How to's: Generate Custom SSL Certificates

Steph
Enlightened
Posts: 420
Joined: Wed Nov 22, 2006 12:26 pm

Re: How to's: Generate Custom SSL Certificates

Unread post by Steph » Sun Feb 28, 2010 1:51 am

Hi all,

I have made my own certificates with StartSSL. I have imported them in my NAS. Under IE8 and Chrome in Windows and Safari under Mac, it's working great: no warning. But with Firefox 3.6, I have warnings.

I saw that I'm not the only one but I didn't understand your answers.

How come the NAS returns TWO different certificates!! Does it do the same with you? If I go to https://xxx.mydomain.com the certificate comes from Synology, if I go to https://xxx.mydomain.com:7001 I have the certificate I imported. How come? Is this normal?

vvv850
Experienced
Posts: 133
Joined: Wed Jan 20, 2010 2:38 pm

Re: How to's: Generate Custom SSL Certificates

Unread post by vvv850 » Sun Feb 28, 2010 11:45 am

There are two files that point Apache to the correct SSL certificates: httpd-ssl.conf and httpd-ssl.conf-sys, both located at /usr/syno/apache/conf/extra. The sys file is meant for the management interface and in my case is http/s://www.mydomain.com:5000/5001. The other one is for other virtual domains. If you open the file you will find:

SSLCertificateFile /usr/syno/etc/ssl/ssl.crt/server.crt
SSLCertificateKeyFile /usr/syno/etc/ssl/ssl.key/server.key

PS: For installing the intermediate chain file you should consult this link https://knowledge.verisign.com/support/ ... t&id=AR193

PPS: I haven't tested what I wrote above so if someone has more experience please contribute. Also there is another file httpd-ssl.conf-usr that I don't really know what it's for.
DS209+II DSM 2.3-1139 <> 2x1TB Seagate ST31000528AS firmware CC38 RAID1
DS710+ DSM 2.3-1161 <> 2x1TB Seagate ST31000528AS firmware CC38 RAID1

Steph
Enlightened
Posts: 420
Joined: Wed Nov 22, 2006 12:26 pm

Re: How to's: Generate Custom SSL Certificates

Unread post by Steph » Sun Feb 28, 2010 4:46 pm

I have never done these modifications on my NAS, so just to be sure: I should ssh on it, go to the two files you mention, and make them point to the same certificate?

What should I do with the intermediate certificate? Where do I put it and then how do I make Apache understand what to do with it?

vvv850
Experienced
Posts: 133
Joined: Wed Jan 20, 2010 2:38 pm

Re: How to's: Generate Custom SSL Certificates

Unread post by vvv850 » Sun Feb 28, 2010 7:37 pm

First of all you should backup all the files that will be modified. Second, you should take into consideration that a wrong modification to the httpd files may lock you out using the web manager.

From what I know, the NAS saves your imported certificates in /usr/syno/etc/ssl/ssl.key/ | /usr/syno/etc/ssl/ssl.crt/ . The xxx.key file is the key that you generated initially and the xxx.crt file is the certificate that the CA sends you. Both are imported automatically in those locations.

Like I said before, httpd-ssl.conf-sys is used for the webmanager and httpd-ssl.conf is used for your web page and photo station (those are my conclusions). You should check that in both files the entries SSLCertificateFile and SSLCertificateKeyFile point to xxx.crt and xxx.key respectively. (I also think that you should duplicate those settings in the httpd-ssl.conf-user.)

As for the intermediate file, I don't have any experience but you should follow the instructions found at this link https://knowledge.verisign.com/support/ ... t&id=AR193. The idea is to add in the files mentioned above SSLCertificateChainFile followed by the location where you will save the intermediate certificate.

PS: If you open those files you will see the exact inputs and where you need to make changes.
DS209+II DSM 2.3-1139 <> 2x1TB Seagate ST31000528AS firmware CC38 RAID1
DS710+ DSM 2.3-1161 <> 2x1TB Seagate ST31000528AS firmware CC38 RAID1

Steph
Enlightened
Posts: 420
Joined: Wed Nov 22, 2006 12:26 pm

Re: How to's: Generate Custom SSL Certificates

Unread post by Steph » Mon Mar 01, 2010 8:57 pm

Thanks vvv850 for your time & response...

For now, I have only looked at the files you have mentioned so I could understand the whole idea better. I don't know much about Apache and even less about SSL, so bear with me :).

HTTP.CONF
Seems to be the first "configuration" page that Apache reads. The part that interests me (I believe) is:

<IfDefine SSL>
Include conf/extra/httpd-ssl.conf
</IfDefine>

HTTP-SSL.CONF

# Global parameters for virtual host
SSLCertificateFile /usr/syno/etc/ssl/ssl.crt/server.crt
SSLCertificateKeyFile /usr/syno/etc/ssl/ssl.key/server.key
[...]
<VirtualHost *:443>

[...]

# Certificate Authority (CA)
# SSLCACertificatePath /usr/syno/apache/conf/ssl.crt
# SSLCACertificateFile /usr/syno/apache/conf/ssl.crt/ca-bundle.crt
[...]
</VirtualHost>
At this point, nothing mentions including the file HTTP-SSL.CONF-SYS, but if I look into it, I see the following:

[...]
SSLCertificateFile /usr/syno/etc/ssl/ssl.crt/server.crt
[...]
SSLCertificateKeyFile /usr/syno/etc/ssl/ssl.key/server.key
[...]
#SSLCACertificateFile /usr/syno/apache/conf/ssl.crt/ca-bundle.crt
and at the end, this interesting line:

Include /usr/syno/etc/httpd-ssl-filestation.conf-sys
HTTP-SSL-FILESTATION.CONF-SYS

Listen 7001
NameVirtualHost *:7001
<VirtualHost *:7001>
ServerName LocalMachine
DocumentRoot /usr/syno/synoman/webfm
SSLCipherSuite HIGH:MEDIUM
SSLProtocol all -SSLv2
SSLCertificateFile /usr/syno/etc/ssl/ssl.crt/server.crt
SSLCertificateKeyFile /usr/syno/etc/ssl/ssl.key/server.key
SSLEngine on
</VirtualHost>
Which would mean the file HTTP-SSL.CONF-SYS is used, because it includes the file just above.

Now as you mentioned, one should install the intermediate certificate (https://knowledge.verisign.com/support/ ... t&id=AR193). Apparently, it's as simple as uncommenting SSLCACertificateFile and making it point to the right place.

But where should I indicate this? I would do it wherever SSLCertificateFile & SSLCertificateKeyFile are not commented and where SSLCACertificateFile is mentioned but commented. What do you think? (Or, after each SSLCertificateFile and SSLCertificateKeyFile mentioned, add the line SSLCACertificateFile?) I read somewhere that one should be careful because specifying the same file in too many places might screw up Apache.

What about the file HTTPD-SSL.CONF-USER? In it, SSLCertificateFile & SSLCertificateKeyFile are mentioned and SSLCACertificateFile is commented.

Maybe someone can very quickly explain what the purpose is of the certificates being mentioned in so many files?

vvv850
Experienced
Posts: 133
Joined: Wed Jan 20, 2010 2:38 pm

Re: How to's: Generate Custom SSL Certificates

Unread post by vvv850 » Mon Mar 01, 2010 10:06 pm

Note: As I said in an earlier post, I haven't tried importing an intermediate certificate myself, only my custom made ones, so be sure to back up before you start modifying. Also, if someone with more experience detects an error or misleading information, please correct me.

In HTTP-SSL.CONF-SYS this line appears: "Listen 5001", from which I understand that SSLCertificateFile and the rest of the links point to where the Web Manager interface looks for the SSL certificates. So if you want to use a valid certificate for logging into the management interface you need to set up SSLCertificateFile, SSLCertificateKeyFile (and in case of intermediate certificates, SSLCertificateChainFile).

In httpd-ssl.conf you can see this line: "Listen 443", which makes me believe that this is used for the Web Service. So if you want SSL access to your published website you should check that SSLCertificateFile, SSLCertificateKeyFile, SSLCertificateChainFile point to where your certificates are.

In HTTP-SSL-FILESTATION.CONF-SYS the listen port is 7001, which is used as default for the separate login page for File Station, which you can enable here: File Sharing -> File Station -> Customize. The rules mentioned above also apply here.

You can save the files anywhere, I think, just be sure to get the address right (e.g. for SSLCertificateFile you need to point it at the .crt file obtained from the CA, for SSLCertificateKeyFile you need to point it to the .key file you generated first, etc.). For simplicity you should copy them into /usr/syno/etc/ssl/ssl.crt and /usr/syno/etc/ssl/ssl.key (you can also put the intermediate certificate at this location: /usr/syno/etc/ssl/ssl.crt).

LE: I also think that you should have only one uncommented occurrence of SSLCertificateFile, SSLCertificateKeyFile, SSLCertificateChainFile in each of the files mentioned above, to avoid any errors.

Steph, please post your findings if you succeed.

Cheers
DS209+II DSM 2.3-1139 <> 2x1TB Seagate ST31000528AS firmware CC38 RAID1
DS710+ DSM 2.3-1161 <> 2x1TB Seagate ST31000528AS firmware CC38 RAID1
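As an added example (not code from this thread, from Synology, or from any of the posters), a small Python checker for the question running through these posts: which certificate files each VirtualHost actually serves, and whether a directive is set twice in one scope. It assumes the text of the httpd-ssl*.conf files quoted above is passed in as a string; the embedded sample is constructed, with xxx.crt/xxx.key taken from vvv850's naming and intermediate.crt as a placeholder. One caveat worth stating plainly: in mod_ssl, SSLCACertificateFile configures verification of client certificates, so uncommenting it does not hand the intermediate to browsers; SSLCertificateChainFile is the directive for that.

```python
import re

# Directives tracked. Caveat for this thread: SSLCACertificateFile names the CAs
# used to verify *client* certs; the server's intermediate goes in SSLCertificateChainFile.
DIRECTIVES = ("SSLCertificateFile", "SSLCertificateKeyFile",
              "SSLCertificateChainFile", "SSLCACertificateFile")

def parse_ssl_config(text):
    """Scope ('global' or 'VirtualHost *:7001') -> directive -> [values]."""
    scopes, current = {"global": {}}, "global"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                                   # blank or commented out
        m = re.match(r"<VirtualHost\s+([^>]+)>", line, re.I)
        if m:
            current = "VirtualHost " + m.group(1).strip()
            scopes.setdefault(current, {})
        elif line.lower().startswith("</virtualhost>"):
            current = "global"
        else:
            parts = line.split(None, 1)
            if len(parts) == 2 and parts[0] in DIRECTIVES:
                scopes[current].setdefault(parts[0], []).append(parts[1])
    return scopes

def effective_certs(text):
    """Per VirtualHost, the files it really serves: a directive inside the vhost
    wins, otherwise the global one is inherited; later occurrences override."""
    scopes = parse_ssl_config(text)
    return {s: {d: (own.get(d) or scopes["global"].get(d))[-1]
                for d in DIRECTIVES if own.get(d) or scopes["global"].get(d)}
            for s, own in scopes.items() if s != "global"}

def find_duplicates(text):
    """(scope, directive) pairs set more than once, which vvv850's
    'only one uncommented occurrence' advice is meant to avoid."""
    return sorted((s, d) for s, own in parse_ssl_config(text).items()
                  for d, vals in own.items() if len(vals) > 1)

# Constructed sample: the global lines quoted from httpd-ssl.conf above, plus a
# *:443 vhost edited to use the imported files (intermediate.crt is a placeholder).
SAMPLE_HTTPD_SSL = """SSLCertificateFile /usr/syno/etc/ssl/ssl.crt/server.crt
SSLCertificateKeyFile /usr/syno/etc/ssl/ssl.key/server.key
<VirtualHost *:443>
SSLCertificateFile /usr/syno/etc/ssl/ssl.crt/xxx.crt
SSLCertificateKeyFile /usr/syno/etc/ssl/ssl.key/xxx.key
SSLCertificateChainFile /usr/syno/etc/ssl/ssl.crt/intermediate.crt
# SSLCACertificateFile /usr/syno/apache/conf/ssl.crt/ca-bundle.crt
</VirtualHost>"""
```

Run against the real files on the NAS, a vhost whose SSLCertificateFile still resolves to server.crt while another resolves to xxx.crt is exactly the "two different certificates" Steph observed on 443 versus 7001.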

dodgy
Beginner
Posts: 22
Joined: Fri Mar 26, 2010 8:43 am

Re: How to's: Generate Custom SSL Certificates

Unread post by dodgy » Tue Mar 30, 2010 1:48 pm


Chrigi
I'm New!
Posts: 3
Joined: Sat Jan 08, 2011 2:00 pm
Location: Switzerland

Re: How to's: Generate Custom SSL Certificates

Unread post by Chrigi » Thu Feb 17, 2011 12:14 pm

I followed this guide and generated all the needed files on my Mac, then used the certificate upload panel in the DSM Config pane (on DSM-3.1 beta on my DS-1511+), but it did not work at all...
Do I have to create the certificates on the DS itself and then move them into place manually?
DS1511+ / DSM 3.1-1594 / WD20EARS

Jeannot45
I'm New!
Posts: 1
Joined: Sat Aug 20, 2011 3:42 pm

Re: How to's: Generate Custom SSL Certificates

Unread post by Jeannot45 » Sat Aug 20, 2011 4:16 pm

Hi everyone,

I tried to create my own CA and my own SSL cert with this "How to", but it seems that the CA cert is not a "real" CA.
After some searching, I found that in fact the openssl command line to create the ca.crt is missing this: "-extensions v3_ca". So you can use this command line instead of the third one:

openssl req -new -x509 -extensions v3_ca -keyout ca.key -out ca.crt -days 3650 -config /path/to/caconfig.cnf

For those who are not familiar with openssl command lines, you can use XCA (http://xca.sourceforge.net/) to create/manage your certificates.
