How to's: Generate Custom SSL Certificates

Svuppe
Student
Posts: 65
Joined: Tue Jan 16, 2007 11:17 pm

Re: CA missing

Unread post by Svuppe » Tue Nov 13, 2007 9:39 pm

maelcum wrote: have you imported one or two certificates in IE?
As far as I understood it, you'd need to import two - at least I had to, working on a mac, though. The principle is the same, after all.
I have only installed one, the one called "ca.crt". I just installed it in the wrong place the first time. Once it was installed in "Trusted Root Certification Authorities", everything worked perfectly.

Trolli
Enlightened
Posts: 406
Joined: Thu Jul 12, 2007 7:53 am
Location: Germany

Unread post by Trolli » Tue Nov 20, 2007 10:16 am

I have added this guide to the wiki: http://www.synology.com/wiki/index.php/ ... rtificates

Trolli
Disk Station 1511+ - DSM 4.0 Beta - 2166
3x3TB Western Digital WD30EZRX, Raid 5

Disk Station 508 - DSM 3.2 - 1922
5x1TB Western Digital WD10EADS, Raid5


Moderator @ German Synology Forum

doh
Rookie
Posts: 32
Joined: Fri Oct 12, 2007 7:09 pm

Re: How to's: Generate Custom SSL Certificates

Unread post by doh » Sat Mar 22, 2008 12:31 am

Hi,

I've followed all the instructions, and everything is working perfectly fine in IE7

However, when trying to view the site in Firefox I get an error saying "Could not establish an encrypted connection because certificate presented by xxx has an invalid signature"

Any ideas?

thanks!

doh
Rookie
Posts: 32
Joined: Fri Oct 12, 2007 7:09 pm

Re: How to's: Generate Custom SSL Certificates

Unread post by doh » Sat Mar 22, 2008 12:46 am

doh wrote:...when trying to view the site in Firefox I get an error saying "Could not establish an encrypted connection because certificate presented by xxx has an invalid signature"
I've managed to get this working by importing the certificate into Firefox directly.

However, before I made this change, Firefox wouldn't produce this error even though I was using SSL. Is there some way to suppress it and continue with an invalid certificate, so that people can get onto my site and download the certificate to import?

Thanks.

NetBoot
Ace
Posts: 725
Joined: Tue Oct 24, 2006 8:20 pm
Location: Northeastern U.S.

Re: How to's: Generate Custom SSL Certificates

Unread post by NetBoot » Sat Mar 22, 2008 12:40 pm

doh wrote: ...when trying to view the site in Firefox I get an error saying "Could not establish an encrypted connection because certificate presented by xxx has an invalid signature"
I've managed to get this working by importing the certificate into Firefox directly.

However, before I made this change, Firefox wouldn't produce this error even though I was using SSL. Is there some way to suppress it and continue with an invalid certificate, so that people can get onto my site and download the certificate to import?

Thanks.
How are you connecting?

https://DiskStation would give you an invalid certificate because of a host name mismatch.

https://www.gateway-1.homedns.org would give you a valid certificate.

Remember that on the internet it needs to resolve to a fully qualified domain name.

You should only need to install the CA in the Trusted Root Certification Authorities, since you are your own authority. Also, remember MS updates root certificates from time to time, so you'll have to import it again.

For users, you can create a link for the ca or setup a web page to automate this. Google for how to. I haven't got around to doing it myself.

Net....
Product Model: DS-106
Firmware Version: 2.0.3 - 0640

I have my reasons for my insanity....

rop
I'm New!
Posts: 8
Joined: Fri Oct 03, 2008 3:58 pm

Re: How to's: Generate Custom SSL Certificates

Unread post by rop » Fri Oct 03, 2008 4:02 pm

Hello.

It seems that the link for the openssl.cnf file is no longer active. Can anyone tell me how and where I can download it? Or is it possible to create that file myself?
Can anybody help me, please?

//Rop

m@rco
I'm New!
Posts: 1
Joined: Fri Oct 17, 2008 8:25 pm

Re: How to's: Generate Custom SSL Certificates

Unread post by m@rco » Fri Oct 17, 2008 8:34 pm

Hello everyone,

I have a question about creating a custom ssl certificate.

I want the .csr to be signed by a firm that signs certificates (like Verisign).

Do I only have to use openssl req -new -key ca.key -out ca.csr and send the .csr to the signing company?

Or must I do all the steps below?

There is an import possibility in the new firmware 722.

"We'll need to generate a Certificate Authority key first.

openssl genrsa -des3 -out ca.key 1024
The command above will create your CA key with 1024 bits, don't use anything higher. The -des3 is for a pass phrase. If you don't want to use a pass phrase just remove it from the command.


Next, we need to generate a Certificate Signing Request

Special note on creating your Certificate Authority Certificate: When prompted to enter your Common Name, don't use the server name or DNS name that you'll be using when we get to the point of generating our certificate for the server. What I used for the Common Name is Diskstation <mac address/without the colons>, ie: "Diskstation 0011223344AB". For other Synology products use its product host name and MAC address. This info is provided on the info page of your Synology unit.

openssl req -new -key ca.key -out ca.csr
Since we'll be signing our own CA cert, we'll run the following command

openssl x509 -req -days 365 -in ca.csr -signkey ca.key -out ca.crt

Now we need to generate our server key and certificate.

When prompted to enter in your Common Name for your server certificate we can use our FQDN or server name ie www.myweb.com.

Another option that you might want to consider is using one with a wildcard so we can also use this certificate for the FTP service, ie: *.myweb.com. With the wildcard, ftp.myweb.com and www.myweb.com will have a valid host name and no host name mismatch.

For those of you who run Dynamic DNS service on their router as I do, use that as your Common Name. Make sure you have wildcards enabled.

openssl genrsa -des3 -out server.key 1024
The command above will create your server key with 1024 bits, don't use anything higher. The -des3 is for a pass phrase. If you don't want to use a pass phrase just remove it from the command.

openssl req -new -key server.key -out server.csr

Finally, sign the certificate signing request (csr) with the self-created certificate authority (CA) that you made earlier

openssl x509 -req -days 365 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt
Make a server.key which doesn't cause Apache to prompt for a password

Here we create an insecure version of the server.key. The insecure one will be used when Apache starts, and will not require a password with every restart of the web server. But keep in mind that while this means you don't have to type in a password when restarting Apache (or worse -- coding it somewhere in plain text), it does mean that anyone obtaining this insecure key will be able to decrypt your transmissions. Guard its permissions VERY carefully.

openssl rsa -in server.key -out server.key.insecure
mv server.key server.key.secure
mv server.key.insecure server.key"

Hope someone can help me

Thanks in Advance

Best Regards,
m@rco
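The procedure quoted above, together with NetBoot's point about the host name mismatch, as an added example that is not part of any post in this thread: a POSIX shell script that builds a private CA and a server certificate with current OpenSSL practice (2048/4096-bit RSA, SHA-256, proper CA and server extensions, and a subjectAltName, because current browsers match the host against the SAN and ignore the Common Name). The host name diskstation.example.net, the CA name, the output directory and the validity periods are placeholders chosen for the example; it assumes OpenSSL 1.1.0 or newer on PATH on the machine where you run it. The 1024-bit keys in the 2008 commands are too weak for today's clients; the steps are otherwise the same as the guide's.

```shell
#!/bin/sh
# Added example, not the forum guide's own commands: a private CA and a server
# certificate generated the way current OpenSSL and browsers expect. Host name,
# directory and CA name are placeholders chosen for the example.
# Assumes: openssl 1.1.0 or newer on PATH (for -verify_hostname and -extensions).

# make_certs OUTDIR HOST
# Writes ca.key, ca.crt, server.key, server.csr, server.crt into OUTDIR and
# prints the result of verifying server.crt against the new CA for HOST.
make_certs() (
  outdir="$1"; host="$2"
  mkdir -p "$outdir" && cd "$outdir" || exit 1

  # A minimal openssl.cnf (the file the thread could no longer download) so the
  # commands do not depend on a system-wide config file.
  cat > openssl.cnf <<EOF
[ req ]
distinguished_name     = req_dn
prompt                 = no
[ req_dn ]
commonName             = placeholder
[ v3_ca ]
basicConstraints       = critical, CA:TRUE, pathlen:0
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash
[ v3_server ]
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
subjectAltName         = DNS:$host, DNS:*.$host
EOF

  # 1. CA key (4096-bit RSA) and a self-signed CA certificate. As in the guide,
  #    the CA's Common Name must differ from the server's. Add -aes256 to genrsa
  #    to protect ca.key with a passphrase; the CA key is never needed on the NAS.
  openssl genrsa -out ca.key 4096 2>/dev/null
  openssl req -x509 -new -sha256 -days 3650 -key ca.key \
    -subj "/CN=DiskStation Example CA" \
    -config openssl.cnf -extensions v3_ca -out ca.crt

  # 2. Server key (2048-bit; 1024 is too weak today) and CSR. The CN is kept for
  #    old clients, but current browsers match only the subjectAltName.
  openssl genrsa -out server.key 2048 2>/dev/null
  openssl req -new -sha256 -key server.key -subj "/CN=$host" \
    -config openssl.cnf -out server.csr

  # 3. Sign the CSR with the CA. "x509 -req" ignores extensions in the CSR, so
  #    they come from the config file. -CAcreateserial gives each certificate a
  #    unique serial instead of the guide's fixed -set_serial 01.
  openssl x509 -req -sha256 -days 825 -in server.csr \
    -CA ca.crt -CAkey ca.key -CAcreateserial \
    -extfile openssl.cnf -extensions v3_server -out server.crt 2>/dev/null

  # server.key is unencrypted (the "insecure" key the guide describes): owner-only.
  chmod 600 ca.key server.key

  # 4. Verify the chain and the host name the way a browser would.
  openssl verify -CAfile ca.crt -verify_hostname "$host" server.crt
)

# check_host OUTDIR NAME: exit 0 if server.crt chains to ca.crt and is valid for NAME.
# "https://DiskStation" fails here for exactly the reason NetBoot gives: that name
# is not one the certificate was issued for.
check_host() (
  cd "$1" || exit 1
  openssl verify -CAfile ca.crt -verify_hostname "$2" server.crt >/dev/null 2>&1
)
```

Run `make_certs ./certs diskstation.example.net` with your own host name, upload server.crt and server.key to the DiskStation, and give clients only ca.crt to import into Trusted Root Certification Authorities, as Svuppe did. `check_host ./certs www.diskstation.example.net` succeeds because of the wildcard entry; `check_host ./certs DiskStation` fails with a host name mismatch, which is the error the thread keeps running into.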

lmcwilli
Trainee
Posts: 13
Joined: Sat Feb 14, 2009 5:24 pm

Re: How to's: Generate Custom SSL Certificates

Unread post by lmcwilli » Sun Mar 01, 2009 2:16 pm

On my CS407 (DSM 2.0-0731), after following this thread and trying the approach outlined at

http://www.synology.com/wiki/index.php/ ... rtificates

it ended up being much simpler to run the mkcert.sh script located in the /usr/syno/etc/ssl directory.

Here's what the console log looks like from a successful run:

CubeStation> ./mkcert.sh
STEP1: Generating RSA private key for CA (1024 bit) [ca.key]
1416754 semi-random bytes loaded
Generating RSA private key, 1024 bit long modulus
.............................................++++++
......................................................++++++
e is 65537 (0x10001)

______________________________________________________________________
STEP 2: Generating X.509 certificate signing request for CA [ca.csr]
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
1. Country Name (2 letter code) [XY]:
2. State or Province Name (full name) [Snake Desert]:
3. Locality Name (eg, city) [Snake Town]:
4. Organization Name (eg, company) [Snake Oil, Ltd]:
5. Organizational Unit Name (eg, section) [Certificate Authority]:
6. Common Name (eg, CA name) [Snake Oil CA]:
7. Email Address (eg, name@FQDN) [ca@snakeoil.dom]:
______________________________________________________________________
STEP 3: Generating X.509 certificate for CA signed by itself [ca.crt]
Signature ok
subject=/C=TW/ST=Taiwan/L=Taipei/O=Synology Inc./OU=Certificate Authority/CN=Synology Inc. CA/emailAddress=product@synology.com
Getting Private key
Verify: matching certificate & key modulus
Verify: matching certificate signature
/usr/syno/etc/ssl/ssl.crt/ca.crt: /C=TW/ST=Taiwan/L=Taipei/O=Synology Inc./OU=Certificate Authority/CN=Synology Inc. CA/emailAddress=product@synology.com
error 18 at 0 depth lookup:self signed certificate
OK

______________________________________________________________________
STEP 4: Generating private key for SERVER (1024 bit) [server.key]
1416754 semi-random bytes loaded
Generating RSA private key, 1024 bit long modulus
..........++++++
.................................++++++
e is 65537 (0x10001)

______________________________________________________________________
STEP 5: Generating X.509 certificate signing request for SERVER [server.csr]
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
1. Country Name (2 letter code) [XY]:
2. State or Province Name (full name) [Snake Desert]:
3. Locality Name (eg, city) [Snake Town]:
4. Organization Name (eg, company) [Snake Oil, Ltd]:
5. Organizational Unit Name (eg, section) [FTP Team]:
6. Common Name (eg, FQDN) [ftp.snakeoil.dom]:
7. Email Address (eg, name@fqdn) [ftp@snakeoil.dom]:
______________________________________________________________________
STEP 6: Generating X.509 certificate signed by own CA [server.crt]
Signature ok
subject=/C=TW/ST=Taiwan/L=Taipei/O=Synology Inc./OU=FTP Team/CN=synology.com/emailAddress=product@synology.com
Getting CA Private Key
Verify: matching certificate & key modulus
Verify: matching certificate signature
/usr/syno/etc/ssl/ssl.crt/server.crt: OK
______________________________________________________________________

Hathor27
Experienced
Posts: 100
Joined: Sat Feb 21, 2009 4:09 pm
Location: Switzerland

Re: How to's: Generate Custom SSL Certificates

Unread post by Hathor27 » Thu Mar 12, 2009 11:17 pm

Hi there,

I'm quite new here and am trying to make my first steps into customizing my DS107e.
Your description looks great, but is far too difficult to start with. Is there any 'easy way' to generate and implement my custom certificate? Such as a batch file or an application? :?

Thanks a lot in advance
Hathor27
Best Regards
Hathor27

Hardware: DS107+/DS207+/DS109+/DS209+/DS409/DS211+/DS213j/DS214play/DS214+/DS215+/DS216play/DS416j/DS716+/DX513
Featured: WebAlizer/VPN/ReverseProxy/MailServer/Drive/DNS/DHCP/CMS/SSL/Subversion

jojje@datanet.se
I'm New!
Posts: 1
Joined: Thu Mar 12, 2009 4:00 pm

Re: How to's: Generate Custom SSL Certificates

Unread post by jojje@datanet.se » Fri Mar 13, 2009 8:58 am

Hi.
I'm not able to download the file openssl.cnf from the following link: http://www.gateway-1.homedns.org/synology/openssl.cnf.
Please help.

//Jojje

DevineMe
Student
Posts: 62
Joined: Sun Apr 26, 2009 2:48 am

Re: How to's: Generate Custom SSL Certificates

Unread post by DevineMe » Thu Jun 11, 2009 8:23 am

Scratch the batch file.. someone pointed out a way easier path.. :wink: (Had I known sooner, I would have used it instead of installing a whole bunch of stuff.. :shock: )

Login as root via Telnet or SSH
change directory to "usr/syno/etc/ssl/"
Run "sh mkcert.sh"
Logout

Next Login to Disk Station Manager and goto "Network Services-> Web Services"
Next click Checkbox "Automatically redirect HTTP connections to HTTPS "
Next Click Ok..

Voilà.. Done
Last edited by DevineMe on Sun Jun 14, 2009 10:03 am, edited 3 times in total.

bouncemeister
Experienced
Posts: 127
Joined: Mon Jun 11, 2007 9:41 am

Re: How to's: Generate Custom SSL Certificates

Unread post by bouncemeister » Fri Jun 12, 2009 4:00 pm

This might sound stupid, but i'm totally new to certificates.
Where do you install these programs, on the PC or on the Diskstation?
What do mean by "I logged it to Synology box"?
Thanx.

DevineMe
Student
Posts: 62
Joined: Sun Apr 26, 2009 2:48 am

Re: How to's: Generate Custom SSL Certificates

Unread post by DevineMe » Sat Jun 13, 2009 8:09 am

bouncemeister wrote:This might sound stupid, but i'm totally new to certificates.

So Was I...
Where do you install these programs, on the PC or on the Diskstation?
If you click the links you will see that the Visual C++ 2008 Redistributables and Win32 OpenSSL v0.9.8k Light are for the PC. The file names kinda hint at that. The batch file goes in the Win32 OpenSSL bin directory. The C++ Redistributables must be installed before OpenSSL, provided they are not installed already.
What do mean by "I logged it to Synology box"?
Thanx.
The I logged it part was a typo due to my quick posting habits.

bouncemeister
Experienced
Posts: 127
Joined: Mon Jun 11, 2007 9:41 am

Re: How to's: Generate Custom SSL Certificates

Unread post by bouncemeister » Sat Jun 13, 2009 9:16 am

Yeah, i should have known the files were for the PC.
Thanx for the explanation.
I generated my own .bat file.
I used m@rco's thread which explains some more about this.

You used "www.mysite.com" and "ca.mysite.com" in your .bat file.
My domain name doesn't have www in it. it's like this: "myname.openftp.net".
Do i have to use "myname.openftp.net" and "ca.myname.openftp.net" instead?

I generated a bunch of files.

I didn't know which ones to select in the Diskstation certificate upload screen. The ones i selected ("myname.openftp.net.crt and .key") now didn't do the trick.


Secure Connection Failed

diskstation:7001 uses an invalid security certificate

The certificate is not trusted because the issuer certificate is unknown.
The certificate is only valid for MyName.

(Error code: sec_error_unknown_issuer)


Which ones do i need to use?
There is a .crt, a .csr and a .key. And also a .crt and a .key for "ca.mydomain.com".


PS, really nice that windoze doesn't show the true extension of a file, but just its interpretation of it. I presume the "registry entry" file is the .key file?
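Sorting out which generated file is which (the question in the post above) and re-running the "matching certificate & key modulus" check that mkcert.sh prints in lmcwilli's log, as an added example that is not from any post in this thread: three POSIX shell functions that work on any certificate and key files you already have. The rule they encode: the end-entity certificate (server.crt in the guide) and its private key are what you upload to the DiskStation, only the CA certificate (ca.crt) is given to clients to import, and the .csr is not needed once it has been signed. File paths are arguments and the names in the comments are the guide's; it assumes openssl on PATH and nothing Synology-specific.

```shell
#!/bin/sh
# Added example, not from any post in the thread: identify which generated file
# is which before uploading to the DiskStation. Paths are arguments; nothing
# here is Synology-specific. Assumes openssl on PATH.

# cert_role CERT: prints "ca" for a CA certificate, "server" for an end-entity one.
# Only the CA certificate is given to clients to import; the server certificate
# and its private key go on the NAS.
cert_role() {
  if openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; then
    echo ca
  else
    echo server
  fi
}

# cert_key_match CERT KEY: exit 0 if KEY is the private key belonging to CERT.
# Compares the public keys, which is the check mkcert.sh reports as
# "matching certificate & key modulus". An encrypted key prompts for its passphrase.
cert_key_match() {
  c=$(openssl x509 -in "$1" -noout -pubkey) || return 1
  k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ "$c" = "$k" ]
}

# cert_names CERT: one line per DNS name the certificate is valid for
# (subjectAltName entries; the Common Name only if there is no SAN). A host
# name that is not in this list is what produces "The certificate is only
# valid for ..." in the browser.
cert_names() {
  names=$(openssl x509 -in "$1" -noout -text | grep -o 'DNS:[^,]*' | sed 's/DNS://')
  if [ -z "$names" ]; then
    names=$(openssl x509 -in "$1" -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p')
  fi
  printf '%s\n' "$names"
}
```

For the error quoted in the post above, `cert_names` on the uploaded certificate would list only "MyName", so connecting as diskstation:7001 can never match; the name you connect with has to be one the certificate was issued for, and the CA that signed it has to be imported on the client to clear the unknown-issuer part.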

bouncemeister
Experienced
Posts: 127
Joined: Mon Jun 11, 2007 9:41 am

Re: How to's: Generate Custom SSL Certificates

Unread post by bouncemeister » Sun Jun 14, 2009 2:37 pm

DevineMe wrote: Scratch the batch file.. someone pointed out a way easier path.. :wink: (Had I known sooner, I would have used it instead of installing a whole bunch of stuff.. :shock: )

Login as root via Telnet or SSH
change directory to "usr/syno/etc/ssl/"
Run "sh mkcert.sh"
Logout

Next Login to Disk Station Manager and goto "Network Services-> Web Services"
Next click Checkbox "Automatically redirect HTTP connections to HTTPS "
Next Click Ok..

Voilà.. Done
This surely sounds easier than the .bat file.
But sadly, i get an error message:


DiskStation login: admin
Password:
warning: cannot change to home directory


BusyBox v1.1.0 (2009.03.25-12:22+0000) Built-in shell (ash)
Enter 'help' for a list of built-in commands.

DiskStation> cd usr/syno/etc/ssl/
DiskStation> dir
drwxr-xr-x    5 root     root         4096 Jan 14  2004 .
drwxr-xr-x   10 root     root         4096 Jun 14 15:33 ..
-rwxr-xr-x    1 root     root         7789 May  3  2007 mkcert.sh
drwxr-xr-x    2 root     root         4096 Jan 14  2004 ssl.crt
drwxr-xr-x    2 root     root         4096 Jan 14  2004 ssl.csr
drwx------    2 root     root         4096 Jan 14  2004 ssl.key
DiskStation> sh mkcert.sh
STEP1: Generating RSA private key for CA (1024 bit) [ca.key]
/usr/syno/etc/ssl/ssl.key/ca.key: Permission denied
15165:error:0200100D:system library:fopen:Permission denied:bss_file.c:352:fopen
('/usr/syno/etc/ssl/ssl.key/ca.key','w')
15165:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:354:
mkcert.sh:Error: Failed to generate RSA private key
DiskStation>
I stopped the HTTPS services and logged into Telnet as admin.

Help?

PS, previously i imported a key and certificate (generated from the batchfile) using the diskstation interface, but that didn't work.
Where can i delete these files?
