Last active
December 18, 2024 21:18
Revisions
-
xirkus revised this gist
Oct 28, 2020 . 1 changed file with 5 additions and 1 deletion.There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -93,4 +93,8 @@ Follow the instructions above to create a new self-signed certificate. We will b # Caveats - The DSM does _NOT_ allow you to specify the certificate `Validity Period` for the root certificate/orignal cert. Strangely, it does allow you to specify it when using the `CSR` functionality. # TODO - [ ] provide the `openssl` command to generate the CSR -
Oct 28, 2020 . 1 changed file with 4 additions and 0 deletions.There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -90,3 +90,7 @@ Follow the instructions above to create a new self-signed certificate. We will b 1. **Download the signed certificate.** 1. **Import the `cert.pem` into Keychain Manager. Because this certificate was signed by the root certificate already granted `Trust`, this certificate should JUST WORK (fingers crossed).** # Caveats - The DSM does _NOT_ allow you to specify the certificate -
Oct 28, 2020 . 1 changed file with 1 addition and 1 deletion.There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -89,4 +89,4 @@ Follow the instructions above to create a new self-signed certificate. We will b 1. **Download the signed certificate.** 1. **Import the `cert.pem` into Keychain Manager. Because this certificate was signed by the root certificate already granted `Trust`, this certificate should JUST WORK (fingers crossed).** -
Oct 28, 2020 . 1 changed file with 3 additions and 3 deletions.There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -75,15 +75,15 @@ Follow the instructions above to create a new self-signed certificate. We will b ## Use the DSM CSR functionality to sign the new certificate 1. **Navigate to `Control Panel` -> `Security` -> `Certificates` on the DSM and click the `CSR` button.** 1. **In the `Create certificate` dialog box, select the `Sign certificate signing request` option and click `Next`.**  > **NOTE:** Ensure that you use the correct certificate root you generated previously to ensure that the new certificaate is associated with this self-signed CA. 1. **Upload the CSR generated via `openssl` in the previous step. Ensure that the `Subject Alternative Name` matches the local non-FQDN name of the server you are associating with this certificate.**  -
Oct 28, 2020 . 1 changed file with 25 additions and 1 deletion.There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -61,8 +61,32 @@ Usually, when you add network devices to your personal private network, they are # Generate another certificate using the previously generated Diskstation root certificate You can use this procedure to create SSL certificates for other machines on your network. ## Generate another certificate Follow the instructions above to create a new self-signed certificate. We will be reusing the original the _ORIGINAL_ generated root certificate (`syno-ca-cert.pem`) and private key (`syno-ca-privkey.pem`) to create a **certificate signing request (CSR)** for this new certificate. ## Create a certificate signing request for the generated cert ```sh % openssl ``` ## Use the DSM CSR functionality to sign the new certificate 1. **Navigate to `Control Panel` -> `Security` -> `Certificates` on the DSM and click the `CSR` button. 1. **In the `Create certificate` dialog box, select the `Sign certificate signing request` option and click `Next`.  > **NOTE:** Ensure that you use the correct certificate root you generated previously to ensure that the new certificaate is associated with this self-signed CA. 1. **Upload the CSR generated via `openssl` in the previous step. Ensure that the `Subject Alternative Name` matches the local non-FQDN name of the server you are associating with this certificate.  1. **Download the signed certificate.** 1. **Import the `cert.pem` into Keychain Manager. Because this certificate was signed by the root certificate already granted `Trust`, this certificate should JUST WORK. -
Oct 28, 2020 . 1 changed file with 11 additions and 7 deletions.There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -40,25 +40,29 @@ Usually, when you add network devices to your personal private network, they are - `syno-ca-cert.pem`- The public key for the generated root certificate - `privkey.pem` - The private key for the generated server certificate (which matches the `Subject Alternative Name`/local non-FQDN) - `cert.pem` - The public key for the generated server certificate (which matches the `Subject Alternative Name`/local non-FQDN) ## In MacOS/OSX use Keychain Access to import the certificates 1. **Import the `syno-ca-cert.pem` public key (either by clicking on it or using the `Import Items` option in Keychain Manager.** > **NOTE:** You will be asked to provide your administrative password as these items are being added to the machine's keystore. _These should be stored in the `System` Keychain._ ### Grant the root certificate `Always Trust` privileges 1. **The `syno-ca-cert.pem` is the self-signed root certificate responsible for being the certificate authority for additional certificates. Trusting this certificate means that additional certs which use this as their CA will _automatically_ be trusted.