How to generate custom SSL certificates

From SynologyWiki

Preparation

  • First, create a temporary work folder, for example /usr/local/ssl/, and cd to this location.


SSL certificates are always generated in two steps. First you generate a certificate authority (CA) key and certificate, and then you generate a server certificate signed with the CA key. The server certificate is used when the web server starts, and the CA certificate (ca.crt) has to be installed on the client PC.

Generation of the certificate authority key

  1. Generate the key ca.key with the following command. During key generation you have to enter a passphrase, which you will need later to generate the certificates:
    openssl genrsa -des3 -out ca.key 2048
  2. Generate the certificate signing request (CSR) for the certificate authority:
    openssl req -new -key ca.key -out ca.csr
  3. Generate the final, self-signed certificate authority certificate (valid 10 years):
    openssl x509 -days 3650 -signkey ca.key -in ca.csr -req -out ca.crt


Generation of the server-certificate

  1. Generate the key:
    openssl genrsa -out server.key 2048
  2. Generate the certificate signing request (CSR). The most important field is the Common Name: it must match your DNS name, for example name.dyndns.org. You can also use wildcards like *.name.dyndns.org.
    openssl req -new -key server.key -out server.csr
  3. Generate the server certificate:
    openssl x509 -days 3650 -CA ca.crt -CAkey ca.key -set_serial 01 -in server.csr -req -out server.crt
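
Before the files are installed, it is worth confirming that they belong together. The script below is an added example, not part of the original wiki page; the function names make_demo_set and check_cert_set, the demo CA name, and the shortcuts taken in the demo generator (unencrypted CA key, CA certificate made with "req -x509") are assumptions.

```shell
#!/bin/sh
# Added example: consistency checks to run on the generated files before
# they are moved into /usr/syno/etc/ssl and the NAS is restarted.

# Build a throwaway CA and server certificate non-interactively (constructed
# sample data). Demo assumptions: the CA key is left unencrypted so no
# passphrase prompt appears, and the CA certificate is made with "req -x509".
make_demo_set() {  # usage: make_demo_set DIR COMMON_NAME
    ( cd "$1" &&
      openssl genrsa -out ca.key 2048 &&
      openssl req -x509 -new -key ca.key -subj "/CN=Demo NAS CA" \
          -days 3650 -out ca.crt &&
      openssl genrsa -out server.key 2048 &&
      openssl req -new -key server.key -subj "/CN=$2" -out server.csr &&
      openssl x509 -days 3650 -CA ca.crt -CAkey ca.key -set_serial 01 \
          -in server.csr -req -out server.crt ) >/dev/null 2>&1
}

# Return 0 only if DIR holds a consistent set for COMMON_NAME.
check_cert_set() {  # usage: check_cert_set DIR COMMON_NAME
    dir=$1; cn=$2
    # 1. server.crt must verify against ca.crt, the file clients will trust.
    openssl verify -CAfile "$dir/ca.crt" "$dir/server.crt" >/dev/null 2>&1 ||
        { echo "FAIL: server.crt does not verify against ca.crt"; return 1; }
    # 2. server.key must be the private half of the key inside server.crt.
    crt_mod=$(openssl x509 -noout -modulus -in "$dir/server.crt")
    key_mod=$(openssl rsa -noout -modulus -in "$dir/server.key" 2>/dev/null)
    { [ -n "$crt_mod" ] && [ "$crt_mod" = "$key_mod" ]; } ||
        { echo "FAIL: server.key does not match server.crt"; return 1; }
    # 3. The Common Name must be exactly the DNS name clients connect to.
    subj=$(openssl x509 -noout -subject -nameopt RFC2253 -in "$dir/server.crt")
    subj=${subj#subject=}; subj=${subj# }
    case ",$subj," in
        *",CN=$cn,"*) ;;
        *) echo "FAIL: Common Name is not $cn (subject: $subj)"; return 1 ;;
    esac
    echo "OK: certificate set in $dir is consistent for $cn"
}

# Demo run on constructed data in a temporary directory.
demo_dir=$(mktemp -d)
make_demo_set "$demo_dir" name.dyndns.org &&
    check_cert_set "$demo_dir" name.dyndns.org
rm -rf "$demo_dir"
```

To check real files, call check_cert_set with the work folder and your DNS name, for example check_cert_set /usr/local/ssl name.dyndns.org.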


Installing the files

  • Change into the Synology certificate folder
    cd /usr/syno/etc/ssl
  • Make a backup folder for the old files:
    mkdir bak
  • Copy the old files into the backup folder:
    cp -r ssl.crt bak
    cp -r ssl.csr bak
    cp -r ssl.key bak
  • Move the new files to the certificate folder:
    mv /usr/local/ssl/ca.crt ssl.crt
    mv /usr/local/ssl/server.crt ssl.crt
    mv /usr/local/ssl/ca.csr ssl.csr
    mv /usr/local/ssl/server.csr ssl.csr
    mv /usr/local/ssl/ca.key ssl.key
    mv /usr/local/ssl/server.key ssl.key
  • The ca.crt has to be installed on the client workstations. For this we copy the file into the folder public.
    cp /usr/syno/etc/ssl/ssl.crt/ca.crt /volume1/public
  • Restart your Synology Station


Installation of the certificate on the client workstation

Finally, the certificate has to be installed on the client workstations as a trusted certificate authority. Copy the file ca.crt to the client PC and install it from Windows Explorer with right-click -> Install Certificate.

Restoring certificates

In case something goes wrong, Synology supplies an easy way, not to restore the old certificates, but to create a new, working set. This should restore the certificates if importing certificates from the web manager has failed. If you need a telnet or ssh client, use PuTTY.

  • Log in to the Synology NAS as root, using the admin user's password, via telnet or ssh, and type the following at the command prompt:
    cd /usr/syno/etc/ssl/
    ./mkcert.sh
  • Allow the script to finish, and type reboot in the prompt.
  • In a while the NAS drive should have rebooted, and everything should be fine again.

Thanks to maelcum in this forum post for pointing it out.
