Sunday, April 3, 2011

Replacing self-signed certificate on Synology Disk Station running DSM 3.x with a StartSSL certificate using command line (advanced)

Introduction
I love my Synology Disk Station, but I have been wanting to replace the self-signed certificate with a certificate from a widely trusted Certificate Authority for a long time.

Unfortunately, even with DSM version 3.0, there is still no way to do this through the web interface. I seem to stand corrected: at Control Panel/Web Services/HTTP Service Options there is actually an "Import Certificate" button. I haven't tried it myself, but it looks like it is possible after all. On the bright side, I gathered a lot of knowledge setting this up through the command line :-).

Through Googling, trial and error, I managed to replace the self-signed certificate with a free, validated certificate from StartSSL.

I am now better protected against man-in-the-middle attacks, as I am presented with a validated certificate from a trusted source, rather than a self-signed certificate which I must choose to trust each time I connect.

The usual disclaimer: I am by no means a *nix wiz. Since this was not as straightforward as it should have been, I decided to post the steps so other people can benefit from it. Use any of the information here to your heart's content, but do not blame me if something goes horribly wrong.

Any corrections, suggestions and other feedback are well appreciated.

Preparation
Ensure telnet/SSH access to the Disk Station is enabled and log in as root, e.g. using PuTTY (prefer SSH: telnet sends the root password over the network in clear text).

DSM 3.0 seems to be missing the openssl.cnf file, which is expected at /usr/syno/ssl/openssl.cnf.

Download the source tarball for the version of OpenSSL you are running from http://www.openssl.org/source/, then extract openssl.cnf from the apps/ directory in the tarball to a directory on your Synology, e.g. /volume1/share/.

To check your version of OpenSSL:
openssl version
My DS207+ running DSM 3.0 has OpenSSL 1.0.0a (1 Jun 2010).

Update: After upgrading my DS207+ to DSM 3.1 (build 1636), I'm now on OpenSSL 1.0.0c (2 Dec 2010). My DS108j running DSM 3.1 (build 1748) is running OpenSSL 1.0.0d (8 Feb 2011).

Create the directory /usr/syno/ssl and copy openssl.cnf to it:
mkdir /usr/syno/ssl/
cp /volume1/share/openssl.cnf /usr/syno/ssl/
Next, create a temporary working folder (e.g. /usr/local/ssl/) and change into it:
mkdir /usr/local/ssl
cd /usr/local/ssl

Generating the private key and certificate request
Now create a new private key for encryption of the SSL session. OpenSSL will force you to protect the key with a password:
openssl genrsa -out server.protected.key 2048
The password protection must be removed, before the key can be used by the web interface:
openssl rsa -in server.protected.key -out server.key
Create a certificate request (CSR) based on the new key:
openssl req -new -key server.key -out server.csr
You do not necessarily have to enter all details; it depends on what your certificate provider requires. The most important field is the "Common Name", which must exactly match the DNS name used to access the Synology, e.g. mysynology.dyndns.org.

With class 1 validated certificates, much of the information you can enter into the request is often discarded by the certificate provider. StartSSL, for example, discards all information from the CSR except the public key; of the subject fields, only country and common name (CN) end up being used.

Depending on your certificate provider's request procedure, either upload the server.csr file or copy the contents of the file and paste them into the provider's website when prompted.

To output the contents:
cat server.csr
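As an added example (not code from the original post), the key and CSR steps above as a script that avoids the interactive prompts and checks the CSR before it is uploaded: the CN is compared with the hostname the post says it must match, and the modulus in the CSR is compared with the private key's. It assumes openssl is on PATH and can find its openssl.cnf (DSM 3.x looks in /usr/syno/ssl; the OPENSSL_CONF variable overrides that location); the file names, the /C=DK default and the make_request function are this example's own choices.

```shell
#!/bin/sh
# Added example, not from the original post: generate the server key and
# CSR non-interactively and check the CSR before uploading it to the CA.
# Assumptions: openssl on PATH and able to find its openssl.cnf (DSM 3.x
# expects /usr/syno/ssl/openssl.cnf; OPENSSL_CONF overrides that); the
# file names and the /C=DK default are this example's choices.
set -eu

# Write an unencrypted 2048-bit RSA key. genrsa only asks for a passphrase
# when a cipher flag such as -des3 is given, so the "remove the password"
# step is not needed; the umask keeps the key readable by root only.
gen_key() {                      # gen_key <keyfile>
    (umask 077 && openssl genrsa -out "$1" 2048 2>/dev/null)
}

# Build the CSR with -subj instead of answering prompts. CN must be the
# DNS name clients use; class 1 CAs ignore most of the other fields.
gen_csr() {                      # gen_csr <keyfile> <csrfile> <hostname> [country]
    openssl req -new -key "$1" -out "$2" -subj "/C=${4:-DK}/CN=$3"
}

# Print the CN from a CSR. The sed handles both the old "/C=DK/CN=host"
# and the newer "C = DK, CN = host" subject formats.
csr_cn() {                       # csr_cn <csrfile>
    openssl req -noout -subject -in "$1" |
        sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# Succeed only if the CSR's public key belongs to the given private key
# (compares the RSA modulus of both; an unreadable file is a failure,
# not a match of two empty strings).
csr_matches_key() {              # csr_matches_key <keyfile> <csrfile>
    k=$(openssl rsa -noout -modulus -in "$1") || return 1
    r=$(openssl req -noout -modulus -in "$2") || return 1
    [ -n "$k" ] && [ "$k" = "$r" ]
}

# Generate both files and refuse to continue if the CN or key is wrong;
# on success print the CSR, which is what the CA's form asks for.
make_request() {                 # make_request <workdir> <hostname>
    gen_key "$1/server.key"
    gen_csr "$1/server.key" "$1/server.csr" "$2"
    [ "$(csr_cn "$1/server.csr")" = "$2" ] || { echo "CN mismatch" >&2; return 1; }
    csr_matches_key "$1/server.key" "$1/server.csr" || { echo "key mismatch" >&2; return 1; }
    cat "$1/server.csr"
}

# Usage on the Disk Station: sh make_request.sh /usr/local/ssl mysynology.dyndns.org
if [ $# -eq 2 ]; then
    make_request "$1" "$2"
fi
```

Because the key is written without a passphrase from the start, the separate `openssl rsa` step that strips it is unnecessary; the trade-off is that the key file's protection is entirely its file mode, which is why the umask is set before it is created.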

Installing the files
  • Save the issued certificate to a directory on the Synology, e.g. /volume1/share/server.crt
  • Copy the certificate to the working folder created:
    cp /volume1/share/server.crt /usr/local/ssl
  • Change into the Synology certificate folder
    cd /usr/syno/etc/ssl
  • Make a backup folder for the old files:
    mkdir bak
  • Copy the old files into the backup folder:
    cp -r ssl.crt bak
    cp -r ssl.csr bak
    cp -r ssl.key bak
  • Remove the self-signed CA certificate and associated files:
    rm ssl.crt/ca.crt
    rm ssl.csr/ca.csr
    rm ssl.key/ca.key
  • Move the new files into the current folder:
    mv /usr/local/ssl/server.crt ssl.crt
    mv /usr/local/ssl/server.csr ssl.csr
    mv /usr/local/ssl/server.key ssl.key
  • Restart your Synology Station:
    reboot
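The installation steps above as a script, added here as an example and not taken from the original post: before anything in /usr/syno/etc/ssl is touched, the issued certificate is checked against the private key, against the expected hostname and for expiry, then the three folders are backed up, the old ca.* files removed and the new files moved into place with the key restricted to root. It assumes the DSM 3.x layout described above (ssl.crt, ssl.csr and ssl.key under one directory), openssl on PATH, and takes the directories as arguments so it can be rehearsed on a scratch copy first; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post: verify the issued certificate
# against the key and hostname, back up the DSM certificate folders and
# move the new files into place. Assumptions: the DSM 3.x layout
# /usr/syno/etc/ssl/{ssl.crt,ssl.csr,ssl.key} described in the post,
# openssl on PATH, directories passed as arguments.
set -eu

# Succeed only if the certificate's public key matches the private key
# (compares the RSA modulus of both). A mismatch here means the web
# interface would come back up after the reboot without a usable cert.
cert_matches_key() {             # cert_matches_key <certfile> <keyfile>
    c=$(openssl x509 -noout -modulus -in "$1") || return 1
    k=$(openssl rsa -noout -modulus -in "$2") || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Print the certificate's subject CN (old "/CN=host" and new "CN = host"
# subject formats both handled).
cert_cn() {                      # cert_cn <certfile>
    openssl x509 -noout -subject -in "$1" |
        sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# Succeed only if the certificate has not already passed its notAfter date.
cert_not_expired() {             # cert_not_expired <certfile>
    openssl x509 -noout -checkend 0 -in "$1" >/dev/null
}

# Copy ssl.crt/ssl.csr/ssl.key into a timestamped backup, drop the old
# self-signed ca.* files as the post does, move the new files in and
# restrict the key's permissions. Prints the backup directory.
backup_and_install() {           # backup_and_install <ssldir> <workdir>
    ssldir=$1; workdir=$2
    bak="$ssldir/bak.$(date +%Y%m%d%H%M%S)"
    mkdir -p "$bak"
    for d in ssl.crt ssl.csr ssl.key; do
        if [ -d "$ssldir/$d" ]; then cp -r "$ssldir/$d" "$bak/"; fi
    done
    rm -f "$ssldir/ssl.crt/ca.crt" "$ssldir/ssl.csr/ca.csr" "$ssldir/ssl.key/ca.key"
    mv "$workdir/server.crt" "$ssldir/ssl.crt/server.crt"
    mv "$workdir/server.csr" "$ssldir/ssl.csr/server.csr"
    mv "$workdir/server.key" "$ssldir/ssl.key/server.key"
    chmod 600 "$ssldir/ssl.key/server.key"
    echo "$bak"
}

# Run every check before touching the live folder; the reboot from the
# post is left to the operator once this has succeeded.
install_cert() {                 # install_cert <ssldir> <workdir> <hostname>
    cert_matches_key "$2/server.crt" "$2/server.key" || { echo "certificate does not match key" >&2; return 1; }
    [ "$(cert_cn "$2/server.crt")" = "$3" ] || { echo "certificate CN is not $3" >&2; return 1; }
    cert_not_expired "$2/server.crt" || { echo "certificate has expired" >&2; return 1; }
    backup_and_install "$1" "$2"
}

# Usage on the Disk Station:
#   sh install_cert.sh /usr/syno/etc/ssl /usr/local/ssl mysynology.dyndns.org && reboot
if [ $# -eq 3 ]; then
    install_cert "$1" "$2" "$3"
fi
```

The backup directory name carries a timestamp so a second run (for example at renewal time) does not overwrite the copy made by the first; to roll back, copy the three folders out of the backup directory and reboot again.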

Thanks to

4 comments:

  1. No point? It's been proven that the government can see everything with their supercomputers.

    No regular user can type this stuff in the terminal let alone find this post.

    Only thing this does is remove the Red screen of death from our browsers haha!

    Thx for trying

  2. This post was very helpful in understanding the Synology better. I've been trying to install a 3rd party trusted SSL on my DS710+ for days and I must be missing something. I understand there is a key, a certificate, and a CSR, but the Synology uses a GUI to "import" these. So my question is: do I still need to use the command line via SSH to create the key? So, do we use the GUI "or" the cmd line, or both, to get the job done? Thanks again for this post.

    Replies
    1. Hmm, would have thought Blogger would somehow notify me about new comments, but it didn't.

      I haven't used the GUI for importing certificates, but my certificates from StartSSL are up for renewal within a week or two, so I can try the GUI method instead and see how it goes.

  3. Too bad StartSSL doesn't support validating sub-domains anymore.
