Tuesday, 29 April 2014

Secure your NAS with a trusted certificate

With all the security buzz around Heartbleed I decided to secure my QNAP NAS just a little more, so I reconfigured it to only allow SSL connections.

However, because I have a twisted mind, I just couldn’t live with the browser complaints about using a non-trusted certificate… I had a quest… :)

Step 1: Buy yourself a certificate

Since I was not willing to pay a lot of money to fulfil my needs I ended up at [SSLs.com](https://www.ssls.com/) where I could buy a certificate for only $4.99 a year.

So I bought myself a certificate.

Note: There is only one thing you have to know before you buy a certificate: you need an approver email linked to the domain that you use for your certificate. Most often this means that you will be the domain owner for the domain linked to your certificate.

Here’s an example: if you want to buy a certificate for qnap.example.com the approver email has to be one of the following:

  • admin@example.com
  • administrator@example.com
  • hostmaster@example.com
  • postmaster@example.com
  • webmaster@example.com

If you have access to the approver email you can just go on and buy yourself a certificate.

Step 2: Get your keys

The next step is to generate a private key and a Certificate Signing Request (CSR). The easiest way to do this is with openssl.

    openssl req -nodes -newkey rsa:2048 -keyout qnap.key -out qnap.csr

This command produces two files:

  • qnap.key: your private key (as the name says, keep it private!)
  • qnap.csr: your Certificate Signing Request

Step 3: Activate your certificate

Activate your certificate by submitting your CSR at the merchant where you bought your certificate.

  • To copy your CSR to the clipboard (pbcopy is the macOS clipboard tool):

    pbcopy < qnap.csr

Step 4: Add your trusted certificate to your NAS

Once you’ve submitted your CSR you’ll get two new certificates in return: a Web Server CERTIFICATE and an INTERMEDIATE CA.

All that is left to do is to add the certificate to your QNAP NAS.

    ssh admin@qnap.host

    vim /etc/stunnel/stunnel.pem

Note: you can find a cheat sheet on how to use vim here.

Add your certificates and key like this:

  • First your private key
  • Secondly your Web Server CERTIFICATE
  • Then your INTERMEDIATE CA

    -----BEGIN RSA PRIVATE KEY-----
    [characters]
    -----END RSA PRIVATE KEY-----
    -----BEGIN CERTIFICATE-----
    [characters]
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    [characters]
    -----END CERTIFICATE-----
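
A small lint you can run over the combined text before saving it as /etc/stunnel/stunnel.pem, checking the block order shown above and a few common paste mistakes. This is an added example, not part of the original post: the function names and sample blocks are constructed for illustration, and it checks structure only (it does not verify that the key matches the certificate).

```python
import base64
import re

# One PEM block: BEGIN label, body, END line carrying the same label.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)
KEY_LABELS = {"RSA PRIVATE KEY", "PRIVATE KEY", "EC PRIVATE KEY"}


def lint_stunnel_pem(text):
    """Return a list of structural problems in a combined key + chain PEM file."""
    problems = []
    blocks = PEM_BLOCK.findall(text)
    labels = [label for label, _ in blocks]
    # Every BEGIN line must belong to a complete, correctly closed block.
    if text.count("-----BEGIN ") != len(blocks):
        problems.append("unterminated or mismatched BEGIN/END pair")
    for label, body in blocks:
        # Legacy encrypted keys keep the RSA label but add a Proc-Type header.
        if "ENCRYPTED" in label or "Proc-Type: 4,ENCRYPTED" in body:
            problems.append("private key is encrypted; the page creates it with -nodes")
            continue
        try:
            base64.b64decode("".join(body.split()), validate=True)
        except ValueError:
            problems.append(f"{label}: body is not valid base64")
    if "CERTIFICATE REQUEST" in labels:
        problems.append("contains the CSR; paste the issued certificate instead")
    if not labels or labels[0] not in KEY_LABELS:
        problems.append("first block must be the unencrypted private key")
    if sum(label in KEY_LABELS for label in labels) > 1:
        problems.append("more than one private key")
    chain = labels[1:]
    if len(chain) < 2 or any(label != "CERTIFICATE" for label in chain):
        problems.append("key must be followed by server certificate, then intermediate CA")
    return problems


def pem_block(label, payload=b"constructed placeholder, not real key material"):
    body = base64.b64encode(payload).decode()
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


# Constructed samples: the page's order, and two common paste mistakes.
GOOD = pem_block("RSA PRIVATE KEY") + pem_block("CERTIFICATE") + pem_block("CERTIFICATE")
CERT_FIRST = pem_block("CERTIFICATE") + pem_block("RSA PRIVATE KEY") + pem_block("CERTIFICATE")
CSR_PASTED = pem_block("PRIVATE KEY") + pem_block("CERTIFICATE REQUEST") + pem_block("CERTIFICATE")

if __name__ == "__main__":
    for name, sample in [("GOOD", GOOD), ("CERT_FIRST", CERT_FIRST), ("CSR_PASTED", CSR_PASTED)]:
        print(name, lint_stunnel_pem(sample) or "ok")
```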

You can now safely go to: https://qnap.example.com