ReadyNAS Duo V2

Software

 

SSL Certificate (example using CAcert)

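You then have to download the CAcert root certificate from http://www.cacert.org/certs/class3.crt. Just use wget to save it into /etc/ssl on your NAS. The download uses plain HTTP, so check the certificate's fingerprint against the one published on the CAcert website before relying on it: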

cd /etc/ssl
wget http://www.cacert.org/certs/class3.crt

A well-documented config file for OpenSSL exists in /etc/ssl/openssl.cnf. You have to change some entries in this file to correct the paths and filenames used. Open the file with vi and change the lines marked with >>> to:

[ CA_default ]
>>>dir             = /etc/ssl         # Where everything is kept
certs           = $dir/certs            # Where the issued certs are kept
crl_dir         = $dir/crl              # Where the issued crl are kept
database        = $dir/index.txt        # database index file.
new_certs_dir   = $dir/newcerts         # default place for new certs.

>>>certificate     = $dir/class3.crt       # The CA certificate
serial          = $dir/serial           # The current serial number
#crlnumber      = $dir/crlnumber        # the current crl number must be

crl             = $dir/crl.pem          # The current CRL
>>>private_key     = $dir/private/ReadyNAS_caCertwithoutPW.pem # The private key
RANDFILE        = $dir/private/.rand    # private random number file

x509_extensions = usr_cert              # The extentions to add to the cert

# Comment out the following two lines for the "traditional"
# (and highly broken) format.
>>>#name_opt        = ca_default            # Subject Name options
>>>#cert_opt        = ca_default            # Certificate field options

# Extension copying option: use with caution.
# copy_extensions = copy

The next step is to create a private key for the NAS. Type in

openssl genrsa -des3 -out private/ReadyNAS_caCert.pem 1024

to create it in the directory /etc/ssl/private. You will be asked for a passphrase; remember it! Note that 1024-bit RSA is no longer considered adequate; current guidance is at least 2048 bits.

So that Apache on the NAS can later use the certificate without anyone having to enter the passphrase, write out a copy of the private key without passphrase protection:

openssl rsa -in private/ReadyNAS_caCert.pem -out private/ReadyNAS_caCertwithoutPW.pem

Now we are ready to create the request for the certificate:

openssl req -new -key private/ReadyNAS_caCertwithoutPW.pem -out ReadyNASReq.pem

You will have to answer some questions; a template for them is in the config file /etc/ssl/openssl.cnf. If you are unsure about any of them, have a look at this well-documented file.

The previous step created a request file in /etc/ssl. Copy the content of this file and paste it into the corresponding form on the CAcert website. The site will respond with the content of the certificate. Copy that text and save it to the file /etc/ssl/certs/ReadyNASCert.pem.

We don’t want to change anything in the Apache configuration (ok, I don’t want to explain how to do this, so we use an easier way… 8) ).
Apache on the NAS reads the SSL certificate and private key from a combined file, /etc/frontview/apache/apache.pem. Make a backup of this file, then fill the new file with the content of your private key first, followed by the content of the newly created certificate. After saving and leaving vi by typing “:wq”, restart Apache:

mv /etc/frontview/apache/apache.pem /etc/frontview/apache/apache.pem.orig
vi /etc/frontview/apache/apache.pem
killall apache-ssl
/usr/sbin/apache-ssl -f /etc/frontview/apache/httpd.conf
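
The combined file can also be assembled and checked by script instead of pasting in vi. The following is an added example, not part of the original how-to; the function names are hypothetical. It goes slightly beyond the steps above by refusing a key that does not belong to the certificate or is still passphrase-protected, and by creating the file readable by its owner only.

```shell
# Added example: hypothetical helper names, not part of the original how-to.

# Succeeds when the private key and the certificate carry the same RSA modulus.
key_matches_cert() {
    k=$(openssl rsa -in "$1" -passin pass: -noout -modulus 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -modulus 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Succeeds when the file holds an unencrypted private key block followed by
# a certificate block, the order the how-to describes for apache.pem.
pem_order_ok() {
    awk '
        /^-----BEGIN ENCRYPTED PRIVATE KEY-----/ { bad = 1 }
        /^Proc-Type: 4,ENCRYPTED/                { bad = 1 }
        /^-----BEGIN .*PRIVATE KEY-----/         { if (!key) key = NR }
        /^-----BEGIN CERTIFICATE-----/           { if (!crt) crt = NR }
        END { exit !(key && crt && key < crt && !bad) }
    ' "$1"
}

# Writes key + certificate to $3 with owner-only permissions; the target is
# replaced only after every check has passed.
build_combined_pem() {
    key_matches_cert "$1" "$2" || { echo "key and certificate do not match" >&2; return 1; }
    ( umask 077 && cat "$1" "$2" > "$3.new" ) || return 1
    pem_order_ok "$3.new" || { rm -f "$3.new"; echo "unexpected PEM layout" >&2; return 1; }
    mv "$3.new" "$3"
}

# Usage on the NAS (paths from the how-to above):
#   cd /etc/ssl
#   cp -p /etc/frontview/apache/apache.pem /etc/frontview/apache/apache.pem.orig
#   build_combined_pem private/ReadyNAS_caCertwithoutPW.pem certs/ReadyNASCert.pem \
#       /etc/frontview/apache/apache.pem
```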

original forum post