N2100 Fixing Certificate problems
From ThecusWiki
Prerequisites
The following instructions require SSH module version 2.0.00 (not yet released as of today) plus some experience using the command line interface. First you will generate your own certificate authority (CA) to replace the Thecus dummy CA. Then you will create a certificate for your N2100.
Start by choosing a strong passphrase for your CA plus a basic passphrase for your certificate request. Write both down; you will be asked for them more than once.
Log in to your N2100 and change to the directory /raid/module/SSH
Create certificate authority (CA)
export SSLEAY_CONFIG="-config /usr/etc/openssl/openssl.cnf"
/usr/etc/openssl/misc/CA.sh -newca
When prompted for Common Name (hostname, IP, or your name), enter a meaningful name such as My Thecus CA.
Create SSL request (to be signed by CA)
export SSLEAY_CONFIG="-config /usr/etc/openssl/openssl.cnf"
/usr/etc/openssl/misc/CA.sh -newreq
When prompted for Common Name (hostname, IP, or your name) [], enter the hostname of your N2100 or preferably an FQDN (fully qualified domain name) such as thecus.freeside.ch. If you do not have an FQDN, your N2100 will keep bugging you that the certificate does not belong to your machine.
Sign SSL request by CA
export SSLEAY_CONFIG="-config /usr/etc/openssl/openssl.cnf"
/usr/etc/openssl/misc/CA.sh -sign
Remove passphrase from the private key
openssl rsa -in newkey.pem -out key.pem
Copy whole enchilada to Apache
cp key.pem /opt/apache/conf/ssl.key/server.key
cp newcert.pem /opt/apache/conf/ssl.crt/server.crt
cp demoCA/cacert.pem /opt/apache/conf/ssl.crt/ca-bundle.crt
cp demoCA/cacert.pem /img/htdocs/mythecusca.pem
Restart Apache
/opt/apache/bin/apachectl -k graceful
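The files produced by the steps above can be checked for consistency, ideally before they are copied to Apache. The following script is an added example, not part of the original page or of any Thecus tool; the function names and the host name thecus.example.test are assumptions, and make_demo only builds constructed sample data so the checks can be tried away from the N2100.

```shell
#!/bin/sh
# Added example (not Thecus code): consistency checks for the files the CA.sh
# steps leave behind. Function names are illustrative.

# True when private key and certificate carry the same RSA modulus.
# "-passin pass:" makes a still-encrypted key fail instead of prompting.
key_matches_cert() {
    km=$(openssl rsa -noout -modulus -passin pass: -in "$1" 2>/dev/null) || return 1
    cm=$(openssl x509 -noout -modulus -in "$2" 2>/dev/null) || return 1
    [ -n "$km" ] && [ "$km" = "$cm" ]
}

# True when the certificate ($2) verifies against the CA file ($1).
# Matches the ": OK" line rather than trusting the exit status alone.
signed_by_ca() {
    openssl verify -CAfile "$1" "$2" 2>&1 | grep -q ': OK$'
}

# Prints the Common Name from the certificate subject.
cert_cn() {
    openssl x509 -noout -subject -nameopt RFC2253 -in "$1" 2>/dev/null |
        sed -e 's/^subject= *//' | tr ',' '\n' | sed -n 's/^CN=//p' | head -n 1
}

# check_bundle KEY CERT CA HOSTNAME: prints "ok" or the first failed check.
check_bundle() {
    key_matches_cert "$1" "$2" || { echo "key and certificate do not match"; return 1; }
    signed_by_ca "$3" "$2" || { echo "certificate not signed by this CA"; return 2; }
    [ "$(cert_cn "$2")" = "$4" ] || { echo "Common Name is not $4"; return 3; }
    echo "ok"
}

# Constructed sample data: throwaway CA and server certificate in a temp dir.
make_demo() {
    d=$(mktemp -d) || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=My Thecus CA" \
        -keyout "$d/cakey.pem" -out "$d/cacert.pem" 2>/dev/null || return 1
    openssl req -newkey rsa:2048 -nodes -subj "/CN=thecus.example.test" \
        -keyout "$d/key.pem" -out "$d/newreq.pem" 2>/dev/null || return 1
    openssl x509 -req -days 1 -in "$d/newreq.pem" -CA "$d/cacert.pem" \
        -CAkey "$d/cakey.pem" -CAcreateserial -out "$d/newcert.pem" 2>/dev/null || return 1
    echo "$d"
}

# On the N2100, from /raid/module/SSH, with the Common Name you entered:
#   check_bundle key.pem newcert.pem demoCA/cacert.pem thecus.freeside.ch
```

A mismatch between key and certificate here usually means files from an earlier run were left in the directory.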
Import certificate authority into web browser
The location of the CA file is http://mythecus/mythecusca.pem. Now it's time to introduce your new CA to all of your web browsers. The instructions are different for each of them. Please be aware that the file mythecusca.pem will disappear from the aforementioned location after a reboot of your N2100.
- Firefox: double click the file in Firefox; when asked, accept the certificate for identifying webservers only.
- Safari: download the file to the desktop, then double click and choose add to X509Anchors keychain.
- IE: download the file to the desktop, then double click and choose install.
Optional: Start from scratch
cd /raid/module/SSH
rm -rf *.pem ./demoCA
mkdir ./demoCA
echo '100001' > ./demoCA/serial
touch ./demoCA/certindex.txt