How to Add/Change Root Certificates

Purpose

This article provides the steps required in order to install your own certificates on your SoftNAS instance.

Symptoms

An SSL certificate is necessary for more than just distributing the public key.  If it is signed by a trusted third-party, it verifies the identity of the server so clients know they aren’t sending their information (encrypted or not) to the wrong person.

What is a Self-Signed Certificate?

It is a certificate that is signed by itself rather than a trusted third party. This is not a good idea for most business use cases. You will almost never want to use a self-signed certificate on a public Apache server that requires anonymous visitors to connect to your site because they could easily become a victim of a man-in-the-middle attack.

When could a Self-Signed Certificate prove adequate?

  • Apache development server - There is no need to spend extra money buying a trusted certificate when you are just developing or testing an application.

  • Intranet - When clients only have to go through a local Intranet to get to the server, there is virtually no chance of a man-in-the-middle attack.

  • Personal sites with few visitors - If you have a small personal site that transfers non-critical information, there is very little incentive for someone to attack the connection.

Final Take

In other words, when deploying your SoftNAS server into an enterprise use case, it may be required (or at least strongly recommended) that you replace the default self-signed certificates with your own enterprise certificates.

Resolution

If you want to send or receive messages signed by root authorities and these authorities are not installed on the server, you must add a trusted root certificate manually.

  • Append your trusted certificate, and set the desired path using the following commands:

    # ca.crt and ca.key are the file names the ssl.conf directives are pointed at below
    cp new.crt /etc/pki/tls/certs/ca.crt
    cp new.key /etc/pki/tls/private/ca.key
    cp new.csr /etc/pki/tls/private/ca.csr
    # keep the private key readable by root only
    chmod 600 /etc/pki/tls/private/ca.key

  • Restart the service using the following command:

    service httpd restart

We now need to set up the Virtual Hosts to display the new certificate.

  • Open the SSL Configuration file using the following command:

    vi +/SSLCertificateFile /etc/httpd/conf.d/ssl.conf


  • Change the SSLCertificateFile path to match where the certificate file is stored.  If you used the method above, it will be:

    SSLCertificateFile /etc/pki/tls/certs/ca.crt


  • Set the correct path for the certificate key file in the SSLCertificateKeyFile directive below it.  If you used the method above, it will be:

    SSLCertificateKeyFile /etc/pki/tls/private/ca.key


  • Save and Quit the file.

  • Restart Apache using the following command:

    service httpd restart
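
The procedure above as one script, added here as an example and not taken from the SoftNAS article or product: it adds the checks an operator wants before the restart (that the key really belongs to the certificate, that the key is not world-readable, that ssl.conf actually contained the directives, and that httpd accepts the configuration). The function names and the argument layout are this example's own; default paths follow the article.

```shell
#!/bin/sh
# Added example, not part of the SoftNAS article: swap in an enterprise
# certificate for httpd with the checks an operator wants before restarting.
# Default paths follow the article; every function takes paths as arguments
# so it can be exercised against a scratch copy of ssl.conf first.

# Succeed only if the private key belongs to the certificate: compare the
# public key embedded in each (a mismatch makes httpd refuse to start).
cert_key_match() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Copy certificate and key into place; the key is readable by root only.
install_cert_files() {
    certdir="${3:-/etc/pki/tls/certs}"; keydir="${4:-/etc/pki/tls/private}"
    install -m 0644 "$1" "$certdir/ca.crt" || return 1
    install -m 0600 "$2" "$keydir/ca.key"
}

# Point mod_ssl at the new files. Only existing, uncommented directives are
# rewritten, so a typo cannot leave httpd silently serving the old pair.
set_ssl_paths() {
    conf="$1"; cert="$2"; key="$3"
    grep -Eq '^[[:space:]]*SSLCertificateFile[[:space:]]' "$conf" || return 1
    grep -Eq '^[[:space:]]*SSLCertificateKeyFile[[:space:]]' "$conf" || return 1
    sed -i -E \
        -e "s#^([[:space:]]*SSLCertificateFile)[[:space:]].*#\\1 $cert#" \
        -e "s#^([[:space:]]*SSLCertificateKeyFile)[[:space:]].*#\\1 $key#" "$conf"
}

# Validate the whole configuration before the restart the article describes.
apply_and_restart() {
    apachectl configtest && service httpd restart
}

# Typical run (as root) with files named as in the article:
#   cert_key_match new.crt new.key && install_cert_files new.crt new.key \
#     && set_ssl_paths /etc/httpd/conf.d/ssl.conf \
#        /etc/pki/tls/certs/ca.crt /etc/pki/tls/private/ca.key \
#     && apply_and_restart
```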


Additional Info

It is HIGHLY recommended to add the certificates before configuring replication to avoid any SnapReplicate™ interruption, as changing the keys will deactivate replication.

Change Keys after Configuring SnapReplicate™

  • Erase the SSH fingerprints by using the following command:

    # GNU sed takes lowercase -i for in-place editing
    sed -i '/<OTHER-NODE-IP-ADDRESS>/d' ~/.ssh/known_hosts


  • Add a new set of fingerprints by using the following command:

    # ssh-keyscan records whatever key answers; compare the fingerprint with the other node out of band
    ssh-keyscan <OTHER-NODE-IP-ADDRESS> >> ~/.ssh/known_hosts


  • Log into the SoftNAS Web UI (StorageCenter) on both instances and try to activate HA again.

If you continue to experience issues, please contact Buurst Support for further assistance.