** 1. **To set this to `Always Trust`, select the root certificate in the Keychain Manager and right-click to `Get Info`. This should bring up a dialog box. Note that there are two sections - `Trust` and `Details`. Expand the `Trust` section and in the `when using this certificate` field, select `Always Trust`.**  ### Import the associated SSL certificate for the Diskstation 1. **The `cert.pem` is the self-signed server certificate that can be used to establish `https` connections to the machine. Follow the import procedure you used for the root certificate. Unlike the root certificate, you will _NOT_ need to set the `Trust` on this certificate explicitly as it will be inherited from the root certificate previously configured.** # Generate another certificate using the previously generated Diskstation root certificate ## Generate another certificate ## Create a certificate signing request for the generated cert ## Use the CSR functionality to sign the certificate with the original generated root certificate -
Oct 28, 2020 . 1 changed file with 2 additions and 2 deletions.There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -30,11 +30,11 @@ Usually, when you add network devices to your personal private network, they are # Download the generated certificates and import them into your certificate manager. 1. **Right click on the new certificate and choose the `Export certificate` option. This will download all of the certificates into an `archive.zip` file.**  1. **Unpack the `archive.zip` file. This should contain the following files:** - `syno-ca-privkey.pem` - The private key for the generated root certificaate - `syno-ca-cert.pem`- The public key for the generated root certificate -
Oct 28, 2020 . 1 changed file with 14 additions and 1 deletion.There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -30,7 +30,20 @@ Usually, when you add network devices to your personal private network, they are # Download the generated certificates and import them into your certificate manager. 1. **Right click on the new certificate and choose the `Export certificate` option. This will download all of the certificates into an `archive.zip` file.  1. **Unpack the `archive.zip` file. This should contain the following files: - `syno-ca-privkey.pem` - The private key for the generated root certificaate - `syno-ca-cert.pem`- The public key for the generated root certificate - `privkey.pem` - The private key for the generated server certificate (which matches the `Subject Alternative Name`/local non-FQDN) - `cert.pem` - The public key for the generated server certificate (which matches the `Subject Alternative Name`/local non-FQDN) ## In MacOS/OSX use Keychain Access to import the certificates ### Grant the root certificate `Always Trust` privileges -
Oct 28, 2020 . 1 changed file with 3 additions and 0 deletions.There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -15,12 +15,15 @@ Usually, when you add network devices to your personal private network, they are  1. **Fill in the `Description` (something which identifies this local cert). Choose the `Create self-signed certificate` option and click `Next`.**  1. **Fill in the root certificate details and click `Next`.**  1. **Specify the `Subject Alternative Name` which should match the local non-FQDN name of the machine on your network. Click `Next`.**  > **WARNING:** The certificate _MUST_ have a `Subject Alternative Name` which matches the the local non-FQDN name or Chrome (not Firefox) will show an insecure connection when access this machine although https is being used. -
Oct 28, 2020 . 1 changed file with 9 additions and 4 deletions.There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -10,13 +10,18 @@ Usually, when you add network devices to your personal private network, they are 1. **Navigate to `Control Panel` -> `Security` -> `Certificates`.**  1. **Click on `Add`. This should bring up the `Create certificate` dialog. Choose `Add a new certificate` and click `Next`.**  1. **Fill in the `Description` (something which identifies this local cert). Choose the `Create self-signed certificate` option and click `Next`.**  1. **Fill in the root certificate details and click `Next`.**  1. **Specify the `Subject Alternative Name` which should match the local non-FQDN name of the machine on your network. Click `Next`.**  > **WARNING:** The certificate _MUST_ have a `Subject Alternative Name` which matches the the local non-FQDN name or Chrome (not Firefox) will show an insecure connection when access this machine although https is being used. -
