I use the well explained method described here:
Spanish https://magmax.org/blog/creand…ntidad-certificadora-ssl/
English https://datacenteroverlords.co…sl-certificate-authority/
more info on: https://support.citrix.com/article/CTX227983
But I modified some things to use SAN: https://geekflare.com/san-ssl-certificate/
1 - Create a private key for the CA
2 - Self-sign this key for the CA
This generates 3 files on root (I use WinSCP to show the files).
These files must be saved in a safe place and uploaded to your Firefox and Chrome as an Authority.
So now you have a trusted CA cert, locally self-signed.
Now it is time to create one cert per machine, using the previous CA cert to sign it:
First you need to copy req.cnf to root, to use in the later generation steps.
Please edit it as you need:
[ req ]
default_bits = 2048
default_keyfile = device.key
distinguished_name = subject
req_extensions = extensions
x509_extensions = extensions
string_mask = utf8only
[ subject ]
countryName = Country Name (2 letter code)
countryName_default = ES
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Madrid
localityName = Locality Name (eg, city)
localityName_default = Boadilla
organizationName = Organization Name (eg, company)
organizationName_default = local
commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_default = rnas.local
emailAddress = Email Address
emailAddress_default = yourmail@gmail.com
[ extensions ]
subjectKeyIdentifier = hash
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alternate_names
nsComment = "OpenSSL Generated Certificate"
[ alternate_names ]
DNS.1 = rnas.local
DNS.2 = rnas
IP.1 = 192.168.1.103
As you can see, 3 alternate names are used for my NAS:
DNS.1 = rnas.local
DNS.2 = rnas
IP.1 = 192.168.1.103
These are common names for the same machine and are used only on my LAN (on the WAN you would have a CN like myNAS.duckdns.org or something similar).
Now it is time to generate your key:
Now it is time to generate device.csr:
Now the final step is to generate the cert, signed by your own CA, with the SAN names. To do this:
openssl x509 -req -in device.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out device.crt -days 1000 -extensions extensions -extfile req.cnf
and check that everything is correct:
Now it is time to load the private key on OMV to use HTTPS:
Use device.key as the private key
and device.crt as the certificate:
Save, go to General Settings, and select the saved cert to use as the HTTPS cert:
The last step is to wait 2 minutes before testing (because if you test too quickly a warning about time is shown).
Now you can test several URLs (the DNS.1, DNS.2 and IP.1 entries in the cnf file).
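The whole procedure as one non-interactive script, including the key and CSR steps whose commands are not shown in the post. This is an added example, not the poster's own commands: the `ca_ext` section, the CA subject `Home Lab CA`, `-batch`, `umask 077`, the 2048-bit key sizes and the CA's `-days 1024` are assumptions, and req.cnf is a trimmed copy of the one above.

```shell
#!/bin/sh
# Added example: CA -> device key -> CSR -> signed cert with SAN -> check.
# File names follow the post; ca_ext, "Home Lab CA", -batch and umask are assumptions.
build_chain() (
  umask 077                              # keys are written readable by owner only
  mkdir -p "$1" && cd "$1" || exit 1     # $1 = working directory
  cat > req.cnf <<'EOF' || exit 1
[ req ]
default_bits = 2048
distinguished_name = subject
req_extensions = extensions
string_mask = utf8only
[ subject ]
countryName = Country Name (2 letter code)
countryName_default = ES
commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_default = rnas.local
[ extensions ]
subjectKeyIdentifier = hash
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alternate_names
[ alternate_names ]
DNS.1 = rnas.local
DNS.2 = rnas
IP.1 = 192.168.1.103
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
  # Steps 1 and 2: CA private key, then the self-signed CA certificate
  openssl genrsa -out rootCA.key 2048 &&
  openssl req -x509 -new -config req.cnf -extensions ca_ext -key rootCA.key \
    -sha256 -days 1024 -subj "/CN=Home Lab CA" -out rootCA.pem &&
  # Device key and CSR (-batch takes the *_default values from req.cnf)
  openssl genrsa -out device.key 2048 &&
  openssl req -new -batch -config req.cnf -key device.key -out device.csr &&
  # Sign the CSR with the CA, copying the SAN block from req.cnf (command from the post)
  openssl x509 -req -in device.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial \
    -out device.crt -days 1000 -sha256 -extensions extensions -extfile req.cnf &&
  # Check: the chain validates against the CA and the SAN entries are in the cert
  openssl verify -CAfile rootCA.pem device.crt >/dev/null &&
  openssl x509 -in device.crt -noout -text | grep 'DNS:'
)
# usage: build_chain /path/to/empty/dir   (prints the SAN line on success)
```

Only rootCA.pem needs to be imported into the browsers; rootCA.key is the signing key and should stay offline in the safe place.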