc/frontview/apache/apache.pem
killall apache-ssl
/usr/sbin/apache-ssl -f /etc/frontview/apache/httpd.conf

If you open your NAS page in your browser now, you will see it is using a CAcert signed certificate. And don't be irritated, if you get an error message concerning a broken certificate: You first will have to add the root cert into your browser, see the former posting by markwilson.

As i said above: This alls seems to be usable with other CAs, wether they are commercial or enterprise internal ones. You just will have to change some special things like root certs or according entries in the config file but this should not be too complicate.

Hope all wents well for you and your NAS

Regards from a snowy Germany

Dirk

dja,

Your instructions were spot on and to confirm you CAN install a trusted SSL certificate this way. Just installed a godaddy SSL cert without a problem at all. No annoying IE or Firefox untrusted website windows any more!

Only changes to the above instructions are that godaddy requires you to create the private key first then once the request is approved on their website they let you download their cert bundle and your newly issued ssl cert.

The only code change required is in '/etc/ssl/openssl.cnf' and is the cert bundle name marked below by >>> (obviously don't put >>> in), which in godaddy's case is 'gd_bundle.crt'. Just put it in the '/etc/ssl' directory instead of the 'class3.crt' in the instructions above.

####################################################################
[ CA_default ]

dir             = /etc/ssl              # Where everything is kept
certs           = $dir/certs            # Where the issued certs are kept
crl_dir         = $dir/crl              # Where the issued crl are kept
database        = $dir/index.txt        # database index file.
#unique_subject = no                    # Set to 'no' to allow creation of
                                        # several ctificates with same subject.
new_certs_dir   = $dir/newcerts         # default place for new certs.

>>>certificate     = $dir/gd_bundle.crt    # The CA certificate

Thanks for your guide on this.

Dizlem

Hi dja,

I followed your guide and tried to get ssl certificate from https://www.cacert.org/
However, I got following error message
---------------------------------------------------------------------------------

Please make sure the following details are correct before proceeding any further.

No additional information will be included on certificates because it can not be automatically checked by the system.

The following hostnames were rejected because the system couldn't link them to your account, if they are valid please verify the domains against your account.
Rejected: zhi.homeip.net

---------------------------------------------------------------------------------

In order to verify the domain, zhi.homeip.net, it will send out a email to root@zhi.homeip.net, but i don't have mail server in my readynas duo....So, I am wondering how did you get around this problem?

Thanks

Ok.. now we're getting somewhere.

I realise I'm about to go a wee bit beyond the scope of this topic, but what if you could be your own CA? Let's look at this from a closed network model. Let's say you've a completely self-contained network, and you want to be able to assure secure and encrypted communication between two points on that network. Currently, using an SSL certificate requires that certificate to be authenticated against a CA *OUTSIDE* that network. Setting aside our tin foil hats, it defeats the purpose of a self-contained network. If you're able to install your own root CA cert and authenticate against your own CA *internally*... does anyone see where I'm going here? Now, you may ask what's the point? Well, I'm looking at setting up an open source SSL VPN to be able to tunnel into my network from outside, as well as encrypt wireless traffice with a certificate. I live in a fairly dense urban area, and the knowledge required to pop my WPA2 is out there, freely available to anyone who knows how to google "backtrack".

If I'm in the wrong area.. and you know where I should be looking, please assist. Sure I can google for hours to find all the information and peice it together, but my brain hurts after a few hours of trying to make sense of all this. I clearly don't have a "beautiful mind".

Thanks folks!

dizlem wrote:

dja, Your instructions were spot on and to confirm you CAN install a trusted SSL certificate this way. Just installed a godaddy SSL cert without a problem at all. No annoying IE or Firefox untrusted website windows any more! Only changes to the above instructions are that godaddy requires you to create the private key first then once the request is approved on their website they let you download their cert bundle and your newly issued ssl cert. The only code change required is in '/etc/ssl/openssl.cnf' and is the cert bundle name marked below by >>> (obviously don't put >>> in), which in godaddy's case is 'gd_bundle.crt'. Just put it in the '/etc/ssl' directory instead of the 'class3.crt' in the instructions above. #################################################################### [ CA_default ] dir = /etc/ssl # Where everything is kept certs = $dir/certs # Where the issued certs are kept crl_dir = $dir/crl # Where the issued crl are kept database = $dir/index.txt # database index file. #unique_subject = no # Set to 'no' to allow creation of # several ctificates with same subject. new_certs_dir = $dir/newcerts # default place for new certs. >>>certificate = $dir/gd_bundle.crt # The CA certificate Thanks for your guide on this. Dizlem

When generating a trusted SSL certificate, that certificate will coupled to 1 IP address (or a name representing one IP address), right?

I'm thinking of generating a certificate for my external NAS IP address. That would bypass the certificate issues when accessing my NAS through its external IP address. However: if I for example want to access Frontview admin locally (internal IP address) I would run into problems because the certificate was issued for its external IP address. Is this correct? Are you experiencing this behavior dizlem?

Is it possible for 1 certificate to be active for multiple IP addresses (in this case my external and internal NAS IP addresses).

