
Creating Self-Signed SSL Cert for QNAP NAS

posted 28 Jun 2015, 13:24 by Andrew at Lycom   [ updated 28 Jun 2015, 13:25 ]
The default install of a QNAP NAS uses a generic SSL certificate, which will give your browser fits of the vapours each time you visit it.

After a while, you may feel the need to remedy this. Here's how to do it (cribbed from the QNAP guide here.)

On my Linux CentOS box with OpenSSL installed:

openssl genrsa -out priv.key 1024

then

openssl req -new -key priv.key -out server.crt -x509 -days 365

which asks you to supply various information, the most important being the last bit 'common name' which should be the hostname in DNS of your NAS box.

Next, in the NAS web admin interface, go to Security / Certificate and Private Key and paste the contents of server.crt into the first box, then the contents of priv.key into the second. Apply and reload the web interface - you should get a warning message but with the new hostname of your NAS.

Client SSL Configuration


You will need to get your browser to trust this SSL cert.

In Google Chrome, I clicked the SSL padlock, saved the SSL file (export) then in

chrome://settings

I went to Advanced / Http/SSL and manage certificates, then imported the downloaded SSL key file.  Reload the NAS website and your SSL site should load without the usual raft of 'danger unsafe' warnings.

A More Secure SSL Configuration?


The default procedure listed above gives you an SHA-1 certificate:

PKCS #1 SHA-1 With RSA Encryption

A better configuration would involve an SHA-2 certificate (see why here). However, when I did:

openssl req -new -key priv.key -out my-sha2-server.crt -days 365 -sha256

and then tried to load into the QNAP NAS, it could not load the keys. I suspect that means it can't accept SHA-2 certificates? Hmmm, one to ponder for the future ...
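
As an added example (not from the original post or the QNAP guide), this script generates a key and a SHA-256 self-signed certificate, then checks the pair before it is pasted into the NAS: that the file is a certificate rather than a signing request, that the signature digest is SHA-2, and that the key matches. The hostname nas.example.lan, the 2048-bit key size and the function names are assumptions; whether a given QNAP firmware accepts the result is not tested here.

```shell
#!/bin/sh
# Added example: hostname, file names and key size are assumptions, not from the post.
NAS_HOST="nas.example.lan"   # constructed; use the DNS name of your NAS

# Generate a private key and a self-signed certificate signed with SHA-256.
# -x509 makes `openssl req` write a certificate rather than a signing request;
# -subj supplies the common name without the interactive prompts.
make_cert() {  # usage: make_cert <dir>
    openssl genrsa -out "$1/priv.key" 2048 2>/dev/null &&
    openssl req -new -x509 -sha256 -days 365 -key "$1/priv.key" \
        -subj "/CN=$NAS_HOST" -out "$1/server.crt" 2>/dev/null
}

# Print the kind of PEM object in a file: certificate, request or unknown.
pem_kind() {
    case "$(head -n 1 "$1")" in
        "-----BEGIN CERTIFICATE-----")         echo certificate ;;
        "-----BEGIN CERTIFICATE REQUEST-----") echo request ;;
        *)                                     echo unknown ;;
    esac
}

# Print the certificate's signature algorithm, e.g. sha256WithRSAEncryption.
sig_alg() {
    openssl x509 -in "$1" -noout -text |
        sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# Succeed only if the certificate's public key belongs to the private key.
key_matches() {  # usage: key_matches <cert> <key>
    [ "$(openssl x509 -in "$1" -noout -modulus)" = \
      "$(openssl rsa -in "$2" -noout -modulus 2>/dev/null)" ]
}

# Run every check on a certificate/key pair; prints "ok" when all pass.
check_pair() {  # usage: check_pair <cert> <key>
    [ "$(pem_kind "$1")" = certificate ] || { echo "not a certificate: $1"; return 1; }
    case "$(sig_alg "$1")" in
        sha256*|sha384*|sha512*) ;;
        *) echo "weak or unknown signature: $(sig_alg "$1")"; return 1 ;;
    esac
    key_matches "$1" "$2" || { echo "key does not match certificate"; return 1; }
    echo "ok"
}

# Stand-alone run in a scratch directory.
dir=$(mktemp -d) && make_cert "$dir" && check_pair "$dir/server.crt" "$dir/priv.key"
```

Running check_pair on any file produced by an openssl command shows at once whether it is a certificate or a request, which is worth knowing before a device rejects it.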