[HOWTO] create a self signed cert to use HTTPS


Post by raulfg3 » 08 Jun 2019 20:57

I use the well explained method described here:
Spanish https://magmax.org/blog/creando-tu-prop ... adora-ssl/
English https://datacenteroverlords.com/2012/03 ... authority/

More info at: https://support.citrix.com/article/CTX227983

But I modified some things to use SAN.

1 - Create a private key for CA

Code:

openssl genrsa -out rootCA.key 2048

2 - Self-sign this key for the CA

Code:

openssl req -x509 -new -nodes -key rootCA.key -days 1024 -out rootCA.pem

You generate 3 files in root (I use WinSCP to show the files):
These files must be saved in a safe place and uploaded to your Firefox and Chrome as
So you have a trusted, locally self-signed CA.

Now it is time to create one cert per machine:

First you need to copy req.cnf to root to use in the generation afterwards.
Please edit as you need:

Code:

[ req ]
default_bits = 2048
default_keyfile = device.key
distinguished_name = subject
req_extensions = extensions
x509_extensions = extensions
string_mask = utf8only

[ subject ]
countryName = Country Name (2 letter code)
countryName_default = ES

stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Madrid

localityName = Locality Name (eg, city)
localityName_default = Boadilla

organizationName = Organization Name (eg, company)
organizationName_default = local

commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_default  = rnas.local

emailAddress = Email Address
emailAddress_default = yourmail@gmail.com

[ extensions ]
subjectKeyIdentifier = hash

basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alternate_names
nsComment = "OpenSSL Generated Certificate"

[ alternate_names ]
DNS.1 = rnas.local
DNS.2 = rnas
IP.1 =

As you can see, 3 alternate names are used for my NAS:
DNS.1 = rnas.local
DNS.2 = rnas
IP.1 =

These are Common Names for the same machine and are used only on my LAN (on WAN you have a CN like myNAS.duckdns.org or something similar).

Now it is time to generate your key:

Code:

openssl genrsa -out device.key 2048

Now it is time to generate device.csr:

Code:

openssl req -new -key device.key -out device.csr -config req.cnf -sha256 -nodes

and type your real data for your NAS (machine).

Now the final step is to generate the self-signed cert with SAN names. To do this:

Code:

openssl x509 -req -in device.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out device.crt -days 1000 -extensions extensions -extfile req.cnf

and check that everything is correct:

Code:

openssl x509 -in device.crt -text -noout

Now it is time to load the private key on XigmaNAS to use HTTPS:
use device.key as the private key
and device.crt as the certificate:

And the last step is to reboot to test.

Now you can test several URLs (like DNS1, 2 & 3 in the cnf file)

eg: https://rnas.local


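The steps above collected into one non-interactive script, as an added example that is not part of the original post. It goes beyond the post by giving the CA certificate its own `ca_ext` section and by checking the result with `openssl verify` and `-checkhost`; the function names, the CA subject and the `192.0.2.10` address are assumptions made for the example.

```shell
# Added example (not from the post): the CA and device steps, then two checks.
# Constructed values: the CA subject and the 192.0.2.10 placeholder address.
make_certs() {   # $1 = empty working directory
  ( cd "$1" && umask 077 &&   # keys readable by the owner only
    cat > req.cnf <<'EOF' &&
[ req ]
distinguished_name = subject
prompt = no
[ subject ]
CN = overridden-by-subj
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ extensions ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alternate_names
[ alternate_names ]
DNS.1 = rnas.local
DNS.2 = rnas
IP.1 = 192.0.2.10
EOF
    openssl genrsa -out rootCA.key 2048 &&
    openssl req -x509 -new -key rootCA.key -sha256 -days 1024 -config req.cnf \
      -extensions ca_ext -subj "/CN=Example Home CA" -out rootCA.pem &&
    openssl genrsa -out device.key 2048 &&
    openssl req -new -key device.key -sha256 -config req.cnf \
      -subj "/CN=rnas.local" -out device.csr &&
    openssl x509 -req -in device.csr -CA rootCA.pem -CAkey rootCA.key \
      -CAcreateserial -sha256 -days 1000 -extensions extensions \
      -extfile req.cnf -out device.crt
  ) >/dev/null 2>&1
}

# Succeeds only if device.crt chains to rootCA.pem.
chain_ok() {
  openssl verify -CAfile "$1/rootCA.pem" "$1/device.crt" >/dev/null 2>&1
}

# Succeeds only if the certificate's SAN covers DNS name $2.
san_has() {
  openssl x509 -in "$1/device.crt" -noout -checkhost "$2" | grep -q 'does match'
}

# Usage: d=$(mktemp -d) && make_certs "$d" && chain_ok "$d" && san_has "$d" rnas
```

A name that is not listed under `[ alternate_names ]` makes `san_has` fail, which is the same mismatch a browser reports for that URL.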
