SSL Certificate

Web hosting, MySQL, PHP and all that good stuff.

Moderator: Lillian.W@AST

marc
Posts: 3
Joined: Sun Feb 10, 2013 3:53 am

SSL Certificate

Post by marc »

I couldn't find any documentation about the webserver. I need to install some certificates. Can you help me find some documentation or tell me how I should do it?

Thank you very much, marc
James.W@AST
Posts: 189
Joined: Wed Jun 06, 2012 12:50 am

Re: SSL Certificate

Post by James.W@AST »

Hi Marc,

Here are the instructions on how to generate a self-signed certificate for ASUSTOR NAS for your reference.
================================================
You can use the following procedure to generate a self-signed certificate on a Linux system, then import it to the NAS.

1. To generate a private key for CA
# openssl genrsa -des3 -out ./myrootca.key 2048

2. Use the CA private key to generate a sign request for CA
# openssl req -new -key ./myrootca.key -out ./myrootca.req

3. To sign the CA request
# openssl x509 -req -days 7305 -sha256 \
    -extfile /etc/ssl/openssl.cnf -extensions v3_ca \
    -signkey ./myrootca.key \
    -in ./myrootca.req -out ./myrootca.crt

4. To generate a private key for host
# openssl genrsa -out ./myhost.key 2048

5. Use the host private key to generate a sign request for host
# openssl req -new -key ./myhost.key -out ./myhost.req

6. To sign the host request
# openssl x509 -req -days 3650 -sha256 \
    -extfile /etc/ssl/openssl.cnf -extensions v3_req \
    -CA ./myrootca.crt -CAkey ./myrootca.key \
    -CAserial /etc/ssl/myrootca.srl -CAcreateserial \
    -in ./myhost.req -out ./myhost.crt

7. To append host certificate with host private key together
# cat myhost.crt >> myhost.key

8. Import the myhost.key into ASUSTOR NAS at [Settings] > [General] > [Certificate Manager]
To Infinity and Beyond!

Friends of My AS-606T: (RAID 5 with WD Black 2TB * 4, WD Red 2TB * 2)
MacBook Air (10.8) & Self-assembled Windows PC (Windows 7)
iPhone 4S (iOS 6) & iPad 2 (iOS 6)
Boxee Box, Logitech Squeezebox Duet
SONY HT-CT150 Sound Bar (Connected directly to the NAS via HDMI)
CISCO Linksys E4200
blackstar
Posts: 59
Joined: Thu Apr 25, 2013 3:37 am

Re: SSL Certificate

Post by blackstar »

Hi,
What about a real certificate?
Say I have a domain that I want to secure with SSL encryption.
Is this still valid:

"7. To append host certificate with host private key together
#cat myhost.crt >> myhost.key

8. Import the myhost.key into ASUSTOR NAS at [Settings] > [General] -> [Certificate Manager]"

Is there no need to import a PEM file (intermediate certificate)?

Cheers.
James.W@AST
Posts: 189
Joined: Wed Jun 06, 2012 12:50 am

Re: SSL Certificate

Post by James.W@AST »

If you have a real certificate then you don't need these. You just need to convert it to a PEM certificate, since the system only supports X.509 PEM certificates and private keys.

A .pem (Privacy Enhanced Mail) certificate is a Base64-encoded DER certificate, enclosed between "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" as you can see in the sample certificate from our web UI. You can find many instructions about how to convert a .cer certificate to a .pem certificate.

Here is a sample command with openssl which should do the trick:
# openssl x509 -inform der -in certificate.cer -outform pem -out certificate.pem
blackstar
Posts: 59
Joined: Thu Apr 25, 2013 3:37 am

Re: SSL Certificate

Post by blackstar »

Hi,
From what I was able to read and find out via some friends' info, the generated certificate is already in a correct state (crt file with the correct format: enclosed between "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----") along with a key file (private).

Based on this, will the last command be enough (cat myhost.crt >> myhost.key) and then import into Certificate Manager?

Also, can we achieve two-way certificate authentication (see http://linuxconfig.org/apache-web-serve ... entication)? If so, does the provided website give enough information or are there additional/alternate procedures to follow?

Cheers.
James.W@AST
Posts: 189
Joined: Wed Jun 06, 2012 12:50 am

Re: SSL Certificate

Post by James.W@AST »

blackstar wrote:
"Based on this, will the last command be enough (cat myhost.crt >> myhost.key) and then import into Certificate Manager?"

Hmm, I think this should work.

"Also, can we achieve two-way certificate authentication (see http://linuxconfig.org/apache-web-serve ... entication)? If so, does the provided website give enough information or are there additional/alternate procedures to follow?"

I have never done this before, but I think this is workable. As far as I know, if you edit the configuration file from the CLI directly, restarting Apache won't restore it. It will only be restored when you use the Web GUI to modify it...
blackstar
Posts: 59
Joined: Thu Apr 25, 2013 3:37 am

Re: SSL Certificate

Post by blackstar »

Unfortunately, there's no way to configure anything in the Web GUI aside from protocol, port, virtual host destination path (in the NAS folder tree) and desired name of the virtual hosts...

Is there really no way to make it so I can edit the virtual host until a new release allowing more configuration options comes out... ?

Cheers.
Kapitein Haak
Posts: 333
Joined: Tue Oct 15, 2013 2:40 pm
Location: Stranded on the Dutch coast.

Re: SSL Certificate

Post by Kapitein Haak »

A shameless bump of this thread. I have generated a certificate for my registered domain with a trusted CA. I then tried to import the certificate through the GUI, but was unsuccessful. Because I wanted to see if the problem was with the certificate itself, I dug up a manual for installing certificates with lighttpd. I modified the config files on the NAS, restarted lighttpd, and there was the padlock and the certificate is just fine. So... has anyone had any success importing signed certificates through the GUI? I would prefer to import certificates through the GUI; even though my modification survives a reboot, it just doesn't feel right...

Best regards,
Kapitein Haak.
"What would the world be like without Captain Hook?"
---
"Homo sapiens non urinat in ventum" (A wise man doesn't piss into the wind), only in Amsterdam:
https://www.google.nl/maps/@52.36289,4. ... 312!8i6656
Kapitein Haak
Posts: 333
Joined: Tue Oct 15, 2013 2:40 pm
Location: Stranded on the Dutch coast.

Re: SSL Certificate

Post by Kapitein Haak »

The issue was found by Asustor support and will be fixed in the next firmware. The certificate requires an additional NEWLINE at the end; as of the next release an Asustor NAS should also accept certificates without the additional NEWLINE.
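A pre-import check for the combined file from step 7 of the procedure earlier in the thread, which also catches the missing final NEWLINE reported above. This is an added example, not part of the thread or of ASUSTOR's software; the function names are hypothetical, and key_matches_cert assumes openssl is installed and the host key has no passphrase.

```shell
#!/bin/sh
# Added example; helper names are hypothetical.

# check_bundle FILE: structural checks on the combined key+certificate file
# from step 7. Prints one finding per line; returns 0 only if none.
check_bundle() {
    f=$1; rc=0
    [ -s "$f" ] || { echo "missing or empty file"; return 1; }
    marker='-----(BEGIN|END) [A-Z0-9 ]+-----'
    # A marker sharing its line with other text means something was appended
    # to a file lacking a final newline: "-----END ...----------BEGIN ...".
    if grep -E -e "$marker" "$f" | grep -Evq -e "^${marker}[[:space:]]*\$"; then
        echo "fused PEM boundary line"; rc=1
    fi
    keys=$(grep -c -e '-----BEGIN .*PRIVATE KEY-----' "$f" || true)
    certs=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$f" || true)
    [ "$keys" -eq 1 ] || { echo "expected 1 private key, found $keys"; rc=1; }
    [ "$certs" -ge 1 ] || { echo "no certificate block"; rc=1; }
    # $(...) strips a trailing newline, so empty output = last byte is "\n".
    [ -z "$(tail -c 1 "$f")" ] || { echo "no newline at end of file"; rc=1; }
    return "$rc"
}

# ensure_final_newline FILE: append "\n" only when the last byte is not one.
ensure_final_newline() {
    [ -z "$(tail -c 1 "$1")" ] || printf '\n' >> "$1"
}

# key_matches_cert FILE: the public key derived from the private key must
# equal the one in the first certificate. Assumes openssl is installed and
# the key is not passphrase-protected; returns 2 if either cannot be parsed.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    [ "$k" = "$c" ]
}
```

Run check_bundle on myhost.key after step 7; if it reports only the missing newline, ensure_final_newline repairs the file in place, while a fused boundary line means the concatenation has to be redone from the original files.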
dandy010
Posts: 4
Joined: Wed Oct 16, 2013 1:37 am

Re: SSL Certificate

Post by dandy010 »

Kapitein Haak wrote:
"A shameless bump of this thread. I have generated a certificate for my registered domain with a trusted CA. I then tried to import the certificate through the GUI, but was unsuccessful. Because I wanted to see if the problem was with the certificate itself, I dug up a manual for installing certificates with lighttpd. I modified the config files on the NAS, restarted lighttpd, and there was the padlock and the certificate is just fine. So... has anyone had any success importing signed certificates through the GUI? I would prefer to import certificates through the GUI; even though my modification survives a reboot, it just doesn't feel right...

Best regards,
Kapitein Haak."

Can I ask how you installed the intermediate certificate on the server?
Thank you.