This article covers regenerating the self-signed certificate if browser shows the current certificate is expired and using a custom (CA authorized) certificate.
- Knowledge of OpenSSL commands
- Knowledge of CLI
- SSH server feature on NAS enabled
- SSH and SCP client on computer (Putty or WinSCP for Windows. Most Unix-like systems have these clients built-in.)
- Optional: Signed Certificate
Regenerating Self-Signed Certificate
If the built-in self-signed certificate has expired or you wish to customize the certificate the NAS uses, please do the following.
- Open SSH client
- SSH into NAS (e.g. ssh root@nas_ip_or_hostname)
- Type the following command to generate a certificate and key: openssl req -newkey rsa:2048 -nodes -keyout /etc/zyxel/cert/key/default_key.cer -x509 -days 3650 -out /etc/zyxel/cert/default.cer
- Provide info needed to generate the certificate
- Verify the certificate details with the following command: openssl x509 -text -noout -in /etc/zyxel/cert/default.cer
- Reboot the NAS
Use Custom Signed Certificate
If you have obtained a certificate from a CA to use with the NAS, please do the following to replace the certificate on the NAS with your signed cert.
- Make sure the certificate is using the correct extension required by NAS, CER.
- CRT and CER are interchangeable, rename the cert file "default.cer".
- If cert is using other extension check with your CA to see if they offer CRT/CER.
- Use openssl to convert your certificate to CER format. (e.g. openssl x509 -outform DER -in cert.pem -out default.cer)
- Place the default.cer file in the /etc/zyxel/cert/ directory. (e.g. "scp source_directory/default.cer root@nas_ip_or_hostname:/etc/zyxel/cert/", Windows users can drag and drop files using WinSCP)
- Place the default_key.cer file in the /ect/zyxel/cert/key directory. (e.g. "scp source_directory/default_key.cer root@nas_ip_or_hostname:/etc/zyxel/cert/key/", Windows users can drag and drop files using WinSCP)