Tag: certificate

Change Apache SSL certificate

Steps

Retrieve certificate

Download certificate from Synology

  • Open Control Panel
  • Select Security
  • Select Certificate tab
  • Right click certificate and select Export certificate

The export contains cert.pem, chain.pem, and privkey.pem, either as an archive file or as a folder.

Merge certificate and chain

Concatenate certificate file and chain file into one file called cert-with-chain.pem or fullchain.pem

Deploy certificate files

  • Create a folder in the Apache configuration folder, such as certs/
  • Copy cert-with-chain.pem and privkey.pem file into certs/ folder.

Setup Apache

This can be done either by changing the Apache configuration or by making soft links to the files that the configuration already uses.

Apache configuration items

SSLCertificateFile      /data/certs/cert-with-chain.pem
SSLCertificateKeyFile   /data/certs/privkey.pem
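
The merge and deploy steps above as a script, added here as an example and not part of the original post: it concatenates cert.pem and chain.pem leaf-first, refuses to deploy when privkey.pem does not belong to the first certificate in the merged file, and installs the key readable by its owner only. The function names, the throwaway demo CA, the host name nas.example and the temp paths are assumptions made for the example.

```shell
#!/bin/sh
# Added example. The demo CA, host name and temp paths are constructed.

pubkey_of_cert() { openssl x509 -in "$1" -noout -pubkey 2>/dev/null; }  # first cert in file
pubkey_of_key()  { openssl pkey -in "$1" -pubout 2>/dev/null; }

# Leaf certificate first, then the chain; blank lines are dropped so a
# missing trailing newline in cert.pem cannot glue two PEM blocks together.
build_fullchain() {    # build_fullchain cert.pem chain.pem out.pem
    { cat "$1"; echo; cat "$2"; } | sed '/^[[:space:]]*$/d' > "$3"
}

# True only if the private key belongs to the FIRST certificate in the file,
# which is the one Apache presents as the server certificate.
key_matches_cert() {   # key_matches_cert privkey.pem fullchain.pem
    k=$(pubkey_of_key "$1") || return 1
    c=$(pubkey_of_cert "$2") || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Refuse to deploy a mismatched pair; keep the key readable by its owner only.
deploy_certs() {       # deploy_certs fullchain.pem privkey.pem /data/certs
    key_matches_cert "$2" "$1" || { echo "key/certificate mismatch" >&2; return 1; }
    mkdir -p "$3" &&
    install -m 644 "$1" "$3/cert-with-chain.pem" &&
    install -m 600 "$2" "$3/privkey.pem"
}

# Constructed demo: a throwaway CA stands in for the exported chain.pem.
demo() (
    set -e
    d=$(mktemp -d); cd "$d"
    openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out chain.pem \
        -subj "/CN=Demo CA" -days 1 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -keyout privkey.pem -out srv.csr \
        -subj "/CN=nas.example" 2>/dev/null
    openssl x509 -req -in srv.csr -CA chain.pem -CAkey ca.key -CAcreateserial \
        -out cert.pem -days 1 2>/dev/null
    build_fullchain cert.pem chain.pem fullchain.pem
    deploy_certs fullchain.pem privkey.pem "$d/certs"
    echo "$d/certs"
)

demo
```

Running apachectl configtest before reloading Apache catches a wrong path in SSLCertificateFile or SSLCertificateKeyFile before the server is restarted.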

Replace Certificate in Synology NAS

Fill in info

The following steps can be used to replace (not renew) a certificate in the Synology NAS user interface.

  • Go to Control Panel -> Security -> Certificate
  • Select Add -> Add
  • Select Replace an existing certificate
  • Choose the certificate to be replaced
  • Select Get a certificate from Let's Encrypt
  • Fill in the info, including domain, email, and aliases (separated by semicolons)

Change port forwarding

Now, make sure the Synology NAS can be accessed from the internet via port forwarding on ports 80 and 443, if required.

Using a * A record in the DNS entry is suggested, to avoid DNS changes. Use NGINX to redirect traffic to this host.

Generate

Then generate certificate.

Add self-signed certificate for TrueNAS

To use a self-signed certificate in TrueNAS, the following steps are required.

Add Certificate into TrueNAS

  • Select Credentials -> Certificates
  • In Certificates section, click on Add button
  • In Add Certificate window, give a name, and select Import Certificate
  • In Extra Constraints section, cut and paste the contents of cert file and key file into Certificate and Private Key textboxes

Configure GUI certificate

  • Select System Settings -> General
  • In GUI section, click on Settings button
  • In GUI Settings window, select the certificate to be used in GUI SSL Certificate option
  • Click on Save button

Restart

The UI web server restarts automatically.

Refresh the browser; you need to click the reload button.

Add root certificate to MacOS

If you have your own root certificate like I do, then follow the steps below to add it in MacOS.

Browser vs OS level installation

When accessing a server whose certificate is signed by your own root certificate, the browser shows a warning if the root certificate isn't installed locally. You then need to choose to trust the certificate in order to continue.

This action only trusts that machine's certificate in the browser. It only does the following:

  • Trust the machine certificate, not the root certificate
  • Only trust in the browser currently used

The benefits of installing the root certificate at OS level are

  • All applications will trust certificate
  • Only one time installation required
  • Trusted for all users in the system (Not Firefox Browser)

Download certificate

Provided by issuer

Go to the issuer software, such as Synology NAS, download from its certificate store, and extract the CA certificate, such as example-ca-cert.pem.

From browser with root certificate

The root certificate can be downloaded from a browser if it has already been installed in the browser. For example, in Firefox,

  • Click on the lock icon beside the URL => connection secure => more information, then the Page Info window appears
  • Click on View Certificate in Security tab, then certificate information page is displayed as a new browser tab.
  • Look for chain certificate. In Firefox, it is under Miscellaneous => Download PEM (chain)
  • Click on chain certificate and save it locally.

Note: The downloaded certificate file contains both the server certificate and the root certificate. Delete the server certificate using a text editor if possible. If the server certificate has already been installed in the keychain, it can be removed from the keychain later too.

Install certificate

Use the following steps to install the CA certificate into the keychain

  • Double click the certificate file (with ".pem" or ".cer" extension)
  • Choose "System" from the keychain option. Then press "Add" to install after providing the password

Set certificate "Always Trust"

To set system-wide trust, use the following steps.

  • Open Keychain Access application
  • Look for root certificate, double click it
  • Expand Trust section
  • Select "Always Trust" from the "When using this certificate" list.
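
The note about removing the server certificate from a browser-exported chain, and the install and trust steps above, as an added script that is not part of the original post: it keeps only self-issued certificates (subject equals issuer) from a PEM bundle, so that only the root is imported. The function names and file names are assumptions; trust_root_macos is the command-line form of the Keychain Access steps and runs only on macOS.

```shell
#!/bin/sh
# Added example. Function and file names are hypothetical.
# Usage: sh extract-root.sh chain.pem example-ca-cert.pem

# Copy only self-issued certificates (subject equals issuer) from a PEM
# bundle, so the server certificate in the export is never trusted by itself.
extract_root_certs() {   # extract_root_certs chain.pem root-only.pem
    tmp=$(mktemp -d) || return 1
    # Split the bundle into one file per certificate.
    awk -v d="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = d "/" n ".pem" }
        f                             { print > f }
        /-----END CERTIFICATE-----/   { close(f); f = "" }' "$1"
    : > "$2"
    for c in "$tmp"/*.pem; do
        [ -f "$c" ] || continue
        s=$(openssl x509 -in "$c" -noout -subject -nameopt RFC2253 | sed 's/^subject=//')
        i=$(openssl x509 -in "$c" -noout -issuer  -nameopt RFC2253 | sed 's/^issuer=//')
        if [ -n "$s" ] && [ "$s" = "$i" ]; then cat "$c" >> "$2"; fi
    done
    rm -rf "$tmp"
    [ -s "$2" ]          # fail if the bundle held no root certificate
}

# macOS only: add the CA to the System keychain as a trusted root.
trust_root_macos() {     # trust_root_macos example-ca-cert.pem
    sudo security add-trusted-cert -d -r trustRoot \
        -k /Library/Keychains/System.keychain "$1"
}

# Run the extraction when called with an input bundle and an output file.
if [ "$#" -eq 2 ]; then
    extract_root_certs "$1" "$2" && echo "root certificate(s) written to $2"
fi
```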

Delete server certificate if needed

If the server certificate was also installed, it is suggested to delete it from the keychain and the browser certificate store. This avoids a false indication of successful installation.

  • Open Keychain Access application
  • Look for server certificate
  • Right click on it, then select delete certificate

Firefox Only

Firefox has its own certificate store and does not accept the system certificates. Use the following steps to enable system certificates for the current user.

  • Open new tab, and type about:config
  • Search for security.enterprise_roots.enabled
  • Change it to true by double-clicking the line.

Note: This only enables trust for the current user.

Reboot

Verify

Use a browser to access another website that has the same root certificate; the certificate-not-trusted page should not appear.

Configure trust self generated CA certificate of docker registry

When a self-generated CA certificate is not trusted by the docker client, the following error occurs

... x509: certificate signed by unknown authority

Install CA certificate for docker only

For docker only, the registry CA can be installed as /etc/docker/certs.d/<registry[:port]>/ca.crt. For example,

/etc/docker/certs.d/my-registry.example.com:5000/ca.crt

Note: If port is 443, it should be omitted. Otherwise, it won't work.
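
The folder-naming rule above, including the port 443 case, as an added script that is not part of the original post. DOCKER_CERTS_ROOT is a hypothetical override for dry runs (the default is the /etc/docker/certs.d location named above), and the function names and sample registry references are assumptions.

```shell
#!/bin/sh
# Added example. DOCKER_CERTS_ROOT is a hypothetical override used for dry runs;
# the default is the /etc/docker/certs.d location named above.

# Folder Docker looks in for a registry CA: <registry[:port]>, with :443 omitted.
registry_cert_dir() {     # registry_cert_dir my-registry.example.com:5000
    ref=${1#https://}; ref=${ref#http://}   # tolerate a pasted URL
    ref=${ref%%/*}                          # drop an image path such as /team/app
    case $ref in
        *:443) ref=${ref%:443} ;;           # default HTTPS port must not be in the name
    esac
    printf '%s/%s\n' "${DOCKER_CERTS_ROOT:-/etc/docker/certs.d}" "$ref"
}

# Install a CA certificate as ca.crt for one registry.
install_registry_ca() {   # install_registry_ca <registry> <ca.pem>
    openssl x509 -in "$2" -noout 2>/dev/null ||
        { echo "$2: not a PEM certificate" >&2; return 1; }
    if grep -q 'PRIVATE KEY' "$2"; then     # only the public CA certificate belongs here
        echo "$2: contains a private key, refusing" >&2; return 1
    fi
    dir=$(registry_cert_dir "$1") && mkdir -p "$dir" &&
    install -m 644 "$2" "$dir/ca.crt" && echo "$dir/ca.crt"
}

# Constructed inputs: the three spellings map to two folders.
for r in my-registry.example.com:5000 my-registry.example.com:443 \
         https://my-registry.example.com/team/app; do
    registry_cert_dir "$r"
done
```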

Install CA certificate into system folder

To install a self-generated CA certificate for the operating system, follow the page below.

Install self generated CA certificate into Linux OS

Restart docker service to take effect

Then restart the docker service after the CA certificate is installed.

systemctl restart docker