
I'm operating several NAS devices on my employer's LAN. I do so with the employer's blessing, but I do not have control over the domain, and the devices are only available to a small working group on the LAN, and not accessible from outside the WAN (without a VPN, that is). They do have access to the internet, though, to obtain firmware updates.

I'm using https for the web interface (via non-standard port), which I use for administration, but which is also used by users to set their passwords and for some use cases, though most users use SMB or SFTP for access to their data. The devices come with a pre-installed, untrusted https certificate from Synology.

Is there a generally recommended way to deal with the fact that browsers complain about the untrusted certificates? The options, as far as I'm aware so far, are:

Create an exception

Every user needs to create an exception for each of the devices in their browser, on every device from which they would be connecting to them. I'm not completely sure how secure this would be. Does it mean that the browser will always accept any certificate for the given machine, or accept the same certificate from any machine, or will the exception only apply for the particular combination of certificate/device? And how smart is it to use the preinstalled manufacturer's certificate?

Generate my own certificate

Let's Encrypt is usually recommended to get a clean, valid certificate, but they require that I demonstrate control over some domain, so that's not going to work, as far as I can tell.

Will a self-signed certificate be okay? Would it be overkill to do as Mircea Vutcovici suggests here and make my own CA etc.?

I'm generally confused about the level of security which the different ways of proceeding would offer me. The NAS devices contain data which should not be available to most people on the LAN, but nothing we wouldn't be allowed to also store locally on our office computers, so we don't need crazy levels of security, but I'd like to be sure I'm not doing something stupid. Most users have little knowledge about network security, so getting all of them to install a custom certificate would likely cause a bunch of support questions -- but I'd probably bite that bullet if needed.

Zak
  • Work with your employer (network staff) to get Let's Encrypt working. If you have their blessing, they should work with you on this. – Sven May 12 '18 at 13:39
  • IT came back to me saying they can't issue certs themselves. Would have to ask some supplier to do it, for a recurring cost. They're also too understaffed for me to ask them any favours in terms of Let's Encrypt :( – Zak May 21 '18 at 10:29

1 Answer

Have your certificate issued by a CA already trusted on the user's devices. TLS does not care whether this is an internal PKI or one managed by a third party.

Building your own CA only moves the self-signed problem around; users still don't trust your CA by default.

I recommend actually getting a certificate for a test environment and using it.

Success is when there are no scary warnings in the user's browser. Alert fatigue is bad. Users do not know how to manage certificates.

John Mahowald
  • Potentially silly question: If I generate a cert for a test environment, won't all users have to install that in their browser for it to be trusted? Other than the cert being generated by me, wouldn't that be equivalent to getting them to trust the synology cert? – Zak May 21 '18 at 10:24
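
The trust-anchor point discussed in this thread, as an added example (not code from the question, the answer or Synology): a private CA issues a certificate for one NAS, and `openssl verify` accepts it only when the client trusts that CA and the host name matches. The host names, CA name and file names are constructed placeholders.

```shell
# Added example. Host names and the CA name are constructed placeholders.

# Create a private CA in $1 and issue a server certificate for host $2.
make_pki() {
    dir=$1; host=$2
    # Minimal request config: the CA may only sign certificates and CRLs.
    printf '%s\n' '[req]' 'distinguished_name=dn' 'x509_extensions=v3_ca' \
        'prompt=no' '[dn]' 'CN=Workgroup NAS CA (constructed)' '[v3_ca]' \
        'basicConstraints=critical,CA:TRUE' \
        'keyUsage=critical,keyCertSign,cRLSign' > "$dir/req.cnf"
    openssl req -x509 -config "$dir/req.cnf" -newkey rsa:2048 -nodes \
        -sha256 -days 3650 -keyout "$dir/ca.key" -out "$dir/ca.pem" \
        2>/dev/null || return 1
    # Key and CSR for the NAS (only the CSR needs to reach the CA).
    openssl req -new -config "$dir/req.cnf" -subj "/CN=$host" \
        -newkey rsa:2048 -nodes -keyout "$dir/nas.key" -out "$dir/nas.csr" \
        2>/dev/null || return 1
    # Browsers match the name in subjectAltName, not the CN.
    printf '%s\n' "subjectAltName=DNS:$host" 'basicConstraints=CA:FALSE' \
        'keyUsage=digitalSignature,keyEncipherment' \
        'extendedKeyUsage=serverAuth' > "$dir/nas.ext"
    openssl x509 -req -in "$dir/nas.csr" -CA "$dir/ca.pem" \
        -CAkey "$dir/ca.key" -CAcreateserial -sha256 -days 365 \
        -extfile "$dir/nas.ext" -out "$dir/nas.pem" 2>/dev/null
}

# Verify $1/nas.pem for host $3. $2 is "ca" (client trusts ca.pem) or
# "none" (client has no trust anchor for it, as before the CA is installed).
verify_cert() {
    dir=$1; trust=$2; host=$3
    if [ "$trust" = ca ]; then
        set -- -CAfile "$dir/ca.pem"
    else
        set -- -no-CAfile -no-CApath
    fi
    openssl verify "$@" -purpose sslserver -verify_hostname "$host" \
        "$dir/nas.pem" >/dev/null 2>&1
}

demo() {
    d=$(mktemp -d) || return 1
    make_pki "$d" nas1.example.internal || return 1
    verify_cert "$d" ca nas1.example.internal && echo "CA installed: trusted"
    verify_cert "$d" none nas1.example.internal || echo "CA missing: rejected"
    verify_cert "$d" ca nas2.example.internal || echo "wrong host name: rejected"
    rm -rf "$d"
}
demo
```

With this layout only `ca.pem` is distributed to clients, once, and each further NAS gets its own certificate signed by the same CA; `ca.key` never leaves the machine that signs.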