Thanks

FYI: have been able to install a trusted certificate on my NV+ much more simply than instructed previously

My domain registrar offers an 'auto csr' function from Globlsign that generates both a certificate and key file. By downloading those and 2 other certificate files from Globalsign I was able to install the certificate by adding the following settings to the apache configuration file and restarting apache:

SSLCACertificateFile <Globalsign root certificate from globalsign.com>
SSLCertificateChainFile <Globalsign intermediate certificate from globalsign.com>
SSLCertificateFile <mydomain certificate>
SSLCertificateKeyFile <my private key file>

Guys I've just installed a Godaddy SSL which is working after following the instructions above. Question on SSL renewal, does the entire process have to be repeated or is there a shorter process?

Trial_Master wrote:
Guys I've just installed a Godaddy SSL which is working after following the instructions above. Question on SSL renewal, does the entire process have to be repeated or is there a shorter process?

Anyone have some experience with SSL renewal process on ReadyNAS?

The "[ CA_default ]" section of the openssl config is only used if you are using the ca function in openssl, the generation of a private key and CSR has nothing to do with this.

The "[ req ]" section deals with certificate request/public cert.

The line with "openssl genrsa" is creating the private key. The creation of the CSR only relies on the private key and the cert Subject info either from the command line of the openssl.cnf file being used, nothing about the Certificate Authority's certificate chain.

Once the CSR (Certificate Signing request) is generated this is submitted to the CA (Certificate Authority) like Verisign, GoDaddy or what ever CA you are going to use. Once the CA signs the CSR you get back your public cert signed by the CA.

This signature on your public cert links it to the CA. This is where the CA's certificate chain/bundle comes in. The certificate chain is used by the web server to give the browser the info establishing it validity.

With these three files you define in Apache SSLCertificateFile pointing to the public cert you get back from the CA, SSLCertificateKeyFile pointing to the private key file you first generated and SSLCertificateChainFile pointing to the CA's certificate chain/bundle.

With this set up when you connect with a browser this is what happens.
1) The browser makes a connection to the server/NAS and initiates an SSL handshake.
2) The server presents its public key and the CA certificate chain.
3) The browser validates your public certificate by looking in its trust store using to see if your public cert or one of the certs in the chain is.
4) If it is trusted the browser generates a temporary key that it send back to the server encrypting it with your public key.
5) The server/NAS decrypts the public key the browser sent using your private key and responds to the browser with a message encrypted with the temporary browser public cert.
6) At this point you have established a SSL connection from the browser to the server/NAS.
7) The browser now continues the normal HTTP request over this SSL connection.
With the certificate that is generated by default on the NAS it fails at step 3.

As for renewing a certificate all you need to do is generate a new CSR from the existing private key and submit it to your CA of choice. Once you get the cert back from the CA make a copy of your existing cert and then replace the original with the new cert and restart Apache or force a reload by sending a HUP signal to its process.

That's brilliant thanks Charles. One question, following the instructions in this thread I didn't use the intermediate.crt but I see it mentioned in other documents. Should I be referring to it in openssl.cnf?

If so is it used as part of the signing process?

You should not need to worry about the intermediate certificate unless you are going to issue your own certificates that are to be trusted through the CAs chain of trust. You can actually buy your own issuing certificate signed by the CAs intermediate certificate.

With a CA you usually have 3 certificates. Their root cert, intermediary cert and issuing certificate. If they only had a root certificate there would be a big issue with either having to replace your certificates signed by them every time the CA cert expired or risk their authority being hacked and the trust of their identity invalidated. What they do to minimize this hassle is to use their root certificate to sign a intermediate certificate and then use the intermediate certificate to sign an issuing certificate. This issuing certificate is used to sign your certificate.

Since the browser trusts the root cert and if it can walk the certificate chain from your certificate back to the root it will trust the server cert.

So the issuing certificate and intermediate certificate are there just to make the link from your certificate to the CA root certificate that is in your browsers certificate Trust store.

Okay I think I get all of that. Everything seems to work fine without an intermediate certificate so I might leave things as they are.

You have been very, in fact extremely helpful and I have learnt a lot from your posts. Thank you very much I feel less stressed about my upcoming renewal process now I understand what need to be done.

Hi Charles

Since I purchased an iPad2 I have noticed I get a security warning when logging into my ReadyNAS. From what I can find on the subject Apple uses the intermediate.crt. I would like to see if i can remove the security prompt on my iPad2 but I have no idea what additional steps are required to introduce a intermediate.crt.

I followed the steps in this thread to get my SSL cert installed and working and customised for Godaddy.
viewtopic.php?p=128092#p128092
viewtopic.php?p=143857#p143857

Are you in a position to assist? I have gd_intermediate which i think is the one required?

The only thing I can think of to do is for you to email the GoDaddy Intermediate cert to your self and open it on the iPad. It should ask if you want to install it.

I'll try that this evening. Thanks for your time.

PLEASE REFER TO MY LATEST POST OF COMPLETE GUIDE TO INSTALLING SSL CERTIFICATE FROM GODADDY ON YOUR READYNAS DUO (SPARC). THE ABOVE POINTERS WERE HELPFUL BUT DID NOT WORK FOR ME:

http://www.readynas.com/forum/viewtopic.php?f=11&t=63577