Custom SSL Certificate

sperry1625 · April 7, 2020, 3:04pm

I have a custom SSL certificate that I would like to install on my WD My Cloud device. Are there instructions on how to go about doing this? I have a custom domain for my network and the devices on it and I access the My Cloud device via it’s FQDN (ex. mycloud.mydomain.com) but get a browser error that the certificate does not match. I have a certificate but do not know how to install it on the device. I know it should be done via SSH, but need the steps.

Thanks!

torch1 · April 8, 2020, 1:35pm

The question I have is why put SSL certs on the device(s) rather than the router that controls the network for your custom domain.
If you have the expertise to have a custom domain, you should be able to figure out how & where to install SSL certs. At least some on the MyCloud (gen.1) are in /etc/ssl/certs but you may be able to install in /etc/ss/private as well.

mstargard · March 27, 2022, 4:39pm

I just did this to mine. It’s just a debian system under the hood running apache2. These are my notes.

How to install custom SSL certs to wdmycloud.

# Make sure you have SSH access enabled. 
# You could lock yourself out of the web interface doing this.

# Apache is in /etc/apache2
# Find the certs
WDMyCloud:/etc/apache2# grep SSL */*

# The certs are kept here. Compare the certs with what the browser reports.
sites-available/wdnas-rest-api.conf:    SSLCertificateFile /var/www/rest-api/config/server.crt
sites-available/wdnas-rest-api.conf:    SSLCertificateKeyFile /var/www/rest-api/config/server.key
sites-enabled/wdnas-rest-api.conf:      SSLCertificateFile /var/www/rest-api/config/server.crt
sites-enabled/wdnas-rest-api.conf:      SSLCertificateKeyFile /var/www/rest-api/config/server.key


WDMyCloud:/etc/apache2# openssl x509 -in /var/www/rest-api/config/server.crt -noout -text
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number:
            01:60:3c:93:13:89
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, ST=CS, L=Mountain View, O=Western Digital, OU=Branded Products, CN=remotewd.com
        Validity
            Not Before: Dec  9 18:39:19 2017 GMT
            Not After : Dec  9 18:39:19 2027 GMT
        Subject: C=US, ST=California, L=Mountain View, O=Western Digital Corporation, OU=Branded Products, CN=device2840660-89aad99a.wd2go.com/emailAddress=admin@localhost.com
...

# On pfsense (or wherever you get your certs), 
# go to cert manager and create a new internal server cert.
# download the cert, key and cacert to the wdmycloud.
WDMyCloud:/etc/apache2# ls -l ~
total 12
-rwxrwx--- 1 mario 197121 2296 Mar 27 11:51 cacert.crt
-rwxrwx--- 1 mario 197121 2078 Mar 27 11:49 wdmycloud.crt
-rwxrwx--- 1 mario 197121 1704 Mar 27 11:49 wdmycloud.key

# We're going to overwrite what's there instead of renaming things. 

# Backup existing files.
WDMyCloud:/etc/apache2# ls -l /var/www/rest-api/config
total 56
drwxrwxr-x 3 root     www-data  4096 Nov  4 22:42 Windows
-rwxrwxr-x 1 root     www-data   484 Mar 27 10:20 dynamicconfig.ini
-rwxrwxr-x 1 root     www-data   484 Mar 27 10:20 dynamicconfig.ini_safe
-rwxrwxr-x 1 root     www-data 14074 Jun  1  2018 globalconfig.ini
drwxrwxr-x 9 root     www-data  4096 Nov  4 22:42 platformConfig
-rwxrwxr-x 1 root     www-data  5956 Mar 27 10:20 server.ca-bundle
-rw-r--r-- 1 www-data www-data  1187 Mar 27 10:24 server.crt
-rw-r--r-- 1 www-data www-data  1139 Mar 27 10:24 server.csr
-rw-r--r-- 1 www-data www-data  1704 Mar 27 10:24 server.key
drwxrwxr-x 3 root     www-data  4096 Nov  4 22:42 upgrade

WDMyCloud:/var/www/rest-api/config# tar zcvf original-wdmycloud-SSL-certs.tgz server.ca-bundle server.key server.crt

# Copy it off the wdmycloud and encrypt it because it contains a key.
$ rsync -Pa root@wdmycloud:/var/www/rest-api/config/original-wdmycloud-SSL-certs.tgz .
receiving incremental file list
original-wdmycloud-SSL-certs.tgz
          6,081 100%    5.80MB/s    0:00:00 (xfr#1, to-chk=0/1)
$ gpg -se original-wdmycloud-SSL-certs.tgz

You need a passphrase to unlock the secret key for
user: "xxx"
4096-bit RSA key, ID xx, created 2022-01-01 (main key ID xx)

# Put the new material into place.
WDMyCloud:/var/www/rest-api/config# cat ~/wdmycloud.crt > server.crt
WDMyCloud:/var/www/rest-api/config# cat ~/wdmycloud.key > server.key
## Note: Make sure the cacert appends correctly. May be missing a LF.
WDMyCloud:/var/www/rest-api/config# cat ~/cacert.crt >> server.ca-bundle

# Reboot or restart apache2
/etc/init.d/apache2 restart

# Check startup in log
cat /var/log/apache2/error.log

# Reload the web page in your browser.

Wierd_w · April 1, 2022, 10:24am

Keep in mind that gen2 myclouds have non-persistent storage, and will not retain the custom certificate.

There are ways to hijack an installed application (or rather, hijack its init script) on a gen2 mycloud to get the unit to either symlink in the certificates from a secure location in the persistent storage, or copy them into the volatile image when the unit boots.