I wanted to use my internal Active Directory Certificate Services server to create a certificate for a Synology NAS. The Synology needs the private key and the certificate to be in separate files.
I created the certificate by using the CA web interface https://my-ad-cs/certsrv and then choosing the following options:
- Request a certificate
- advanced certificate request
- Create and submit a request to this CA
- Template: Web Server (5 years) – note that this is a custom certificate template I created that allows the private key to be exported. It enables the Mark keys as exportable option, which needs to be ticked.
- Fill in the identifying information, and leave all other options as default
Once the certificate was created, I installed it. I then opened certmgr.msc and found the certificate under Personal – Certificates.
Next, I right-clicked the certificate, and chose All tasks – Export. I chose to export the private key, and under the .pfx option ticked Include all certificates in the certification path if possible. I set a password and saved the file.
Then I downloaded the latest version of OpenSSL and extracted the zip file.
I copied the pfx file into the folder where I’d extracted OpenSSL, and opened a command prompt in that folder. I used the following two command lines to extract the private key and certificate from the pfx file.
openssl pkcs12 -in extracted.pfx -nocerts -out privatekey.pem -nodes
openssl pkcs12 -in extracted.pfx -nokeys -out cert.pem
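The same split, as an added example that is not part of the original post: it wraps the two pkcs12 commands in a script that also separates the leaf certificate from the CA chain bundled into the pfx (Synology takes the chain as a separate "intermediate certificate" file), restricts permissions on the unencrypted key that -nodes writes, and checks that the extracted key really belongs to the extracted certificate before anything is uploaded. The pfx password, the output file names and the self-signed test input are assumptions made for this example.

```shell
#!/bin/sh
# Split a PKCS#12 (.pfx) bundle into the PEM files a Synology NAS expects, then
# verify that the extracted private key matches the extracted certificate.
set -eu

split_pfx() {
  pfx="$1"; pass="$2"; outdir="$3"
  mkdir -p "$outdir"
  # -nodes writes the key unencrypted, so create it with owner-only permissions
  # (umask stays in effect for the rest of the script, which is intended here).
  umask 077
  openssl pkcs12 -in "$pfx" -passin "pass:$pass" -nocerts -nodes -out "$outdir/privatekey.pem"
  # -clcerts keeps only the end-entity certificate (the one tied to the key)
  openssl pkcs12 -in "$pfx" -passin "pass:$pass" -nokeys -clcerts -out "$outdir/cert.pem"
  # -cacerts writes only the issuing chain that was exported with the pfx; it is
  # empty when the bundle carries no CA certificates, as with the test input below
  openssl pkcs12 -in "$pfx" -passin "pass:$pass" -nokeys -cacerts -out "$outdir/chain.pem"
}

# Returns 0 when the public key derived from privatekey.pem equals the one in cert.pem,
# i.e. the two files belong together and the NAS will accept them as a pair.
key_matches_cert() {
  outdir="$1"
  from_key=$(openssl pkey -in "$outdir/privatekey.pem" -pubout)
  from_cert=$(openssl x509 -in "$outdir/cert.pem" -pubkey -noout)
  [ "$from_key" = "$from_cert" ]
}

# Constructed test input: a throwaway self-signed certificate packed into a pfx with
# the password "test123", standing in for the CA-issued export described in the post.
make_test_pfx() {
  dir="$1"; mkdir -p "$dir"
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$dir/k.pem" -out "$dir/c.pem" \
    -days 1 -subj "/CN=nas.example.test" >/dev/null 2>&1
  openssl pkcs12 -export -inkey "$dir/k.pem" -in "$dir/c.pem" \
    -passout pass:test123 -out "$dir/test.pfx"
}
```

After uploading, delete privatekey.pem and the pfx from the OpenSSL folder, since both hold the key in a form anyone with access to that machine can read.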
These two files were then uploaded to the Synology from Control Panel, Security, Certificate.
Once the certificate was installed, I selected it and clicked Edit, then ticked Set as default certificate. Finally, I clicked Configure and changed each of the services to use the new certificate. Upon clicking OK, the web services restarted and are now using my CA certificate.