Mailinglist Archive: opensuse (769 mails)

< Previous Next >
Re: [opensuse] Firefox - on the security exceptions - self-signed certificates
  • From: Jan Ritzerfeld <suse@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx>
  • Date: Sat, 07 May 2016 17:52:32 +0200
  • Message-id: <16253053.BOJ4NDPsKR@karl>
Am Freitag, 6. Mai 2016, 12:58:05 schrieb Vojtěch Zeisek:
I set up Synology NAS server and allowed only HTTPS access for the web
interface. It has self-signed certificate, but as it is only for internal
purposes, it is not any problem.

Well, current browsers do not like self-signed certificates. So, I would
suggest that you create your own CA, deploy its certificate on all of the
internal clients, create a certificate for your NAS with matching SANs, and
sign it with your own CA certificate.
This will be pretty efficient if you want to secure multiple internal servers
because you only have to deploy exactly one certificate to get rid off all
the browser warnings. I did this for my NAS, printer, and router. If you
need any help, I will be happy to provide openssl configuration files and
the corresponding commands to create all of the above.

However, if "internal purposes" means that only a limited set of people
should access the Web Server of your NAS via a regular domain name then
upgrade to DSM 6 and use Let's Encrypt to remove the necessity of creating
and deploying any CA certificate at all. I cannot do it this way because my
NAS is accessible only via VPN, intentionally.

To think is easy and to act is hard, but the hardest thing in the world is
to act in accordance with your thinking.

To unsubscribe, e-mail: opensuse+unsubscribe@xxxxxxxxxxxx
To contact the owner, e-mail: opensuse+owner@xxxxxxxxxxxx

< Previous Next >
Follow Ups