QNAP Systems, Inc. - Network Attached Storage (NAS)



How to Use SSL Certificates to Increase the Connection Security to your QNAP NAS

1. Challenges and Solutions

When browsing the Internet, you may be at risk of exposing personal information. Messages you send and receive may not be secure, and the website you visit may not be authentic. This risk can apply both to the communication between you and a website and between you and your QNAP NAS. By using a Certificate and Private Key (TLS/SSL) for your NAS, you can receive the following benefits and make the connection between you and your QNAP NAS more secure:

  1. Prevent eavesdropping when connecting to your/your company’s QNAP NAS.
  2. Prevent tampering and ensure that you are interacting with the correct QNAP NAS.
  3. You and other NAS users will no longer see a warning that the connection/website is insecure.
This warning message is displayed when a website does not have a proper SSL certificate.

In this application note we will address how to create a root certificate for your usage and a certificate for the QNAP NAS* by using OpenSSL and Windows Server. Detailed information on how Certificates, Private Keys and TLS/SSL work will not be addressed. For information regarding how to purchase myQNAPcloud SSL certificates, please refer to “How to purchase and use myQNAPcloud SSL certificates?”

*The methods provided are only for QNAP NAS and are not suitable for public websites.

2. Introduction

2.1. What is SSL?

Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), are cryptographic protocols designed to provide communications security over a computer network.

On your web browsers, there may already be some Root Certificates that have been signed by Root Certificate Authorities. So when you visit a website that is approved and trusted by one of the Root Certificate Authorities, your browser will recognize that site as trusted and establish a secure connection for your usage.

Most websites must go through the certificate process before they can be recognized by a Root Certificate Authority for public access. But as your NAS will only be accessed by its users, it is possible to act as a Root Certificate Authority by using OpenSSL and Windows Server. This allows you to establish a secure connection between your personal/company device and the NAS as shown below:

This article will show how to create a self-signed certificate using OpenSSL (left).
The last chapter will show how to create a root certificate with Windows Server (right).
[Figure labels: QNAP Root Certificate Authority; QNAP Root Certificate on the Device; QNAP Certificate on NAS]

For home use, you can also use http://www.selfsignedcertificate.com/ to quickly create a self-signed certificate without needing the OpenSSL command line (this method is only recommended for home/private use). Please refer to Chapter 3.3 for more information.

2.2. System Requirement for OpenSSL

To create a Certificate and Private Key file to secure the connection with your QNAP NAS, you can use OpenSSL or purchase a Certificate from a trusted Certificate Authority. The OpenSSL package can be downloaded for Linux from: https://www.openssl.org/

For Windows and other operating systems, you can find other versions of OpenSSL developed by OpenSSL community members. In this example we use Win32OpenSSL. This can be downloaded from https://www.openssl.org/community/binaries.html

*Visual C++ 2008 must be installed before using OpenSSL in Windows. It can be downloaded from:

3. Create a Certificate

3.1. Using OpenSSL to create the Root Certificate

After downloading OpenSSL for Windows, decompress the package and you will see the following folders:

The content of Win32OpenSSL. In this example the package is saved in C:\OpenSSL-Win32

Right click on the Start button and open “Command Prompt (Admin)”. Then enter the following command:

CD C:\OpenSSL-Win32\bin

*Please adjust the file path for where you have saved the decompressed package.

Open "Command Prompt (Admin)" by right clicking on the Start button.
Use CD C:\OpenSSL-Win32\bin to go into the bin folder

Before starting, you may need to identify the OpenSSL configuration file. To manually set the configuration file path, enter the following command:

set OPENSSL_CONF=openssl.cnf
The openssl.cnf file name may differ depending on your version of OpenSSL. You will need to change the command accordingly.

When you use the following command to create the root private key, you can choose the size of the key (up to 4096 characters). In this example we set the key to 2048 characters. This private key will be the basis of all trust for your certificate, so the -des3 option should be used to set a password for this key. This key and password must be kept secret. To create a key without a password, remove the -des3 option:

openssl genrsa -des3 -out rootCA.key 2048
Creating a password-protected root private key.

After the private key is created, use the following command to create and configure a self-signed certificate that is paired with the key. By changing the -days value, you can decide the certificate's expiry date (we use 730 days as an example). After entering this command, you must enter the key's password and any additional information that will be stored in the certificate. In the Common Name section, please enter the name of this root certificate.

openssl req -x509 -new -nodes -key rootCA.key -days 730 -out rootCA.pem
Creating a certificate that is paired with the private key you created.

A private key called rootCA.key and an SSL certificate called rootCA.pem will now be saved in the bin folder. The certificate is self-signed, valid for 730 days, and it will act as the root certificate for a QNAP NAS when you create different certificates for each NAS.

The newly-created private key and SSL certificate.

3.2. Using OpenSSL to create a Certificate for your NAS

After creating the root certificate, use the following commands to create another paired private key and certificate for your QNAP NAS. This is identical to creating a root private key and certificate. You can customize the characters of the key, but no password is required. When creating a certificate for a QNAP NAS, the Common Name must be the IP address or Host name* of the QNAP NAS.

*Some browsers may automatically deem an IP address as insecure and will still display a warning message.

openssl genrsa -out device.key 2048
openssl req -new -key device.key -out device.csr
Creating a private key and certificate for your QNAP NAS. Ensure that you enter the IP address/hostname (example.myqnapcloud.com) that you will use to connect to the QNAP NAS.

Two files will be saved to the bin folder called device.key and device.csr. You will need to enter the below command to sign the created certificate with the root certificate’s private key. You can decide the certificate's expiry date (we use 730 days as an example):

openssl x509 -req -in device.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out device.crt -days 730
Signing device.csr. If you have created a password for rootCA.key you will need to enter it.
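
The steps in 3.1 and 3.2, run unattended in a Linux shell and followed by the checks worth making before the files are uploaded in Chapter 4.1 (an added example, not QNAP's own script). It goes beyond the page by adding a subjectAltName through -extfile, because current browsers match the host name against that field rather than the Common Name. The -subj, -config and -sha256 options, the unencrypted demo root key, and the names nas.example.test and "Example Root CA" are assumptions made here.

```shell
#!/bin/sh
# Added example, not QNAP's script. nas.example.test and "Example Root CA"
# are constructed placeholder names.

# make_certs HOST SAN: the page's OpenSSL steps, unattended, in the current
# directory, with a subjectAltName added to the device certificate.
make_certs() {
    printf '%s\n' '[req]' 'distinguished_name = dn' 'x509_extensions = v3_ca' \
        'prompt = no' '[dn]' 'CN = Example Root CA' '[v3_ca]' \
        'basicConstraints = critical,CA:TRUE' \
        'keyUsage = critical,keyCertSign,cRLSign' > ca.cnf
    printf 'subjectAltName = DNS:%s\n' "$2" > san.ext
    # 2048 is the RSA key size in bits. The root key is left unencrypted
    # (no -des3) only so that this demo needs no password prompt.
    openssl genrsa -out rootCA.key 2048 >/dev/null 2>&1 &&
    openssl req -x509 -new -key rootCA.key -sha256 -days 730 \
        -config ca.cnf -out rootCA.pem >/dev/null 2>&1 &&
    openssl genrsa -out device.key 2048 >/dev/null 2>&1 &&
    openssl req -new -key device.key -subj "/CN=$1" \
        -config ca.cnf -out device.csr >/dev/null 2>&1 &&
    openssl x509 -req -in device.csr -CA rootCA.pem -CAkey rootCA.key \
        -CAcreateserial -sha256 -days 730 -extfile san.ext \
        -out device.crt >/dev/null 2>&1
}

# check_certs HOST: chain, key pairing and host name, checked before
# device.crt and device.key are pasted into the NAS.
check_certs() {
    chain=fail; key=mismatch; name=mismatch
    openssl verify -CAfile rootCA.pem device.crt >/dev/null 2>&1 && chain=ok
    [ "$(openssl x509 -noout -pubkey -in device.crt)" = \
      "$(openssl pkey -in device.key -pubout)" ] && key=match
    openssl verify -CAfile rootCA.pem -verify_hostname "$1" \
        device.crt >/dev/null 2>&1 && name=match
    echo "chain=$chain key=$key host=$name"
}

# issue_and_check HOST [SAN]: run both steps in a throwaway directory.
issue_and_check() {
    dir=$(mktemp -d) || return 1
    out=$(cd "$dir" && make_certs "$1" "${2:-$1}" && check_certs "$1")
    status=$?
    rm -rf "$dir"
    [ "$status" -eq 0 ] && echo "$out"
}

issue_and_check nas.example.test                     # SAN equals the name used
issue_and_check nas.example.test other.example.test  # CN right, SAN wrong
```

The second call reports host=mismatch even though the Common Name is correct: once a DNS subjectAltName is present, OpenSSL's host name check does not fall back to the Common Name.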

3.3. Using www.selfsignedcertificate.com to create a certificate for your NAS

It is possible to create a self-signed certificate on the internet. Using http://www.selfsignedcertificate.com/, enter the IP address/hostname* of your QNAP NAS and click "Generate". Please ensure that the entered address is the same one you use to visit your NAS.

*Some browsers may automatically deem an IP address as insecure and will still display a warning message.

Enter the IP address/hostname of your QNAP NAS
Download the .key and .cert file.

4. Establish a Secure Connection

4.1. Configure the QNAP NAS to enable a secure connection

The above actions will create a new file called device.crt using the device.key, or you will be able to download address.cert and address.key from www.selfsignedcertificate.com. Now you must upload the content of the .crt (or .cert) and .key files to a QNAP NAS. Open these files with Notepad (or another text editor)*, log into your NAS, go to “Control Panel” > “Security” > “Certificate & Private Key”, copy the whole content of the key and certificate files to their respective fields, and click “Apply”.

*Do not use Microsoft Word to open the file. Do not use Word Wrap in your text editor.

These files are created or downloaded after the above process. Open them using Notepad or another text editor.
Copy the content from the key and certificate files and paste them into “Certificate and Private Key” in Control Panel.
Click Apply to upload the pasted key and certificate data.
The “Certificate & Private Key” status will change from using default settings to “Uploaded secure certificate being used”

Go to "Control Panel" > "Applications" > "Web Server" and check “Enable secure connection (HTTPS)”.

Enable a secure connection for the web server after applying the certificate

5. Use a Secure Connection

5.1. Store the Root Certificate in your devices and securely connect to your NAS

For root certificates created using OpenSSL, change the name of rootCA.pem to rootCA.crt*. For certificates created by www.selfsignedcertificate.com, change the name of address.cert to address.crt. Then transfer the renamed file to the device that will access the NAS and open it there.

*This may not be required for some operating systems. Different operating systems may use other methods to import certificates.

When importing the certificate in Windows, the certificate's information will be displayed for your confirmation. Click “Install Certificate” to store it on your PC. When asked where to store this Certificate, choose Trusted Root Certificate Authorities. Before finishing, Windows may ask you to confirm its origin. As it was created by yourself, you can click “Yes”. After installation, your browsers should start using this certificate*.

*Internet Explorer and Edge will use these certificates by default. Other browsers may use different methods for storing root certificates and you will need to manually configure them.

Import the rootCA.crt to your PCs that will access the QNAP NAS.

Close and reopen your browsers for the changes to take effect. In the address bar, enter https:// (Your NAS’s IP address or Host Name):(Your Secure Port) to log in to the NAS. You will see the certificate message in the browser confirming that your NAS has been identified and that the connection is secure.

Once verified, your browser will correctly identify your website and confirm that the connection is secure.

6. Use Windows Server Certificate Authority to issue and manage the NAS’s certificate.

If you manage multiple devices using Windows Server Active Directory, you can create a root certificate using Windows Server and sign the certificate request of your QNAP NAS. To do so, please first install the Certificate Authority Management Tools in Windows Server. In this example we use Windows Server 2012.

You can find the “Certificate Authority Management Tools” in “Add Roles and Features"

After installing Certificate Authority Management Tools, you will find a new item (“AD CS”) in the left menu of Server Manager. This means Active Directory Certificate Services. In AD CS you must configure a root certificate for your network. You can follow the wizard to create a new Root Certificate using Windows Server or select an existing root certificate.

Server Manager will prompt you to configure Active Directory Certificate Services on your server.
Follow the wizard to configure a root certificate. You can create a new root certificate or use an existing private key. In this example we create a new private key.
Confirm your settings after all of the options are completed. Different options can be selected for different usage requirements.

After the configuration is completed, your server will have the authority to sign a certificate. To use the server’s root certificate to sign your QNAP NAS, refer to Chapter 3.2 to create a certificate .csr file. Once the .csr file is created, find “Certificate Authority” in the Server Manager’s Tools menu.

The location of the Certificate Authority function.

In Certificate Authority you will be able to manage the certificates that were signed and issued by your server. To sign the certificate for the NAS, right click on your server, select “All Tasks” > “Submit new request” and find the .csr file that contains the IP address/Host name of your QNAP NAS*. In “Pending Requests”, find the request you just submitted and right click it to issue the certificate.

*There are other methods to create a .csr for your QNAP NAS without using the OpenSSL command line interface, including this website: https://www.gogetssl.com/online-csr-generator/

Submit a new certificate request for your NAS.
Find the .csr file you created for your NAS using OpenSSL.
Issue the certificate

Once the certificate is issued, select it in “Issued Certificates” and export the certificate to a file to upload its content to your QNAP NAS along with the private key (refer to Chapter 4.1). Your NAS will then use the certificate that was issued by your Windows Server.

Open Issued Certificates and select “Copy to File” when viewing your issued certificate.
Select "Base-64 encoded X.509 (.CER)" so that you can open the file with Notepad in Windows Server.
After following Chapter 4.1 to enter the Certificate and Key into your NAS, your NAS will be using the certificate issued by your Windows Server.
Release date: 2016-05-10