Last active
August 30, 2022 21:50
# px2-300d firmware version: 4.1.414.34909
# 2022.08.30
#Background:
#0. the whole process can be done in Windows, provided you have the OpenSSL library installed on your machine
#in my case it is: OpenSSL 1.1.1o 3 May 2022
#In case due to some reason
#1. read this thread
Start-Process 'https://stackoverflow.com/questions/10175812/how-to-generate-a-self-signed-ssl-certificate-using-openssl'
#Crucial section starts from the paragraph:
#'As of 2022 with OpenSSL ≥ 1.1.1, the following command serves all your needs, including Subject Alternate Name (SAN):'
#2. this section of the code helps calculate the number of days left until day 0, when the cert is going to expire
#   in my case, for overall convenience, I wanted the self-signed certs (which are used for the web services exposed locally)
#   to expire at the same point in time, so I tried to synchronize the timing with another cert which was already configured within the
#   environment - 18th January 2025 - it's not a must, you can skip this step in case it does not add any value for you
$now = Get-Date
# ISO 8601 date string, so parsing does not depend on the regional settings of the machine
New-TimeSpan -Start $now -End (Get-Date -Date '2025-01-18')
# cross-check: 872 days counted from 2022.08.30 land on 18th January 2025
(Get-Date).AddDays(872)
#3. Execute the following command
#   -nodes writes the private key unencrypted, so keep px2-300d.key and px2-300d.pem readable only by you
#   a DNS entry in subjectAltName is matched as a bare host name: clients match DNS:nas.local and never DNS:https://nas.local
openssl req -x509 -newkey rsa:2048 -sha256 -days 872 -nodes -keyout px2-300d.key -out px2-300d.crt -subj "/CN=nas.local" -addext "subjectAltName=DNS:nas.local,DNS:https://nas.local,IP:[IP_AddressOfYour-px2-300d-device]"
# concatenate the certificate and the key into a single ASCII .pem file
Get-Content .\px2-300d.crt, .\px2-300d.key | Set-Content -Encoding Ascii .\px2-300d.pem
# alternatively, build the .pem by hand through the clipboard:
Get-Content .\px2-300d.crt | clip
# copy the content of the px2-300d.crt (from the clipboard) to the px2-300d.pem file
Get-Content .\px2-300d.key | clip
# add the content of the px2-300d.key (from the clipboard) to the px2-300d.pem file
# now you are equipped with the px2-300d.pem file which can be uploaded into the Lenovo Dell EMC px2-300d device via the web interface
Start-Process 'https://[IP_AddressOfYour-px2-300d-device]/manage/security.html?cat=all'
# Local Network encryption (SSL): Not Required
# Remote Network encryption (SSL): Always
# Certificate settings:
# * Use the default certificate (we are not using this, because we want to use our own self-signed cert with Subject Alternative Name etc)
# * Use an imported certificate [Browse, and upload the px2-300d.pem]
# then you should not receive any error message, and the engine should just digest the certificate properly
#4. CHECK the certificate on the device itself
# Enable diagnostic mode:
Start-Process 'https://[IP_AddressOfYour-px2-300d-device]/manage/diagnostics.html'
# configure the values below,
# SSH Port: [preferredSshPortNumber]
# Root password: [preferred password used to access via ssh]
# Confirm Root Password: [preferred password to access via ssh]
# Once the Apply button has been hit, you are ready to log in from your endpoint to the px2-300d over SSH
ssh root@[IP_AddressOfYour-px2-300d-device] -p [preferredSshPortNumber]
# now the tricky piece: even though you configured the preferred password used to access via ssh, once you are logging in
# you have to add the string 'soho' as a prefix of the password, otherwise it will keep rejecting the pass
# imagine your password defined in the abovementioned gui was: lenovoMagic
# then during the ssh attempt you use the password: soholenovoMagic
# do not ask me why is that, it is how it is
# at this point you should be able to run the following command on your px2-300d
ls -lah /etc/ssl/certificates/
# which will show you the crt files
# in my case I do have selfcert.crt and usercert.crt_1
openssl x509 -text -noout -in /etc/ssl/certificates/usercert.crt_1
openssl x509 -text -noout -in /etc/ssl/certificates/selfcert.crt
# I'm not sure at the moment whether the selfcert.crt was generated by using the option (use the default cert) as per paragraph 3.
# But I'm convinced that the usercert.crt_1 is the one which was uploaded with the Browse button...
# this can be confirmed when you have a look into the section of
# X509v3 Subject Alternative Name:
# from the output of the abovementioned command
# at this stage, if you are on a Windows device, it's enough that you add the .cer certificate into the
# Trusted Root Certificates within the Local Computer store.
# I'm sure there are better and alternative ways (as I remember that in a previous attempt I did this in a different way)
# but at least the overall goal was achieved.
# That's it
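# Added example, not part of the original gist: a pre-upload check of the files produced in step 3 (key matches cert, validity, SAN match, .pem encoding and order).
# It assumes openssl is on PATH and the gist's file names; the function name Test-NasCertBundle and the IP 192.0.2.10 are made up for illustration.

```powershell
# Assumptions: openssl is on PATH and the file names follow the gist.
# $NasIp is a constructed placeholder; use the address of your own device.
$NasHost = 'nas.local'
$NasIp   = '192.0.2.10'

function Test-NasCertBundle {
    param([string]$Crt, [string]$Key, [string]$Pem, [string]$HostName, [string]$Ip)
    $r = [ordered]@{}

    # 1. Certificate and private key must carry the same public key.
    $pubCrt = (& openssl x509 -in $Crt -noout -pubkey) -join "`n"
    $pubKey = (& openssl pkey -in $Key -pubout) -join "`n"
    $r.KeyMatchesCert = ($pubCrt -ne '') -and ($pubCrt -eq $pubKey)

    # 2. -checkend N exits with 0 only if the cert is still valid N seconds from now.
    & openssl x509 -in $Crt -noout -checkend (30 * 24 * 3600) | Out-Null
    $r.ValidFor30Days = ($LASTEXITCODE -eq 0)

    # 3. Let openssl do the name matching a TLS client would do against the SAN.
    #    It prints "... does match certificate" or "... does NOT match certificate".
    $r.HostInSan = [bool]((& openssl x509 -in $Crt -noout -checkhost $HostName) -match 'does match')
    $r.IpInSan   = [bool]((& openssl x509 -in $Crt -noout -checkip $Ip) -match 'does match')

    # 4. The .pem must be plain ASCII (a '>' redirect in Windows PowerShell writes
    #    UTF-16) and hold the certificate block first, then the key block,
    #    which is the order the gist assembles it in.
    $bytes = [System.IO.File]::ReadAllBytes((Resolve-Path $Pem).Path)
    $text  = [System.Text.Encoding]::ASCII.GetString($bytes)
    $r.PemIsAscii = @($bytes | Where-Object { $_ -eq 0 -or $_ -gt 127 }).Count -eq 0
    $certAt = $text.IndexOf('-----BEGIN CERTIFICATE-----')
    $keyAt  = $text.IndexOf('PRIVATE KEY-----')
    $r.PemHasCertThenKey = ($certAt -ge 0) -and ($keyAt -gt $certAt)

    [pscustomobject]$r
}

Test-NasCertBundle -Crt .\px2-300d.crt -Key .\px2-300d.key -Pem .\px2-300d.pem `
    -HostName $NasHost -Ip $NasIp
```

# Every property in the returned object should be True before the .pem is uploaded through the web interface.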