How to generate custom SSL certificates
From SynologyWiki
Based on DS-106 firmware 2.0.3 - 0462 (confirmed working on Firmware 518)
Note: You will need the Apache and OpenSSL ipkg packages if your firmware doesn't have SSL enabled. Second note: This post doesn't explain how to copy files to and from the Synology unit, how to enable telnet, or how to install Apache and OpenSSL; that's not its purpose. Tip: Make sure the time is set correctly on your syno box, or you'll have to wait 8 hours for the certificate to become valid! Commands are in bold text. This will create a Version 1 certificate. Please read the post in its entirety.
WARNING - Neither I nor Synology take any responsibility if you modify your system with this modification.
You'll need an openssl.cnf in order to generate your certificates, even if you intend to type the certificate information at the openssl prompts rather than take it from openssl.cnf: openssl will error out if this file is not present. For those who have SSL-enabled firmware, I have provided an openssl.cnf for you to use. This file must be placed in /usr/syno/ssl; you will need to create the ssl directory, since it's not there. http://www.gateway-1.homedns.org/synology/openssl.cnf - right-click and "Save as" to download this file.
- Telnet to your syno box. You should be in the /root/ directory by default; if not, change to /root/, which we'll use as the working directory for generating our SSL certificates.
We'll need to generate a Certificate Authority key first.
- openssl genrsa -des3 -out ca.key 1024
The command above will create your CA key with 1024 bits; don't use anything higher. The -des3 option protects the key with a pass phrase. If you don't want to use a pass phrase, just remove it from the command.
Next, we need to generate a Certificate Signing Request.
Special note on creating your Certificate Authority certificate: when prompted for the Common Name, don't use the server name or DNS name that you'll use later when generating the certificate for the server. What I used for the Common Name is Diskstation <MAC address, without the colons>, e.g. "Diskstation 0011223344AB". For other Synology products use the product's host name and MAC address. This info is provided on the info page of your Synology unit.
- openssl req -new -key ca.key -out ca.csr
Since we'll be signing our own CA cert, we'll run the following command.
- openssl x509 -req -days 365 -in ca.csr -signkey ca.key -out ca.crt
Now we need to generate our server key and certificate.
When prompted for the Common Name of your server certificate, use your FQDN or server name, e.g. www.myweb.com.
Another option you might want to consider is a wildcard name, so that the same certificate can also be used for the FTP service, e.g. *.myweb.com. With the wildcard, both ftp.myweb.com and www.myweb.com will be valid host names and there will be no host name mismatch.
For those of you who, like me, run a Dynamic DNS service on your router, use that name as your Common Name. Make sure you have wildcards enabled.
- openssl genrsa -des3 -out server.key 1024
The command above will create your server key with 1024 bits; don't use anything higher. The -des3 option protects the key with a pass phrase. If you don't want to use a pass phrase, just remove it from the command.
- openssl req -new -key server.key -out server.csr
Finally, sign the certificate signing request (CSR) with the self-created certificate authority (CA) that you made earlier.
- openssl x509 -req -days 365 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt
Make a server.key which doesn't cause Apache to prompt for a password
Here we create an insecure version of server.key. The insecure one will be used when Apache starts, so a password will not be required on every restart of the web server. But keep in mind that while this means you don't have to type in a password when restarting Apache (or worse, coding it somewhere in plain text), it also means that anyone who obtains this insecure key will be able to decrypt your transmissions. Guard its permissions VERY carefully.
- openssl rsa -in server.key -out server.key.insecure
- mv server.key server.key.secure
- mv server.key.insecure server.key
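The whole procedure from the CA key down to the pass-phrase-free server.key, as an added example that is not part of the original wiki post: it runs the same openssl commands non-interactively (the -subj and -passin/-passout options stand in for the prompts), then checks the result the way a practitioner would before copying anything onto the NAS: the server certificate must verify against ca.crt, its name must cover the hosts Apache and FTP will serve, and the stripped key must still belong to the certificate. Assumptions: openssl 1.1.0 or newer is on the PATH, and the Common Names, pass phrases and scratch directory are constructed for this example. It uses 2048-bit keys rather than the page's 1024, since 1024-bit RSA has been deprecated for new signatures since 2013.

```shell
#!/bin/sh
# Added example, not from the SynologyWiki page. Assumes openssl >= 1.1.0 on PATH.
# All names, pass phrases and directories below are constructed for this demo.
set -eu

CA_CN="Diskstation 0011223344AB"        # page's convention: product name + MAC, no colons
SERVER_CN="*.myweb.com"                 # wildcard so www. and ftp. both match
CA_PASS="example-ca-passphrase"         # stands in for the -des3 prompt (constructed)
SERVER_PASS="example-server-passphrase" # constructed
DAYS=365
KEY_BITS=2048                           # the page uses 1024; current guidance rejects it

# Step 1: pass-phrase protected CA key, CSR, and self-signed CA certificate.
make_ca() {
    dir=$1
    openssl genrsa -des3 -passout "pass:$CA_PASS" -out "$dir/ca.key" $KEY_BITS 2>/dev/null
    openssl req -new -key "$dir/ca.key" -passin "pass:$CA_PASS" \
        -subj "/CN=$CA_CN" -out "$dir/ca.csr"
    openssl x509 -req -days $DAYS -in "$dir/ca.csr" \
        -signkey "$dir/ca.key" -passin "pass:$CA_PASS" -out "$dir/ca.crt" 2>/dev/null
}

# Step 2: server key and CSR, signed by the CA above with serial 01 as on the page.
make_server_cert() {
    dir=$1
    openssl genrsa -des3 -passout "pass:$SERVER_PASS" -out "$dir/server.key" $KEY_BITS 2>/dev/null
    openssl req -new -key "$dir/server.key" -passin "pass:$SERVER_PASS" \
        -subj "/CN=$SERVER_CN" -out "$dir/server.csr"
    openssl x509 -req -days $DAYS -in "$dir/server.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -passin "pass:$CA_PASS" \
        -set_serial 01 -out "$dir/server.crt" 2>/dev/null
}

# Step 3: unencrypted copy of the server key so Apache can start unattended.
# The plaintext key protects every TLS session, so it is created owner-only.
strip_passphrase() {
    dir=$1
    umask 077
    openssl rsa -in "$dir/server.key" -passin "pass:$SERVER_PASS" \
        -out "$dir/server.key.insecure" 2>/dev/null
    mv "$dir/server.key" "$dir/server.key.secure"
    mv "$dir/server.key.insecure" "$dir/server.key"
    chmod 600 "$dir/server.key"
}

# Does server.crt chain to ca.crt, and does its name cover the given host?
# Fails (non-zero) on a host the wildcard does not cover: the mismatch the post describes.
check_chain() {
    dir=$1; host=$2
    openssl verify -CAfile "$dir/ca.crt" -verify_hostname "$host" "$dir/server.crt" >/dev/null
}

# Does the (now unencrypted) server.key carry the public key embedded in server.crt?
key_matches_cert() {
    dir=$1
    [ "$(openssl x509 -noout -pubkey -in "$dir/server.crt")" = \
      "$(openssl rsa -in "$dir/server.key" -pubout 2>/dev/null)" ]
}

run_all() {
    dir=$1
    make_ca "$dir"
    make_server_cert "$dir"
    strip_passphrase "$dir"
}

# Stand-alone use: build everything in a scratch directory and report the checks.
if [ "${1:-}" = "--demo" ]; then
    WORK=$(mktemp -d)
    run_all "$WORK"
    check_chain "$WORK" www.myweb.com && echo "www.myweb.com: chain OK"
    check_chain "$WORK" ftp.myweb.com && echo "ftp.myweb.com: chain OK"
    key_matches_cert "$WORK" && echo "server.key matches server.crt"
    echo "files written to $WORK"
fi
```

Save it as a script and run it with --demo; server.key.secure keeps the pass-phrase protected original, and server.key is the copy Apache will load, which is why the script creates it with mode 600.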
For safety, I would back up your current CSRs, KEYs and CRTs before copying over them. I would just make an in-place backup copy of the current files with a .bak extension, just in case things don't work out.
Note that all the files you will need to move over are in your root directory. Just find your current ones and replace them.
The following file locations are based on DS-106 firmware version 2.0.3 - 0462.
SSLCertificateFile /usr/syno/etc/ssl/ssl.crt/ca.crt /usr/syno/etc/ssl/ssl.crt/server.crt
SSLCertificateCSRFile /usr/syno/etc/ssl/ssl.csr/ca.csr /usr/syno/etc/ssl/ssl.csr/server.csr
SSLCertificateKeyFile /usr/syno/etc/ssl/ssl.key/ca.key /usr/syno/etc/ssl/ssl.key/server.key
When you restart your syno box and are able to connect to the web UI, you should be good to go. Remember to wait a few minutes, since it may take 2 or 3 minutes for your syno box to boot up; give it some extra time. Go take a well-deserved break. If by chance Apache fails to start, telnet back in and restore your backup copies.
- If you got this far and everything is A-OK, copy your ca.crt to your workstation and import the certificate.
I hope that this post will help you as it did me.
Final Thought: This is just one example. There are many more examples you can find on the internet.
Please reply to this post on success and failures.
Net...
