Using self-signed SSL certificates [For a Home NAS]

So you set up a home NAS with a bunch of services? Congrats!

In my case, I run a few services like portainer, nginx proxy manager, pihole and openmediavault.

The Nginx Proxy Manager (NPM) does a good job of routing each request to the right service based on the hostname in the URL, but I hate seeing the browser's certificate warnings every time I open one of these services. Here is what I do to make those warnings disappear. Since the services are not exposed to the Internet, I am free to use my own certificates, signed with a custom root CA; the only extra step is to make each client trust that root CA.

The first step is to create the root CA

On the server (any Linux machine with openssl will do; I used my server, named disco)

First clean up any old data if needed. Be aware that this also deletes a previously created CA key: if clients already trust that CA, you will have to redistribute the new ca.pem to all of them.

rm -rf ~/ca_disco
mkdir ~/ca_disco
cd ~/ca_disco

Now to the actual creation

# CA private key; -aes256 encrypts it under a passphrase you are prompted for now and again at every signing
openssl genrsa -aes256 -out ca-key.pem 4096
# self-signed CA certificate; you are prompted for the subject, and the Common Name you enter here
# is the name under which the CA shows up in the clients' trust stores later
openssl req -new -x509 -sha256 -days 365 -key ca-key.pem -out ca.pem

You can give the CA a longer validity with a bigger number after the -days flag. The Apple restriction people run into here applies to the server (leaf) certificate, not to the CA: since iOS 13 and macOS 10.15, Apple clients reject TLS server certificates that are valid for more than 825 days, and they also require a subjectAltName and extendedKeyUsage=serverAuth, which the server certificate below has. The root CA itself can be long-lived, for example -days 3650, which saves redeploying it to every client each year; I keep the server certificate at 365 days, well inside Apple's limit.

Now let's generate the server certificate. I use a wildcard hostname (*.disco.local) so the same certificate serves all my services. Note that a wildcard covers exactly one label: *.disco.local matches portainer.disco.local but neither disco.local itself nor a.b.disco.local, so add DNS:disco.local to the list below if you also use the bare name.

# server key (no passphrase: nginx has to read it unattended) and a certificate signing request
openssl genrsa -out cert-key.pem 4096
openssl req -new -sha256 -subj "/CN=ashiksdiscocn" -key cert-key.pem -out cert.csr
# extensions for the server certificate: browsers match the subjectAltName (the CN above is ignored
# when a SAN is present), and serverAuth is required by Apple clients
echo "subjectAltName=DNS:*.disco.local,IP:192.168.10.100" > extfile.cnf
echo "extendedKeyUsage=serverAuth" >> extfile.cnf
# sign the request with the CA; you are asked for the CA key passphrase
openssl x509 -req -sha256 -days 365 -in cert.csr -CA ca.pem -CAkey ca-key.pem -out cert.pem -extfile extfile.cnf -CAcreateserial
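The same two steps, scripted end to end and followed by the checks I would run before uploading anything to NPM. This is an added example and not the commands from the post: it assumes ./ca_demo as the working directory, the name disco.local and the IP 192.168.10.100 from above, a CA Common Name of "Home NAS Root CA" (chosen here), a 2048-bit server key, and it leaves the CA key unencrypted so the script can run unattended (for a real CA keep the post's genrsa -aes256). It also adds the bare name disco.local to the SAN and gives the CA a 10-year validity, for the reasons explained above.

```shell
#!/bin/sh
# Added example (not from the original post): scripted CA + wildcard server
# certificate, then the checks worth running before uploading to NPM.
# Assumed values: directory ./ca_demo, name disco.local, IP 192.168.10.100,
# CA Common Name "Home NAS Root CA". The CA key is left unencrypted so this
# runs unattended; for a real CA use the post's `genrsa -aes256` instead.
set -e

make_certs() {
  dir="${1:-./ca_demo}"; name="${2:-disco.local}"; ip="${3:-192.168.10.100}"
  rm -rf "$dir"; mkdir -p "$dir"
  (
    cd "$dir"
    # Own req config so nothing depends on the system openssl.cnf. The v3_ca
    # section marks the certificate as a CA limited to signing certs and CRLs.
    cat > req.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[dn]
CN = Home NAS Root CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
    # Root CA: long-lived (Apple's 825-day cap applies to server certs, not CAs).
    openssl genrsa -out ca-key.pem 4096 2>/dev/null
    openssl req -new -x509 -sha256 -days 3650 -key ca-key.pem -out ca.pem \
      -config req.cnf

    # Server key + CSR. Clients match on the SAN, not the CN, so the CN is only
    # a label; the SAN carries the wildcard, the bare name and the IP.
    openssl genrsa -out cert-key.pem 2048 2>/dev/null
    openssl req -new -sha256 -key cert-key.pem -out cert.csr \
      -config req.cnf -subj "/CN=*.$name"
    cat > extfile.cnf <<EOF
subjectAltName=DNS:*.$name,DNS:$name,IP:$ip
extendedKeyUsage=serverAuth
basicConstraints=CA:FALSE
keyUsage=digitalSignature,keyEncipherment
EOF
    # Leaf: 398 days stays inside Apple's 825-day limit with room to spare.
    openssl x509 -req -sha256 -days 398 -in cert.csr -CA ca.pem -CAkey ca-key.pem \
      -CAcreateserial -extfile extfile.cnf -out cert.pem 2>/dev/null
  )
}

# Returns 0 only if the leaf chains to the CA, carries the wildcard SAN,
# is not itself a CA, and matches the private key we are about to upload.
check_certs() {
  dir="${1:-./ca_demo}"; name="${2:-disco.local}"
  openssl verify -CAfile "$dir/ca.pem" "$dir/cert.pem" >/dev/null 2>&1 || return 1
  text=$(openssl x509 -in "$dir/cert.pem" -noout -text)
  echo "$text" | grep -qF "DNS:*.$name" || return 1
  echo "$text" | grep -q 'CA:FALSE' || return 1
  pub_key=$(openssl pkey -in "$dir/cert-key.pem" -pubout 2>/dev/null)
  pub_cert=$(openssl x509 -in "$dir/cert.pem" -noout -pubkey)
  [ "$pub_key" = "$pub_cert" ]
}

# Usage:
#   make_certs ./ca_demo disco.local 192.168.10.100 && check_certs ./ca_demo disco.local
```

The key/certificate comparison in check_certs catches the classic mistake of uploading a key that belongs to an older CSR. Once the certificate is installed in NPM (next step), the same chain check against the live listener is openssl s_client -connect 192.168.10.100:443 -servername portainer.disco.local -CAfile ca.pem, which should end with "Verify return code: 0 (ok)".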

The next step is to add the certificate to NPM via its web UI at <your_npm_ip>:81. NPM keeps uploaded certificates under SSL Certificates: click Add SSL Certificate, choose Custom, and upload cert-key.pem as the key and cert.pem as the certificate (there is no intermediate certificate here, since the CA signs the server certificate directly). Then go to Hosts -> Proxy Hosts, open the edit screen for each host by clicking the 3-dot menu on the right of the hostname and then Edit, and on the SSL tab select the certificate you just uploaded; because it is a wildcard, the one certificate serves every host. Turn on Force SSL there as well if you want plain HTTP requests redirected to HTTPS.

Finally, it is time to make the clients trust the new root certificate. Keep in mind what this trust means: every client that imports ca.pem will accept any certificate signed with ca-key.pem, for any hostname, so guard that key (keep it encrypted, and off the NAS if you can) and hand out only ca.pem, never ca-key.pem.

(scp the CA certificate, ca.pem only, to the client first)

To add the CA certificate to the system trust store on macOS (you will be asked for your password):

sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain ca.pem

If you want to remove this certificate from the trust store later, run

sudo security delete-certificate -c <name> /Library/Keychains/System.keychain

Here <name> is the Common Name you entered at the prompts when creating the CA with openssl req -x509 above. If you are not sure what you typed, dump the keychain with

sudo security dump-keychain /Library/Keychains/System.keychain

and look at the "labl" attribute of the certificate entries in the output; the last one is probably the one we added.

Note: Remember to change the name disco.local to your server's name and make sure that the VLAN / IPs are correct. Do not copy anything blindly. If you are choosing a name from scratch, be aware that .local is reserved for mDNS (RFC 6762), which can make name resolution behave oddly on macOS and iOS; home.arpa (RFC 8375) is the domain set aside for home networks. Also keep in mind that the server certificate expires after 365 days: rerun the second block and upload the new cert.pem to NPM, and as long as the CA is unchanged the clients need nothing new.