Certificates

This section allows you to create or import SSH keys or SSL certificates.

SSH (Secure Shell)

The public/private key pairs created or imported here are intended for use in the RSync client (jobs) service section. Plugins can also use these keys from the internal database through the SSH certificates combo class. The key pair is stored in the internal database, but only the public key is displayed when you click edit. Not displaying the private key is basic SSH security, as it never has to leave the host where it was created. The public key can be copied to the clipboard, or moved by any other transport, to be added to a remote server. Add a comment, as it will be appended to the public key; this is important if you need to revoke the key pair on the remote server in case the server that generated the pair is compromised. Besides the database, the keys are stored in these two files:

  • Public key: /etc/ssh/openmediavault-<uuid_suffix>.pub
  • Private key: /etc/ssh/openmediavault-<uuid_suffix>

The <uuid> suffix is the internal openmediavault reference number.

Note

The public key is not displayed in RFC 4716 format. In case the remote server is also openmediavault based, you need to convert it to the appropriate format.
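The conversion mentioned in the note, as an added example that is not openmediavault's own code: it turns a one-line OpenSSH public key into an RFC 4716 block and rejects a line whose declared key type disagrees with the encoded blob. The function names and the sample key (placeholder bytes, comment `backup@nas (constructed)`) are assumptions made for illustration.

```python
import base64
import struct

def read_string(blob, offset):
    """Read one SSH wire-format string: uint32 length, then that many bytes."""
    end = offset + 4
    if end > len(blob):
        raise ValueError("truncated key blob")
    end += struct.unpack(">I", blob[offset:end])[0]
    if end > len(blob):
        raise ValueError("truncated key blob")
    return blob[offset + 4:end], end

def openssh_to_rfc4716(line):
    """Convert one OpenSSH public key line into an RFC 4716 block."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    blob = base64.b64decode(b64, validate=True)
    # The blob starts with its own key type; it must agree with the text field.
    if read_string(blob, 0)[0] != key_type.encode("ascii"):
        raise ValueError("key type does not match the encoded blob")
    out = ["---- BEGIN SSH2 PUBLIC KEY ----"]
    if comment:
        header = 'Comment: "%s"' % comment  # assumes an ASCII comment
        # RFC 4716 limits lines to 72 bytes; a trailing backslash continues one.
        while len(header) > 72:
            out.append(header[:71] + "\\")
            header = header[71:]
        out.append(header)
    body = base64.b64encode(blob).decode("ascii")
    out.extend(body[i:i + 70] for i in range(0, len(body), 70))
    out.append("---- END SSH2 PUBLIC KEY ----")
    return "\n".join(out) + "\n"

def sample_openssh_line():
    """Constructed sample: an ssh-ed25519 blob with 32 placeholder key bytes."""
    fields = (b"ssh-ed25519", bytes(range(32)))
    blob = b"".join(struct.pack(">I", len(f)) + f for f in fields)
    return "ssh-ed25519 %s backup@nas (constructed)" % base64.b64encode(blob).decode("ascii")

if __name__ == "__main__":
    print(openssh_to_rfc4716(sample_openssh_line()), end="")
```

On the host itself, `ssh-keygen -e -f` run against the `.pub` file also exports the key in RFC 4716 format.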

SSL (Secure Sockets Layer)

The SSL certificates created or imported here can be used by the web interface or the FTP server. Plugins can also use them by adding the SSL certificate combo class. The create window has the most common SSL certificate fields. The certificate/private key pair is stored in the internal database and as files in the standard Linux SSL location. The certificate file has a <uuid> suffix, which is the internal database number:

/etc/ssl/certificates/openmediavault-<uuid>.cert

The private key file has the same <uuid> suffix as its certificate:

/etc/ssl/private/openmediavault-<uuid>.key

When importing existing SSL certificates, make sure they are formatted/converted appropriately.

The command that creates the certificate runs in the PHP backend and is documented here. These certificates are self-signed, without a root CA.

Let's Encrypt

Let's Encrypt certificates can be imported directly: locate the fullchain.pem and privkey.pem files in /etc/letsencrypt/live/<mydomain.com>/ and copy their contents into their respective fields. No conversion is needed.