Setup SSL on Synology NAS
== Create a self-signed SSL and root CA to sign the SSL ==

=== Prerequisites ===
* DiskStation must have a fixed IP address on your LAN.
* Ability to add or assign certificates to devices you want to approve your SSL.

=== Create certificate on DiskStation ===
* '''DSM''' > '''Control Panel''' > '''Security''' > '''Certificate'''
* Click '''Add''' to start the process
* Choose '''Create self-signed certificate'''
* First create a Certificate Authority (CA) that will sign the site SSL

'''Create Root Certificate'''
* '''Private key length:''' 2048
* '''Common name:''' MyCA (Any name will do, but this name is how the certificate will be identified in Mac OS's Keychain Access, see below)
* '''Email:''' myemail@domain.com
* '''Location:''' [US] United States of America
* '''State/Province:''' [state name]
* '''City:''' [city name]
* '''Organization:''' myOrg (Any name will do)
* '''Department:''' (Again, any name)
* Click '''Next'''

'''Create Certificate'''
* '''Private key length:''' 2048
* '''Common name:''' [DiskStation static IP]
* '''Email:''' myemail@domain.com
* '''Location:''' [US] United States of America
* '''State/Province:''' [state name]
* '''City:''' [city name]
* '''Organization:''' myOrg (Any name will do)
* '''Department:''' (Again, any name)
* '''Subject Alternative Name:''' [DiskStation static IP plus any aliases, separated by semicolons]
* Click '''Apply'''

Make the new certificate the default.
* '''DSM''' > '''Control Panel''' > '''Security''' > '''Certificate'''
* Select the new certificate in the list.
* Click '''Configure'''
* Select the certificate for '''System Default''' and any other relevant services.
* Click '''Ok'''.
* The web service will restart.

=== Renew existing certificate ===
* '''DSM''' > '''Control Panel''' > '''Security''' > '''Certificate'''
* Select the new certificate in the list.
* Click '''Renew'''
** Confirm the settings and renew.

==== Updating the certificate on remote machines ====
* '''DSM''' > '''Control Panel''' > '''Security''' > '''Certificate'''
* Select the expired certificate in the list.
* '''Action''' > '''Export certificate'''
* It will prompt to save a zip file. The default name is `archive.zip`. Consider changing this to something more meaningful, e.g. `[NAS-HOST-NAME]-[YEAR].zip`
* On the remote machine's file system, double click the archive to extract it.
* On the remote machine (Mac OS), open '''Keychain Access'''.
** Find the expired certificate and delete it. This will require entering an admin password.
** Go into the folder where the exported certificate was saved.
*** Double click `cert.pem`.
*** On Mac OS, this will cause the certificate to be imported into the '''Keychain Access''' app.
** In '''Keychain Access''' double click the new certificate.
*** Expand the '''Trust''' group.
*** When using this certificate: `Always trust`
*** Enter admin password when prompted.
*** Close the dialog.
* In Chrome enter: `https://[NAS-IP-ADDRESS]:5001`
* Log in to the DSM.
* Once logged in using the IP address, Chrome will accept the NAS's host name, i.e. `https://[NAS-HOSTNAME]:5001`

=== Trust the certificate authority locally ===

==== Mac OS ====
Export the certificate.
* '''DSM''' > '''Control Panel''' > '''Security''' > '''Certificate'''
* Select the certificate in the list.
* '''Action''' > '''Export certificate'''
* Save the zip file locally and expand it.

Add certificate issuer to keychain as a trusted certificate authority.
* Double click on the certificate (`cert.pem`) to open the Mac OS '''Keychain Access''' app.
* '''Add Certificate''' dialog will open automatically the first time the host is added.
** Set '''Keychain''' to "system".
** Click '''Add'''.
** Enter password into admin credentials prompt.
* '''Keychain Access''' app > '''System Keychains''' group > '''System'''
* Look for the host under '''Name''' and double click that line.
** Expand the '''Trust''' group.
** '''When using this certificate:''' Always trust
** Close the dialog.
** Enter password into admin credentials prompt.
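
Before setting an exported `cert.pem` to "Always trust", it is worth confirming that its Subject Alternative Name covers the address and host name you will browse to, that it is not about to expire, and what its fingerprint is. The script below is an added example, not part of the original wiki page or of DSM. It assumes the `openssl` command line tool is installed, and the sample certificate, the IP `192.0.2.10` and the name `nas.example.test` are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: checks to run on an exported cert.pem before trusting it.
# The sample certificate, 192.0.2.10 and nas.example.test are constructed values.

# SHA-256 fingerprint of a PEM certificate; compare it with the fingerprint
# the browser shows for https://[NAS-IP-ADDRESS]:5001.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Succeeds only if the certificate covers the given IP address.
cert_covers_ip() {
    openssl x509 -in "$1" -noout -checkip "$2" | grep -q 'does match certificate'
}

# Succeeds only if the certificate covers the given host name (alias).
cert_covers_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match certificate'
}

# Succeeds only if the certificate is still valid $2 days from now.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# Build a throwaway 30-day certificate standing in for the DSM export.
# openssl writes SAN entries as IP:/DNS:, unlike DSM's semicolon-separated field.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -keyout "$1/privkey.pem" -out "$1/cert.pem" \
        -subj "/CN=192.0.2.10/O=myOrg" \
        -addext "subjectAltName=IP:192.0.2.10,DNS:nas.example.test" 2>/dev/null
}

tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
make_sample_cert "$tmp"
cert="$tmp/cert.pem"   # replace with the path to your extracted cert.pem

echo "SHA-256 fingerprint: $(cert_fingerprint "$cert")"
cert_covers_ip "$cert" 192.0.2.10 && echo "SAN covers 192.0.2.10"
cert_covers_host "$cert" nas.example.test && echo "SAN covers nas.example.test"
cert_covers_host "$cert" other.example.test || echo "SAN does NOT cover other.example.test"
cert_valid_for_days "$cert" 7 && echo "valid for at least 7 more days"
cert_valid_for_days "$cert" 60 || echo "expires within 60 days: plan a renewal"
```

If an alias is missing from the Subject Alternative Name, the browser will reject that name even after the certificate is trusted in Keychain Access.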