Oct 28, 2020 . 1 changed file with 8 additions and 1 deletion.There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -10,8 +10,15 @@ Usually, when you add network devices to your personal private network, they are 1. **Navigate to `Control Panel` -> `Security` -> `Certificates`.**  1. **Click on `Add`. This should bring up the `Create certificate` dialog. Choose `Add a new certificate` and click `Next`.**  1. **Fill in the `Description` (something which identifies this local cert). Choose the `Create self-signed certificate` option and click `Next`.**  1. **Fill in the root certificate details and click `Next`.**  1. **Specify the `Subject Alternative Name` which should match the local non-FQDN name of the machine on your network. Click `Next`.**  > **WARNING:** The certificate _MUST_ have a `Subject Alternative Name` which matches the the local non-FQDN name or Chrome (not Firefox) will show an insecure connection when access this machine although https is being used. # Download the generated certificates and import them into your certificate manager. -
Oct 28, 2020 . 1 changed file with 3 additions and 2 deletions.There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -8,9 +8,10 @@ Usually, when you add network devices to your personal private network, they are # Generate the Certificate on the Diskstation 1. **Navigate to `Control Panel` -> `Security` -> `Certificates`.**  1. **Click on `Add`. This should bring up the `Add Certificate` dialog. # Download the generated certificates and import them into your certificate manager. -
Oct 28, 2020 . 1 changed file with 2 additions and 1 deletion.There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -8,8 +8,9 @@ Usually, when you add network devices to your personal private network, they are # Generate the Certificate on the Diskstation 1. **Navigate to Security -> Certificates.**  1. # Download the generated certificates and import them into your certificate manager. -
Oct 28, 2020 . 1 changed file with 3 additions and 0 deletions.There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -8,6 +8,9 @@ Usually, when you add network devices to your personal private network, they are # Generate the Certificate on the Diskstation 1.  # Download the generated certificates and import them into your certificate manager. ## In MacOS/OSX using Keychain Access -
Oct 19, 2020 . 1 changed file with 21 additions and 3 deletions.There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -1,12 +1,30 @@ It's possible to use a Synology Diskstation's Certificate generation functionality to create a set of privately scoped (non-FQDN) self-signed SSL certificates that you can use to provision internal network services so that connecting to them does not cause your browser to throw warning messages (or in the case of Chrome, prevent you from connecting at all). # Rationale Usually, when you add network devices to your personal private network, they are refereneced by IP addresses as naming requires either maintaining individual host files on each machine or setting up DNS. The first is pretty cumbersome; the second seems like overkill (unless you're a masochist, which I have been in the past). As an alternative, I considered using locally scoped names associated with fixed IPs associated via a light-weight DNS resolver (in my case, using `unbound` running on my Raspberry Pi with Pi-Hole). **WARNING: This is clearly a *HACK* and is not intended to be used for production environments. If you need full SSL certificates on your internal network, you'll need to configure split-horizon DNS with a FQDNs and a certificate provider (probably LetsEncrypt if you're trying to do this for free, which Diskstation supports).** # Generate the Certificate on the Diskstation # Download the generated certificates and import them into your certificate manager. ## In MacOS/OSX using Keychain Access ### Grant the root certificate `Always Trust` privileges ### Import the associated SSL certificate for the Diskstation # Generate another certificate using the previously generated Diskstation root certificate ## Generate another certificate ## Create a certificate signing request for the generated cert ## Use the CSR functionality to sign the certificate with the original generated root certificate > **WARNING:** Do **NOT** forget to specify the Subject Altnerative Name as Chrome will not see the certificate as valid without this. -
Oct 19, 2020 .There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -0,0 +1,13 @@ It's possible to use a Synology Diskstation's Certificate generation functionality to create a set of privately scoped self-signed SSL certificates that you can use to provision internal network services so that connecting to them does not cause your browser to throw warning messages (or in the case of Chrome, prevent you from connecting at all). # Rationale Usually, when you add network devices to your personal private network, they are refereneced by IP addresses as naming requires either maintaining individual host files on each machine or setting up DNS. The first is pretty cumbersome; the second seems like overkill (unless you're a masochist, which I have been in the past). As an alternative, I considered using locally scoped names associated with fixed IPs associated via a light-weight DNS resolver (in my case, **WARNING: This is clearly a *HACK* and is not intended to be used for production environments. If you need full SSL certificates on your internal network, you'll need to configure split-horizon DNS with a fully qualified domain name (FQDN) and a certificate provider (probably LetsEncrypt if you're trying to do this for free).**