Category: certificate

Install Synology CA Certificate into Linux OS

To trust a Synology self-generated CA on Linux, use the following steps.

Export Synology CA Certificates from NAS

  • Launch Control Panel => Security
  • Click on Certificate tab
  • Click on Add button
  • Select the certificate named as synology
  • Select Export certificate, then Next

The downloaded ZIP file contains 4 files:

cert.pem
privkey.pem
syno-ca-cert.pem
syno-ca-privkey.pem

Copy the Synology CA certificate

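Copy the file syno-ca-cert.pem to the folder below on the server, renaming it with a .crt extension. Only the CA certificate is needed; the private key files in the ZIP are not.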

cp syno-ca-cert.pem /usr/local/share/ca-certificates/syno-ca-cert.crt
update-ca-certificates

Note: the certificate file name must end in .crt

Restart service

Restart any service that uses a certificate generated by the Synology CA.

systemctl restart <service>

Test CA

Use the openssl command

Run the following commands:

openssl s_client -connect server_address:443 -CAfile /usr/local/share/ca-certificates/syno-ca-cert.crt
openssl s_client -connect server_address:443 -CApath /etc/ssl/certs

Both should return 0 (ok):

Verify return code: 0 (ok)

Use the curl command

curl --verbose <URL> --cacert /usr/local/share/ca-certificates/syno-ca-cert.crt
curl --verbose <URL>

References

Install self generated CA certificate into Linux OS

To trust a self-generated CA on a client system, use the following steps.

Retrieve CA certificate from server

Copy the CA certificate using a browser

Click on the lock icon beside the browser's address bar, then view certificates.

Copy from server

The self-generated CA certificate can normally be found on the server, for example as xxxx.ca.crt.

Run a command to retrieve it from the service

The following command prints the certificates that the service sends, in PEM form; remove any unnecessary lines, such as DONE, if present.

Note: I haven't validated the certificate retrieved using this method.

openssl s_client -showcerts -connect [server_address]:[port] < /dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'
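
An added example, not part of the original post: the saved output holds every certificate the service sent, leaf first, so this script splits it into one file per certificate and prints the subject, issuer and SHA-256 fingerprint to compare against the copy held on the server before anything goes into the trust store. The function names and the retrieved.pem and certs paths are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post). File names are hypothetical.

# split_chain FILE OUTDIR
# Writes each PEM certificate block found in FILE (for example saved
# `openssl s_client -showcerts` output) to OUTDIR/cert-N.pem, in the order
# the service sent them, and prints how many blocks were written.
split_chain() {
    mkdir -p "$2" || return 1
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem"; inblock = 1 }
        inblock                       { print > out }
        /-----END CERTIFICATE-----/   { inblock = 0; close(out) }
        END                           { print n + 0 }
    ' "$1"
}

# describe_cert FILE
# Prints the fields to compare against a trusted source (the copy on the
# server, or the details its admin UI shows) before trusting the file.
describe_cert() {
    openssl x509 -in "$1" -noout -subject -issuer -fingerprint -sha256
}

# is_self_issued FILE
# Succeeds when subject and issuer are identical, as they are for a root CA.
# A leaf certificate fails this check and does not belong in the CA store.
is_self_issued() {
    subject=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//')
    issuer=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer= *//')
    [ -n "$subject" ] && [ "$subject" = "$issuer" ]
}

# Usage, with retrieved.pem holding the saved command output:
#   split_chain retrieved.pem certs
#   for f in certs/cert-*.pem; do
#       describe_cert "$f"
#       is_self_issued "$f" && echo "$f: self-issued, candidate CA certificate"
#   done
```

If no file passes is_self_issued, the service did not send its root certificate and the CA file has to be copied from the server instead.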

Install CA certificate

Copy the CA certificate, such as xxxx.ca.crt, into the /usr/local/share/ca-certificates directory, run the update-ca-certificates command to update the system CA store, then restart the impacted service.

cp <xxxx.ca.crt> /usr/local/share/ca-certificates
update-ca-certificates
systemctl restart <service>

Note: the certificate file name must end in .crt

Test CA

Run the following command; it should return 0 (ok) as below.

openssl s_client -connect server_address:443 -CApath /etc/ssl/certs

...
Verify return code: 0 (ok)

Renew Self Signed Certificate Using Synology DSM with custom CA

Renew server certificate

  • Launch Control Panel => Security
  • Click on Certificate tab
  • Click on Add button
  • Select Renew certificate, then Next
  • Fill in the information for Create certificate signing request (CSR), then Next
  • Click on Download

The downloaded ZIP file contains the following files:

  • server.csr
  • server.key

Generate certificate

Follow the steps in the page below to create and import the certificates:

Use Synology DSM to create Self Signed Certificate with custom CA

References

Use Synology DSM to create Self Signed Certificate with custom CA

Install Synology NAS managed Let's Encrypt Certificate in NGINX

Certificate Management

A Synology NAS can be used for certificate management, and a Let's Encrypt certificate can be exported as a ZIP file for use in the NGINX HTTPS configuration.

  1. Go to Control Panel -> Security -> Certificate
  2. Select certificate to be exported
  3. Select Export Certificate from right click menu
  4. Save exported file

For existing certificates, use the right click -> renew option to renew.

Note: All domains in the certificate must resolve to the current Synology NAS on port 80 and port 443; otherwise, certificate generation will fail.

The downloaded ZIP file contains the following files:

  • cert.pem
  • chain.pem
  • privkey.pem

NGINX configuration

  1. Concatenate cert.pem and chain.pem into a cert-with-chain.pem (or fullchain.pem) file

  2. Copy cert-with-chain.pem and privkey.pem into the NGINX conf.d folder

  3. Verify that the NGINX configuration is as below

ssl_certificate     conf.d/cert-with-chain.pem;
ssl_certificate_key conf.d/privkey.pem;

  4. Restart NGINX

Verification

Browser

The issue date of the new certificate should be displayed in the certificate information window.

Command line

The following command can be used for verification:

openssl s_client -connect <domain_name>:<port>

If the following errors appear, append chain.pem to cert.pem, because the full chain is required.

verify error:num=20:unable to get local issuer certificate
verify error:num=21:unable to verify the first certificate

References

How to install Let's Encrypt on Nginx

Use Synology DSM to create Self Signed Certificate with custom CA

A Synology NAS can be used to create a custom CA, use it to create server certificates, and manage them.

Create certificate with CA

  • Launch Control Panel => Security
  • Click on Certificate tab
  • Click on Add button and select Add menu item
  • Select Add a new certificate or Replace an existing certificate, then Next
  • Select Create self-signed certificate, then Next
  • Fill in the information for Create root certificate for the CA certificate, then Next
  • Fill in the information for Create certificate for the server certificate, then Apply

The following 4 files are created and can be exported:

  • cert.pem - Server certificate
  • privkey.pem - Server Key
  • syno-ca-cert.pem - CA certificate
  • syno-ca-privkey.pem - CA Key

Create server certificate using CA above

  • Launch Control Panel => Security
  • Click on Certificate tab
  • Click on CSR button
  • Select Create Certificate Signing Request, then Next
  • Fill in the information for Create certificate signing request (CSR), then Next
  • Click on Download

The downloaded ZIP file contains the following files:

  • server.csr
  • server.key

Signing server certificate

  • Launch Control Panel => Security
  • Click on Certificate tab
  • Click on CSR button
  • Select Sign Certificate Signing Request, then Next
  • Select the root certificate just created, then Next
  • Select the server.csr file using the Browse button next to the Certificate Request textbox
  • Fill in Subject Alternative Name, then Next
  • Click on Download

The downloaded ZIP file contains the following file:

  • server.crt

Import server certificate

  • Launch Control Panel => Security
  • Click on Certificate tab
  • Click on Add button and select Add menu item
  • Select Add a new certificate or Replace an existing certificate, then Next
  • Fill in Description, select Import certificate, then Next
  • Select the private key file and the certificate file, then OK

References

self-signed-certificate-with-custom-ca.md

Create certificate in Synology NAS with self signed CA

If the CA certificate is managed by a Synology NAS, the following steps can be used to create a certificate under that CA.

Create certificate request

  1. Go to Control Panel -> Security -> Certificate
  2. Select CSR
  3. Select Create certificate signing request (CSR)
  4. Fill in the required information
  5. Select Download; the CSR is downloaded to the local machine

The downloaded archive contains two files, server.key and server.csr.

Sign certificate

  1. Go to Control Panel -> Security -> Certificate
  2. Select CSR
  3. Select Sign certificate signing request (CSR) and select the root certificate to be used
  4. Use the Browse button to select the CSR file from the previous step
  5. Select Download; the CSR will be downloaded to the local machine. The CSR file should be in the archive folder, named server.csr
  6. In Subject Alternative Name, put both the server's full name and short name, or other names if the server is playing multiple roles.
  7. Click on Download; a file named server.crt is then downloaded locally.

Import generated certificate

You now have three files:

  • The certificate file, named server.crt
  • The private key file, named server.key
  • The intermediate certificate file, such as syno-ca-cert.pem or another CA intermediate certificate

They can also be imported into the Synology certificate app for certificate management:

  1. Go to Control Panel -> Security -> Certificate
  2. Select Add -> Add
  3. Select Add a new certificate
  4. Select Import certificate
  5. Click on the Browse button for Private Key to select the server.key file
  6. Click on the Browse button for Certificate to select the server.crt file
  7. Click on the Browse button for Intermediate Certificate to select the syno-ca-cert.pem file
  8. Click the OK button

Install self generated CA certificate into Windows OS

To trust a self-generated CA on a client system, use the following steps.

Retrieve CA certificate from server

Copy the CA certificate using a browser

Click on the lock icon beside the browser's address bar, then view certificates.

Copy from server

The self-generated CA certificate can normally be found on the server, for example as xxxx.ca.crt.

Install CA certificate

Install into OS

  • Run the command mmc
  • Select File => Add/Remove Snap-ins
  • Select Certificates and press the Add button
  • Select Computer account => Local Account, and press Finish
  • Select Certificates and right-click Trusted Root Certification Authorities
  • Click All Tasks => Import, then add the digital certificate

Firefox Only

Firefox has its own certificate store, so certificates in the system store are not accepted. Use the following steps to enable system certificates for the current user.

  • Open a new tab and type about:config
  • Search for security.enterprise_roots.enabled
  • Change it to true by double-clicking the line.

Note: This only enables trust for the current user

References

How to install Windows 10 root certificates [EASY STEPS]

Change Apache SSL certificate

Steps

Retrieve certificate

Download the certificate from Synology

  • Open Control Panel
  • Select Security
  • Select Certificate tab
  • Right click the certificate and select Export certificate

The output includes cert.pem, chain.pem, and privkey.pem in an archive file or folder.

Merge certificate and chain

Concatenate the certificate file and the chain file into one file called cert-with-chain.pem or fullchain.pem.

Deploy certificate files

  • Create a folder in the Apache configuration folder, such as certs/
  • Copy the cert-with-chain.pem and privkey.pem files into the certs/ folder.

Setup Apache

This can be done either by changing the Apache configuration or by making soft links for the files that the configuration uses.

Apache configuration items

SSLCertificateFile      /data/certs/cert-with-chain.pem
SSLCertificateKeyFile /data/certs/privkey.key
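
The merge of cert.pem and chain.pem used here and in the NGINX post above, as an added example that is not from the original posts: a plain cat fuses the END and BEGIN marker lines when cert.pem lacks a trailing newline, so this function rebuilds the file line by line and checks the result. The function names and paths are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original posts). Paths are hypothetical.

# count_certs FILE: number of lines in FILE that open a PEM certificate block.
count_certs() {
    grep -c -e '-----BEGIN CERTIFICATE-----' "$1"
}

# build_fullchain CERT CHAIN OUT
# Writes CERT followed by CHAIN to OUT, server certificate first, which is
# the order NGINX ssl_certificate and Apache SSLCertificateFile expect.
build_fullchain() {
    cert=$1 chain=$2 out=$3
    [ "$(count_certs "$cert")" -eq 1 ] || {
        echo "expected exactly one certificate in $cert" >&2; return 1; }
    [ "$(count_certs "$chain")" -ge 1 ] || {
        echo "no certificate found in $chain" >&2; return 1; }
    # A private key must never end up in the file served as the certificate.
    if grep -q -e 'PRIVATE KEY-----' "$cert" "$chain"; then
        echo "private key material found in input" >&2; return 1
    fi
    # awk prints whole records, so a missing final newline in CERT cannot
    # fuse its END line with the BEGIN line of CHAIN (plain cat would).
    # A trailing CR is stripped in case a file passed through Windows.
    awk '{ sub(/\r$/, ""); print }' "$cert" "$chain" > "$out" || return 1
    # Post-conditions: no fused marker lines, block count equals the sum.
    if grep -q -e 'END CERTIFICATE-*BEGIN' "$out"; then
        echo "fused PEM markers in $out" >&2; return 1
    fi
    [ "$(count_certs "$out")" -eq \
      $(( $(count_certs "$cert") + $(count_certs "$chain") )) ]
}

# Usage, run in the folder holding the exported files:
#   build_fullchain cert.pem chain.pem cert-with-chain.pem
```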

Replace Certificate in Synology NAS

Fill in info

The following steps can be used to replace a certificate (not renew it) in the Synology NAS user interface.

  • Go to Control Panel -> Security -> Certificate
  • Select Add -> Add
  • Select Replace an existing certificate
  • Choose the certificate to be replaced
  • Select Get a certificate from Let's Encrypt
  • Fill in the info, including domain, email, and alias (separated by semicolons)

Change port forwarding

Now, make sure the Synology NAS can be accessed from the internet on ports 80 and 443, via port forwarding if required.

Using an A * record in DNS is suggested, to avoid DNS changes. Use NGINX to redirect traffic to this host.

Generate

Then generate the certificate.

Add self-signed certificate for TrueNAS

To use a self-signed certificate in TrueNAS, the following steps are required.

Add Certificate into TrueNAS

  • Select Credentials -> Certificates
  • In Certificates section, click on Add button
  • In Add Certificate window, give a name, and select Import Certificate
  • In Extra Constraints section, cut and paste the contents of cert file and key file into Certificate and Private Key textboxes

Configure GUI certificate

  • Select System Settings -> General
  • In GUI section, click on Settings button
  • In GUI Settings window, select the certificate to be used in GUI SSL Certificate option
  • Click on Save button

Restart

The UI web server needs a restart, which is done automatically.

Refresh the browser; you need to click the reload button.