
QNAP SSL Management

Smart network drives are full-featured appliances. They store. They serve. They include fully functional web servers that are enabled by checking a box (or disabled by unchecking it), and SSL management is mostly easy to perform. In real life, SSL management is not knowledge anyone is born with. It’s abstract and usually explained poorly or over-explained well past the point of interest. Few people grasp the concept of SSL certificates quickly or on the first attempt at learning. Traditionally, Bob and Alice are dusted off and used to humanize concepts most people don’t really need to know just to make, install, and use SSL certificates. Bob and Alice tell a good story if you want to know how encryption works. They usually don’t explain anything about making, installing, or managing SSL certificates.

All smart network drives appear to treat SSL more directly. This is the QNAP way. In fact, QNAP offers a tutorial on how to install an SSL certificate. It’s easy to follow and might be all you need.

The QNAP instructions don’t cover what to do if you already have an SSL certificate and it’s been installed in a web server. It’s not hard to extract a copy from the web server, separate the server certificate from the private key, and then install both just as if you made them yourself. OpenSSL can do that, too.

Going Off On a Tangent

The QNAP / OpenSSL instructions give you the minimum requirements for an SSL certificate. One of the confusing things about OpenSSL is all the different explanations you get when you ask Google how others use it. As you become experienced, you realize that they all take you to the same end result; they just say it differently from each other and from me.

[April 13, 2014 Heartbleed bug update: OpenSSL has a recently discovered security bug called Heartbleed that is said to have been repaired starting with version 1.01g and above. Version 1.02 will be secure, according to articles available on the internet. The bug allows a knowledgeable attacker to read data that should have been protected by the encryption. More information is available here.]

QNAP is asking you to create a private key and a root certificate. In this instance the root certificate is also being used as the server certificate.

In real life, the company, or certificate authority, you purchase an SSL certificate from keeps their private key in a secure vault probably 100 feet underground. Their root certificate is freely distributed and is usually installed as a standard feature in Windows, Linux, and all commonly available browsers that maintain their own certificate store. (Some browsers use the PC certificate store.) The root certificate they give away validates the authenticity of the SSL certificate you purchased from them.

The QNAP way is the simplest and will work effectively, providing you distribute and install the root / server certificate to all PCs, browsers, and devices that will access the SSL features of your QNAP web server.

OpenSSL also permits you to make separate root certificates and server certificates. IIS and the Certificate Signing Request explains how to use IIS to create a CSR, or certificate signing request. The CSR is just a little file that OpenSSL (or your outside certificate authority) uses to make your SSL certificate. When you use Microsoft Internet Information Services (IIS) to make a CSR, IIS also creates your private key. This private key stays behind in IIS and is not a part of the CSR. OpenSSL uses the CSR to make your SSL certificate. Later, you import the SSL certificate into IIS (and bind it to port 443).

In simple terms, OpenSSL uses your root certificate and its private key to process the CSR, generate an SSL certificate, and sign it. The act of signing the SSL certificate associates the root certificate with the SSL certificate. This permits the PC or browser to look at the certificate store and validate the SSL certificate as genuine.

You can also export an SSL certificate from IIS and use OpenSSL to extract both the private key and the server certificate. These two files can then be imported into QNAP just as if you generated them by following the QNAP instructions. You would do this only if you already had an SSL certificate in an existing web server such as IIS and you wanted to maintain the same structures in the QNAP drive.

Making a Server Certificate and Private Key

The QNAP instructions cover this well, so it seems redundant to duplicate them in my own words. I’ll just add a little depth and include a few pictures.

There’s another site that you can download OpenSSL from. It includes the 64-bit installer. The official OpenSSL web site links to it. The ‘light’ version works well. The full version contains additional programming that’s not required for basic certificate management.

Make sure to open the command console with administrator privileges (right click, Run as administrator). Otherwise, you’ll get confusing error messages when you run OpenSSL.

When you generate the private key, use 2048, not 1024, as the key length. 2048 is the new normal for SSL. Key lengths larger than 2048 require additional computing power to use and don’t realistically improve your level of security.

When you’re generating the server certificate, the only field you need to respect completely is Common Name. This is where you enter your URL. If your DNS name is ABCXYZ_Manufacturing_INC.com, that’s what you type into Common Name.
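The generation steps above as an added script (not from the page or from QNAP), with checks that the key really is 2048 bits and that the Common Name came out as typed. It assumes openssl is on the PATH in a POSIX shell (Git Bash works on Windows), nas.example.com stands in for your own DNS name, and the output directory is a constructed placeholder.

```shell
#!/bin/sh
# Added example: the page's key and certificate generation as a script,
# plus checks that the result is what QNAP expects.
# Assumptions: openssl on PATH; nas.example.com is a placeholder DNS name;
# WORKDIR is a constructed output directory.
set -eu

WORKDIR=${WORKDIR:-./qnap-ssl}
KEY_BITS=2048    # the page's advice: 2048, not 1024
DAYS=825

# Generate the private key, then a self-signed certificate that doubles as
# root and server certificate (the QNAP way). Common Name is the DNS name
# clients will type into the browser; nothing else in the subject matters here.
make_qnap_cert() {
    cn=$1
    mkdir -p "$WORKDIR"
    openssl genrsa -out "$WORKDIR/qnap.key" "$KEY_BITS" 2>/dev/null
    openssl req -new -x509 -key "$WORKDIR/qnap.key" -out "$WORKDIR/qnap.crt" \
        -days "$DAYS" -subj "/CN=$cn" 2>/dev/null
}

# Key length in bits, derived from the hex modulus (4 bits per hex digit).
key_bits() {
    hex=$(openssl rsa -in "$WORKDIR/qnap.key" -noout -modulus 2>/dev/null \
        | sed 's/^Modulus=//' | tr -d '\r\n')
    echo $(( ${#hex} * 4 ))
}

# Common Name as recorded in the certificate; it must equal the DNS name you use.
cert_cn() {
    openssl x509 -in "$WORKDIR/qnap.crt" -noout -subject -nameopt RFC2253 \
        | sed 's/^subject= *//; s/^CN=//'
}

# Run stand-alone with a hostname argument: ./qnap-cert.sh nas.example.com
if [ "${1:-}" ]; then
    make_qnap_cert "$1"
    echo "key: $(key_bits) bits, CN: $(cert_cn)"
    echo "Paste $WORKDIR/qnap.key and $WORKDIR/qnap.crt into the QNAP SSL screen."
fi
```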

The QNAP Method, Illustrated

After you use OpenSSL to create your private key and server certificate, use Notepad.exe to open each file. Then copy and paste the contents into QNAP.

[Figure: The QNAP certificate and key entry screen, before.]

[Figure: A typical private key file (adulterated for privacy purposes).]

[Figure: A typical certificate file (also adulterated).]

The certificate and key entered into QNAP. Click upload. Done.

[Figure: The certificate and key entered into QNAP.]

Activate the Web Server, Turn On SSL, Port Forward, and Test

Activate the web server built into QNAP and turn on SSL (check the boxes).

[Figure: QNAP web server settings with SSL enabled.]

Go into your router’s configuration. Enable DDNS and forward ports 80 and 443 to the local IP address of your QNAP device.

[Figure: Router port-forwarding configuration.]

Test SSL.

[Figure: Testing the SSL connection.]

If You Already Have A Server Certificate in IIS And Want to Use It

Follow these steps:

  • Go to IIS.
  • Select the certificate to export.
  • Click export.
  • Finally, answer the prompt for where to save it and the password to use to protect it. The export file contains both your SSL certificate and your private key.
  • Later, you’ll use OpenSSL to split the exported certificate into two files. These are the files you import into QNAP in exactly the same way as illustrated earlier.


Now, go to OpenSSL and split the certificate into two files. After the split, you’ll need to remove the password protection from the new key file; otherwise QNAP will have problems with it. The first password you enter is the one you made up when you created the .pfx file. The other one is used to protect the new, exported key file.

Export the certificate.

When you copy this file into QNAP, ignore (don’t copy) the part before the ‘-----BEGIN CERTIFICATE-----’ line.

openssl pkcs12 -in exported.pfx -out exported.crt -nokeys


Export the key.

openssl pkcs12 -in exported.pfx -out exported.key -nocerts


Remove the password from the newly exported key.

openssl rsa -in exported.key -out qnap.key

Now, load exported.crt and qnap.key into QNAP using a text editor. Done.
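The three commands above run non-interactively, as an added script that is not from the page or from QNAP, with the check worth doing before pasting anything into QNAP: that the extracted key really belongs to the extracted certificate and carries no passphrase. It assumes openssl on the PATH in a POSIX shell; since no IIS is at hand, exported.pfx is constructed locally in the same shape IIS produces, and both passwords are placeholders.

```shell
#!/bin/sh
# Added example: the page's pkcs12/rsa split run non-interactively, plus
# checks on the result. Assumptions: openssl on PATH; exported.pfx is
# constructed here in place of a real IIS export; passwords are placeholders.
set -eu

WORKDIR=${WORKDIR:-./qnap-ssl}
PFX_PASS=${PFX_PASS:-pfx-export-password}     # chosen in the IIS export wizard
TMP_PASS=${TMP_PASS:-temporary-key-password}  # guards exported.key until stripped

# Stand-in for the IIS export: a key and certificate bundled into a
# password-protected .pfx, the shape IIS hands you.
make_fake_iis_export() {
    mkdir -p "$WORKDIR"
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORKDIR/iis.key" \
        -out "$WORKDIR/iis.crt" -days 365 -subj "/CN=nas.example.com" 2>/dev/null
    openssl pkcs12 -export -in "$WORKDIR/iis.crt" -inkey "$WORKDIR/iis.key" \
        -out "$WORKDIR/exported.pfx" -passout "pass:$PFX_PASS"
}

# The page's three commands, with the passwords supplied on the command line.
split_pfx_for_qnap() {
    openssl pkcs12 -in "$WORKDIR/exported.pfx" -out "$WORKDIR/exported.crt" \
        -nokeys -passin "pass:$PFX_PASS"
    openssl pkcs12 -in "$WORKDIR/exported.pfx" -out "$WORKDIR/exported.key" \
        -nocerts -passin "pass:$PFX_PASS" -passout "pass:$TMP_PASS"
    openssl rsa -in "$WORKDIR/exported.key" -passin "pass:$TMP_PASS" \
        -out "$WORKDIR/qnap.key" 2>/dev/null
}

# QNAP wants only the PEM block: drop the lines that precede
# -----BEGIN CERTIFICATE----- in exported.crt.
pem_cert_only() {
    sed -n '/^-----BEGIN CERTIFICATE-----$/,/^-----END CERTIFICATE-----$/p' \
        "$WORKDIR/exported.crt"
}

# Key and certificate belong together iff their RSA moduli are identical.
key_matches_cert() {
    k=$(openssl rsa -in "$WORKDIR/qnap.key" -noout -modulus 2>/dev/null)
    c=$(openssl x509 -in "$WORKDIR/exported.crt" -noout -modulus)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# The stripped key must carry no passphrase; QNAP cannot prompt for one.
key_is_unencrypted() {
    ! grep -q 'ENCRYPTED' "$WORKDIR/qnap.key"
}
```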
