I just wanted to share my experience with using a self-signed cert generated by openssl for the WebGUI (11.2.0.4 r5748).
When I first generated a self-signed cert using openssh I bumped into two problems.
The first problem was that the webgui didn't like my private key and gave me the error "The attribute 'Private key' does not appear to be a valid private key."
I just copy-pasted the key from the keyfile generated by openssl, but the problem was that the format of the openssl key was
Code:
-----BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----
Code:
-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----
The next problem was that Chrome still didn't accept my certificate after adding it to the trusted root certificates; it gave me the error "NET::ERR_CERT_COMMON_NAME_INVALID".
This was solved by adding the subjectAltName extension to the certificate; see https://support.google.com/chrome/a/ans ... 1219?hl=en
My final procedure for creating a self-signed cert for my nas, called nas.local, was:
Code:
$ openssl req -newkey rsa:4096 -nodes -keyout nas.local.key -out nas.local.csr
$ echo subjectAltName=DNS:nas.local > san.ext
$ openssl x509 -req -sha256 -extfile san.ext -days 3650 -in nas.local.csr -signkey nas.local.key -out nas.local.crt
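
The two problems described in the post can be checked from the shell before pasting anything into the WebGUI. The following is an added example, not part of the original post: it rewrites the key in the `BEGIN RSA PRIVATE KEY` form, confirms the certificate carries the expected subjectAltName, and confirms the key and certificate belong together. The function names and the `.rsa` output suffix are hypothetical, and `openssl pkey -traditional` assumes OpenSSL 1.1.0 or later.

```shell
#!/bin/sh
# Added example, not from the original post. Helper names are hypothetical.

# Print the first line of a PEM file so the key format is visible.
pem_header() {
    head -n 1 "$1"
}

# Rewrite a PKCS#8 key ("BEGIN PRIVATE KEY") in the traditional PKCS#1 form
# ("BEGIN RSA PRIVATE KEY"). The umask keeps the new key file owner-only.
# Assumes OpenSSL 1.1.0 or later for the -traditional option.
to_traditional_rsa() {
    (umask 077; openssl pkey -in "$1" -traditional -out "$2")
}

# Succeed only if the certificate lists exactly this DNS name in its
# subjectAltName extension (the check Chrome applies to the host name).
cert_has_san() {
    san_names=$(openssl x509 -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' \
        | tr ',' '\n' | sed 's/^ *//; s/ *$//')
    printf '%s\n' "$san_names" | grep -qxF "DNS:$2"
}

# Succeed only if the private key and the certificate share a public key.
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout) || return 1
    crt_pub=$(openssl x509 -in "$2" -noout -pubkey) || return 1
    [ -n "$key_pub" ] && [ "$key_pub" = "$crt_pub" ]
}

# Usage: sh check-cert.sh nas.local.key nas.local.crt nas.local
if [ "$#" -eq 3 ]; then
    to_traditional_rsa "$1" "$1.rsa" || exit 1
    echo "key header: $(pem_header "$1.rsa")"
    cert_has_san "$2" "$3" || { echo "missing SAN DNS:$3" >&2; exit 1; }
    key_matches_cert "$1.rsa" "$2" || { echo "key/cert mismatch" >&2; exit 1; }
    echo "ok: $2 is valid for $3 and matches $1.rsa"
fi
```
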
